How to verify the direction of spyware signatures for downloaders

by ymiyashita on 12-22-2016 12:24 AM - edited on 01-03-2017 12:09 AM (7,069 Views)

This document describes how to verify the trigger direction of spyware signatures for downloaders that appear in the threat log.


Details

The signatures in the table below detect malicious downloaders attached to emails. They work for both SMTP and POP3, so they cover both cases: (a) the attacker sends the file inbound over SMTP, and (b) the victim downloads the file from the mail server over POP3.


ID     Threat Name                                   Direction
13129  JSDownloader.Gen Javascript Detection         server-to-client
13606  Nemucod.JSDownloader.Gen Javascript Detection server-to-client
13996  JS.DownLoader.2332 Javascript Detection       server-to-client
14119  JSDownloader.Gen Javascript Detection         server-to-client
14283  Locky.JSDownloader.Gen Javascript Detection   client-to-server
14337  LF.JSDownloader.Gen Javascript Detection      server-to-client
14542  KV.JSDownloader.Gen Javascript Detection      server-to-client
14567  Nemucod.JSDownloader.Gen Javascript Detection server-to-client
14613  Locky.JSDownloader.Gen Javascript Detection   server-to-client
14616  Swabfex.JSDownloader.Gen Javascript Detection server-to-client
14680  Dridex.JSDownloader.Gen Javascript Detection  server-to-client
14700  Locky.LNKDownloader.Gen Script Detection      server-to-client
14834  Locky.JSDownloader.Gen Javascript Detection   server-to-client
14847  Cerber.JSDownloader.Gen Javascript Detection  server-to-client


The "direction" of these signatures is set to server-to-client, except for ID 14283. The direction value only affects how the threat log records the event; the signatures still trigger on traffic in either direction. We have updated the direction of ID 14283 to client-to-server to cover the most common scenario.


Example

172.28.30.225 : POP3 server / SMTP server

192.168.226.225 : Mail client (User)

Threat ID : 14283


The malicious email is sent through the firewall from the client to the SMTP server; the client then retrieves the same email from the POP3 server.


Here is the relevant part of the threat log, exported as a CSV file from the firewall.

[Screenshot: TID14283.png]


In the POP3 case, because the signature direction is client-to-server, the log entry looks as if the user attacked the server: source 192.168.226.225, destination 172.28.30.225. In reality the client is downloading the attachment from the server.


In the same way, when a signature's direction is server-to-client and the session is SMTP, the threat log shows the opposite of the real mail flow: the SMTP server appears as the source and the sending client as the destination.


This is a limitation of how the direction field is written to the threat log for threat signatures, and it is the expected result. When reading these entries, interpret the source and destination together with the application (SMTP or POP3) and the signature's direction rather than taking them at face value.
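The interpretation rule above can be applied mechanically to an exported threat log. The script below is an added example, not part of the original article or a Palo Alto Networks tool; the CSV rows and column names (src, dst, app, threatid, direction) are constructed to resemble an export and are assumptions. It maps the log's src/dst back to the mail client and mail server using the signature direction, then works out which host actually delivered the attachment for SMTP versus POP3 and flags rows whose logged direction is reversed relative to the real mail flow.

```python
import csv
import io

# Constructed sample rows in the shape of a threat-log CSV export
# (column names are assumed; a real export carries many more columns).
SAMPLE_CSV = """receive_time,src,dst,app,threatid,direction
2016/12/22 00:10:01,192.168.226.225,172.28.30.225,smtp,14283,client-to-server
2016/12/22 00:10:05,192.168.226.225,172.28.30.225,pop3,14283,client-to-server
2016/12/22 00:11:12,172.28.30.225,192.168.226.225,smtp,14613,server-to-client
2016/12/22 00:11:20,172.28.30.225,192.168.226.225,pop3,14613,server-to-client
"""

# Which side of the mail session carries the attachment:
# SMTP submits it to the server, POP3 pulls it down from the server.
ATTACHMENT_FLOW = {"smtp": "client_to_server", "pop3": "server_to_client"}


def mail_roles(src, dst, direction):
    """Recover mail client/server from logged src/dst and signature direction."""
    if direction == "client-to-server":
        return {"client": src, "server": dst}
    if direction == "server-to-client":
        return {"client": dst, "server": src}
    raise ValueError(f"unexpected signature direction: {direction}")


def interpret(row):
    """Annotate one log row with the real attachment flow."""
    roles = mail_roles(row["src"], row["dst"], row["direction"])
    app = row["app"].lower()
    if app not in ATTACHMENT_FLOW:
        raise ValueError(f"not a mail protocol covered here: {app}")
    if ATTACHMENT_FLOW[app] == "client_to_server":
        sender, receiver = roles["client"], roles["server"]
    else:
        sender, receiver = roles["server"], roles["client"]
    return {
        "threatid": row["threatid"],
        "app": app,
        "mail_client": roles["client"],
        "mail_server": roles["server"],
        "attachment_from": sender,
        "attachment_to": receiver,
        # False means the log's src/dst read backwards relative to the mail flow
        "log_matches_mail_flow": (row["src"], row["dst"]) == (sender, receiver),
    }


def interpret_csv(text):
    """Parse a CSV export and interpret every row."""
    return [interpret(r) for r in csv.DictReader(io.StringIO(text))]
```

Rows where log_matches_mail_flow is False are the cases the article describes: POP3 with a client-to-server signature, and SMTP with a server-to-client signature.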


owner: ymiyashita
