OR
  Network DNS contains msecure.ru
  Port Remote IP is 198.162.116.16
  Port Remote IP is 93.186.171.133
  Network DNS contains proscitomash.com
  Network DNS contains quliner.ru
  File MD5 is 0x91B64502A89D6C47D1ADBDE3EBBF2532
  Port Remote IP is 209.85.229.104
The first five items come from http://www.mcafee.com/us/resources/white-papers/wp-citadel-trojan.pdf.
The MD5 comes from http://www.threatexpert.com/report.aspx?md5=91b64502a89d6c47d1adbde3ebbf2532 (linked to by http://blog.malwarebytes.org/intelligence/2012/11/citadel-a-cyber-criminals-ultimate-weapon/).
And the last IP comes from the malwarebytes blog entry - it's the IP infected clients are redirected to when they try to access certain security sites.
As always, no warranties implied and comments, suggestions welcome. For some reason I still can't attach files, so here's the IOC pasted below.
<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="226666e7-e748-4488-8d86-a641614a4cfa" last-modified="2013-03-12T17:59:57" xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>Citadel</short_description>
  <description>http://www.mcafee.com/us/resources/white-papers/wp-citadel-trojan.pdf
http://blog.malwarebytes.org/intelligence/2012/11/citadel-a-cyber-criminals-ultimate-weapon/
http://www.threatexpert.com/report.aspx?md5=91b64502a89d6c47d1adbde3ebbf2532</description>
  <authored_by>Megan</authored_by>
  <authored_date>2013-03-12T16:15:00</authored_date>
  <links />
  <definition>
    <Indicator operator="OR" id="28123200-9893-4bbf-8b8b-c202c618be64">
      <IndicatorItem id="f130f7fe-8d1d-498b-a9d8-47cec37d3922" condition="contains">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">msecure.su</Content>
      </IndicatorItem>
      <IndicatorItem id="1b619eb3-4c35-4c47-bc82-10962d5a4771" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
        <Content type="IP">198.162.116.16</Content>
      </IndicatorItem>
      <IndicatorItem id="219264d9-3355-4da8-81d6-10bfe8ae23de" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
        <Content type="IP">93.186.171.133</Content>
      </IndicatorItem>
      <IndicatorItem id="2124ea6c-a4b5-45d4-af46-3e42eec0901b" condition="contains">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">proscitomash.com</Content>
      </IndicatorItem>
      <IndicatorItem id="8e31fb06-9bf6-4d62-92b0-adb9daff567a" condition="contains">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">quliner.ru</Content>
      </IndicatorItem>
      <IndicatorItem id="40862803-fb91-492d-8f7f-136c7d5ebe49" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir" />
        <Content type="md5">0x91B64502A89D6C47D1ADBDE3EBBF2532</Content>
      </IndicatorItem>
      <IndicatorItem id="76533f85-34a2-4812-8311-9e96c07c913c" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
        <Content type="IP">209.85.229.104</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
--
You received this message because you are subscribed to the Google Groups "OpenIOC" group.
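An added example, not part of Megan's post or of any OpenIOC tooling: a minimal Python evaluator for the IOC above that walks the Indicator/IndicatorItem tree, applies the OR operator and the "is"/"contains" conditions, canonicalises the IOC Editor's 0x-prefixed MD5 so it matches the bare lower-case hash a host tool reports, and lists which items hit. It assumes host observations are supplied as a dict keyed by the Context search strings, and the host data below is constructed.

```python
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Trimmed copy of the post's Citadel IOC (two of its seven IndicatorItems).
IOC_XML = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="226666e7-e748-4488-8d86-a641614a4cfa">
<definition><Indicator operator="OR" id="28123200-9893-4bbf-8b8b-c202c618be64">
<IndicatorItem id="f130f7fe-8d1d-498b-a9d8-47cec37d3922" condition="contains">
<Context document="Network" search="Network/DNS" type="mir" /><Content type="string">msecure.su</Content></IndicatorItem>
<IndicatorItem id="40862803-fb91-492d-8f7f-136c7d5ebe49" condition="is">
<Context document="FileItem" search="FileItem/Md5sum" type="mir" /><Content type="md5">0x91B64502A89D6C47D1ADBDE3EBBF2532</Content></IndicatorItem>
</Indicator></definition></ioc>"""

def normalise(value, ctype):
    # IOC Editor writes hashes as 0x-prefixed upper-case hex; host tools report bare lower-case.
    value = value.strip()
    if ctype == "md5":
        value = value[2:] if value.lower().startswith("0x") else value
        return value.lower()
    return value

def item_matches(item, observations):
    # Hit if any observation under the item's Context/search key satisfies its condition.
    search = item.find("ioc:Context", NS).get("search")
    content = item.find("ioc:Content", NS)
    expected = normalise(content.text, content.get("type"))
    for observed in observations.get(search, []):
        observed = normalise(observed, content.get("type"))
        if (item.get("condition") == "is" and observed == expected) or \
           (item.get("condition") == "contains" and expected in observed):
            return True
    return False

def evaluate(node, observations, hits):
    # Indicator nodes combine their children with AND/OR; IndicatorItems are leaves.
    if node.tag.endswith("}IndicatorItem"):
        hit = item_matches(node, observations)
        if hit:
            hits.append(node.get("id"))
        return hit
    results = [evaluate(child, observations, hits) for child in node]
    return any(results) if node.get("operator") == "OR" else all(results)

def scan_host(ioc_xml, observations):
    # Returns (matched, [ids of the IndicatorItems that hit]) for one host's data.
    hits = []
    top = ET.fromstring(ioc_xml).find("ioc:definition/ioc:Indicator", NS)
    return evaluate(top, observations, hits), hits
# Constructed host data (assumed key layout): one host showing both indicators, one clean host.
INFECTED = {"Network/DNS": ["www.example.com", "cdn.msecure.su"],
            "FileItem/Md5sum": ["91b64502a89d6c47d1adbde3ebbf2532"]}
CLEAN = {"Network/DNS": ["www.example.com"], "FileItem/Md5sum": ["d41d8cd98f00b204e9800998ecf8427e"]}
```

Nested AND/OR Indicator blocks from richer IOCs evaluate the same way, since evaluate recurses on every Indicator node.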