alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE All Numerical .ru Domain Lookup Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|00|"; fast_pattern; distance:0; nocase; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02ru\x00/i"; content:!"|03|101|02|ru"; content:!"|07|9366858|02|ru"; classtype:misc-activity; sid:2012328; rev:6; metadata:created_at 2011_02_21, updated_at 2011_02_21;)

Added 2017-08-07 21:05:27 UTC
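The rev 6 rule above, re-implemented as a stand-alone Python check so its content matches, the pcre and the two negated contents can be exercised against constructed DNS query packets. This is an added example, not part of the original page or of the Emerging Threats rule set; the packet builder, the function names and the sample query names are assumptions, and only the UDP payload is examined (the rule's `$HOME_NET any -> any 53` flow condition is left to the caller).

```python
import re
import struct

# Match conditions transcribed from sid 2012328 rev 6 (the rule text on this page).
HEADER_CONTENT = b"\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"  # content at offset:2 depth:10
RU_LABEL_RE = re.compile(rb"\x02ru\x00", re.IGNORECASE)        # content "|02|ru|00|" nocase
ALLNUM_RU_RE = re.compile(rb"\x00[\x02-\x1E][0-9]{2,30}\x02ru\x00", re.IGNORECASE)  # the pcre
NEGATED_CONTENTS = (b"\x03101\x02ru", b"\x079366858\x02ru")    # content:! exceptions, no nocase


def build_dns_query(name: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Constructed sample input: a standard A/IN query in DNS wire format.

    Header: ID, flags (0x0100 = standard query with RD set), QDCOUNT=1,
    ANCOUNT/NSCOUNT/ARCOUNT=0. QNAME is a sequence of length-prefixed
    labels terminated by a zero byte.
    """
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def rule_2012328_matches(payload: bytes) -> bool:
    """Apply the rule's content/pcre checks to one UDP payload, in rule order.

    Flow direction and destination port are not checked here; the caller is
    assumed to have selected outbound port-53 UDP traffic already.
    """
    # content:"|01 00 00 01 ...|"; offset:2; depth:10 -> bytes 2..11 must equal it exactly
    if payload[2:12] != HEADER_CONTENT:
        return False
    # content:"|02|ru|00|"; distance:0; nocase -> searched from the end of the previous match
    if RU_LABEL_RE.search(payload, 12) is None:
        return False
    # pcre: in a plain one-question query the \x00 before the length byte is the low
    # byte of ARCOUNT, so the numeric label must be the first label and "ru" the only
    # label after it; a digit-only subdomain of a longer name does not match
    if ALLNUM_RU_RE.search(payload) is None:
        return False
    # negated contents: a hit on either listed benign name suppresses the alert
    if any(neg in payload for neg in NEGATED_CONTENTS):
        return False
    return True


def classify(names):
    """Return {query name: would alert?} for a list of names, for quick review."""
    return {n: rule_2012328_matches(build_dns_query(n)) for n in names}


if __name__ == "__main__":
    sample = ["3332222.ru", "76.ru", "9186748.ru", "101.ru", "9366858.ru",
              "mail.ru", "123.example.ru"]
    for name, fires in classify(sample).items():
        print(f"{name:16s} -> {'ALERT' if fires else 'no alert'}")
```

Running it shows the limit of negation-based exceptions: 101.ru and 9366858.ru are silenced by the two `content:!` clauses, but the other all-numeric names reported as false positives in the discussion on this page (3332222.ru, 76.ru, 9186748.ru) still alert under rev 6, because each benign name has to be listed explicitly. A DNS response (QR bit set) never matches, since the flags bytes fail the first content check.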


alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE All Numerical .ru Domain Lookup Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|00|"; fast_pattern; distance:0; nocase; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02ru\x00/i"; content:!"|03|101|02|ru"; content:!"|07|9366858|02|ru"; classtype:misc-activity; sid:2012328; rev:6;)

Added 2017-06-27 18:46:15 UTC

These are false positives:

1) 3332222.ru

2) 76.ru

3) 9186748.ru

All sites are scanned with VirusTotal and are known to Google.

-- VaC - 2017-06-30

I think signature 2012649 can be updated also.

-- VaC - 2017-06-30


alert udp $HOME_NET any -> any 53 (msg:"ET MALWARE All Numerical .ru Domain Lookup Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru|00|"; fast_pattern; distance:0; nocase; pcre:"/\x00[\x02-\x1E][0-9]{2,30}\x02ru\x00/i"; classtype:misc-activity; sid:2012328; rev:5;)

Added 2012-03-15 10:52:25 UTC

It seems that there are false positives for domains:

I) 101.ru - it's a Russian online radio station, Google knows about it, no malicious behaviour is noticed with VirusTotal

II) 9366858.ru - it's an online shop of Chinese auto parts in Russia; the number 9366858 is part of their mobile number. One of their mobile phone contacts: (812) 936-68-58, and email box 9219366858@mail.ru (here is a link to the contact page on their web-site: http://9366858.ru/kontakty-nashih-magazinov). VirusTotal and other web-site trust checking sites don't show any malicious behaviour on this site.

-- VadymChakrian - 2017-06-26

Thanks, will get those negations in today!

-- DarienH - 2017-06-27


alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE All Numerical .ru Domain Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru"; fast_pattern; distance:0; nocase; pcre:"/[\x02-\x1E][0-9]{2,30}\x02ru/i"; classtype:misc-activity; sid:2012328; rev:2;)

Added 2011-10-12 19:34:00 UTC


alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE All Numerical .ru Domain Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru"; fast_pattern; distance:0; nocase; pcre:"/[\x02-\x1E][0-9]{2,30}\x02ru/i"; classtype:misc-activity; sid:2012328; rev:2;)

Added 2011-04-08 18:04:15 UTC


alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE All Numerical .ru Domain Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru"; fast_pattern; pcre:"/[\x02-\x1E][0-9]{2,30}\x02ru/i"; distance:0; nocase; classtype:misc-activity; sid:2012328; rev:1;)

Added 2011-02-21 17:32:02 UTC


alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE All Numerical .ru Domain Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru"; fast_pattern; pcre:"/[\x02-\x1E][0-9]{2,30}\x02ru/i"; distance:0; nocase; classtype:misc-activity; sid:2012328; rev:1;)

Added 2011-02-21 17:31:52 UTC


alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET MALWARE All Numerical .ru Domain Likely Malware Related"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|ru"; fast_pattern; pcre:"/[\x02-\x1E][0-9]{2,30}\x02ru/i"; distance:0; nocase; classtype:misc-activity; sid:2012328; rev:1;)

Added 2011-02-21 16:59:46 UTC


Topic revision: r4 - 2017-06-30 - VaC