Palo Alto Networks Knowledgebase: How to verify the direction of spyware signatures for downloaders

Created On 09/27/18 07:05 AM - Last Updated 09/27/18 15:23 PM
Categories:  Threat Intelligence,  Threat Prevention

Solution:


This document describes how to verify the trigger direction of spyware signatures for downloaders that appear in the threat log.

Details

The signatures in the table below detect malicious downloaders attached to emails. They trigger on both SMTP and POP3 traffic, so they cover both cases: (a) the attacker sends the file inbound to the mail server over SMTP, and (b) the victim downloads the file from the mail server over POP3.

ID     Threat Name                                     Direction
13129  JSDownloader.Gen Javascript Detection           server-to-client
13606  Nemucod.JSDownloader.Gen Javascript Detection   server-to-client
13996  JS.DownLoader.2332 Javascript Detection         server-to-client
14119  JSDownloader.Gen javascript Detection           server-to-client
14283  Locky.JSDownloader.Gen Javascript Detection     client-to-server
14337  LF.JSDownloader.Gen Javascript Detection        server-to-client
14542  KV.JSDownloader.Gen Javascript Detection        server-to-client
14567  Nemucod.JSDownloader.Gen Javascript Detection   server-to-client
14613  Locky.JSDownloader.Gen Javascript Detection     server-to-client
14616  Swabfex.JSDownloader.Gen Javascript Detection   server-to-client
14680  Dridex.JSDownloader.Gen Javascript Detection    server-to-client
14700  Locky.LNKDownloader.Gen Script Detection        server-to-client
14834  Locky.JSDownloader.Gen Javascript Detection     server-to-client
14847  Cerber.JSDownloader.Gen Javascript Detection    server-to-client

The "direction" of every signature in the table is set to server-to-client except for ID 14283. The direction only controls how the threat log entry is written; the signatures still trigger on traffic in either direction. The direction of ID 14283 was changed to client-to-server to cover the most common scenario.

Example

172.28.30.225 : POP3 server / SMTP server

192.168.226.225 : Mail client (User)

Threat ID : 14283

The malicious email crosses the firewall twice: first when the client sends it to the SMTP server, then when the client retrieves it from the POP3 server.

Here is the relevant part of the threat log, exported from the firewall as a CSV file.

[Image: threat log excerpt exported as CSV]

In the POP3 case, because the signature direction is client-to-server, the log entry looks as if the user attacked the server: source 192.168.226.225, destination 172.28.30.225, even though the file actually flowed from the server to the client.

The same thing happens in reverse for a signature whose direction is server-to-client when it triggers on SMTP: the client submitted the attachment to the server, but the threat log shows the opposite direction, with the server as source and the client as destination.

This is a limitation of how the direction field is used when writing threat logs for threat signatures, and the result is expected. When triaging these entries, read the source and destination together with the application (SMTP or POP3) and the signature's direction before deciding which host actually transmitted the file.
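To make that triage rule mechanical, here is an added example (not code from this article or from Palo Alto Networks) that reads a threat log CSV export and, for each SMTP or POP3 row, recovers which host was the mail client, which was the mail server, and which one really transmitted the attachment, flagging rows where the logged source is not the real sender. The column names, the "Threat Name(ID)" form of the threat name, and the sample rows are assumptions constructed for the example; check the header of your own export and adjust the FIELD_* constants.

```python
import csv
import io
import re
from dataclasses import dataclass

# Column names in the style of a PAN-OS threat log CSV export. These are an
# assumption of this example; check the header row of your own export.
FIELD_SRC = "Source address"
FIELD_DST = "Destination address"
FIELD_APP = "Application"
FIELD_NAME = "Threat/Content Name"
FIELD_DIR = "Direction"

# Which way the attachment really travels inside each mail session:
# over SMTP the session client submits the message to the server,
# over POP3 the session client downloads it from the server.
FILE_FLOW = {"smtp": "client-to-server", "pop3": "server-to-client"}

# Constructed sample export for the hosts in the article: 172.28.30.225 is the
# SMTP/POP3 server, 192.168.226.225 the mail client. The "name(id)" form of the
# threat name is also an assumption about the export format.
SAMPLE_CSV = """\
Receive Time,Source address,Destination address,Application,Threat/Content Name,Direction
2018/09/27 07:05:01,192.168.226.225,172.28.30.225,smtp,Locky.JSDownloader.Gen Javascript Detection(14283),client-to-server
2018/09/27 07:05:09,192.168.226.225,172.28.30.225,pop3,Locky.JSDownloader.Gen Javascript Detection(14283),client-to-server
2018/09/27 07:06:15,172.28.30.225,192.168.226.225,smtp,Locky.JSDownloader.Gen Javascript Detection(14613),server-to-client
2018/09/27 07:06:20,172.28.30.225,192.168.226.225,pop3,Locky.JSDownloader.Gen Javascript Detection(14613),server-to-client
"""


@dataclass
class MailThreat:
    threat_id: str
    app: str
    log_direction: str
    log_src: str
    log_dst: str
    session_client: str          # host that opened the TCP session (mail client)
    session_server: str          # host that accepted it (mail server)
    file_sender: str             # host that actually transmitted the attachment
    file_receiver: str           # host that actually received it
    log_matches_file_flow: bool  # True when the logged source is file_sender


def threat_id_from_name(name: str) -> str:
    """Pull the numeric ID out of 'Threat Name(12345)'; fall back to the raw name."""
    m = re.search(r"\((\d+)\)\s*$", name)
    return m.group(1) if m else name.strip()


def interpret(row: dict) -> MailThreat:
    app = row[FIELD_APP].strip().lower()
    direction = row[FIELD_DIR].strip().lower()
    if direction not in ("client-to-server", "server-to-client"):
        raise ValueError(f"unexpected direction value: {direction!r}")
    if app not in FILE_FLOW:
        raise ValueError(f"not a mail protocol handled here: {app!r}")
    src, dst = row[FIELD_SRC].strip(), row[FIELD_DST].strip()

    # The threat log writes the "attacking" side of the signature direction as
    # the source. Undo that to recover the real session roles.
    if direction == "client-to-server":
        client, server = src, dst
    else:
        client, server = dst, src

    # Then apply what the protocol says about where the attachment moved.
    if FILE_FLOW[app] == "client-to-server":
        sender, receiver = client, server
    else:
        sender, receiver = server, client

    return MailThreat(
        threat_id=threat_id_from_name(row[FIELD_NAME]),
        app=app,
        log_direction=direction,
        log_src=src,
        log_dst=dst,
        session_client=client,
        session_server=server,
        file_sender=sender,
        file_receiver=receiver,
        log_matches_file_flow=(src == sender),
    )


def parse_export(csv_text: str) -> list:
    """Interpret every SMTP/POP3 row of a threat log CSV export; skip other apps."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [interpret(r) for r in reader if r[FIELD_APP].strip().lower() in FILE_FLOW]


if __name__ == "__main__":
    for t in parse_export(SAMPLE_CSV):
        note = "" if t.log_matches_file_flow else "  <- log direction is reversed"
        print(f"{t.threat_id} {t.app:<4} log {t.log_src} -> {t.log_dst} "
              f"({t.log_direction}); file actually {t.file_sender} -> {t.file_receiver}{note}")
```

Run against the constructed sample, the two rows the article discusses (14283 on POP3, and a server-to-client signature on SMTP) come out flagged as reversed, while the other two match; the same function works on a real export once the column names are confirmed.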

owner: ymiyashita

Article URL: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm7jCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail