[Bro] Bro to detect Ransomware
Zied Turki
zied.turki at outlook.com
Tue Nov 17 01:19:40 PST 2015
Hello,
Thank you for the prompt reply.
I will try to do that.
Kind regards,
Zied
Date: Mon, 16 Nov 2015 14:31:06 -0800
Subject: Re: [Bro] Bro to detect Ransomware
From: anthony.kasza at gmail.com
To: zied.turki at outlook.com
CC: bro at bro.org
Most ransomware indicators are host based.
From a network monitoring perspective there are three things I can think of which you can look for with Bro.
1) Some families of ransomware will contact STUN services to geolocate themselves so they can display a ransom message in a native language. Look for connections to these services.
2) Some families of ransomware use Tor for beaconing after initial execution. Look for connections to Tor.
3) Email spam and exploit kits are known distribution mechanisms for a good amount of ransomware. Check hashes from inbound emails against VT and ensure your users aren't visiting known EK URLs.
-AK
On Nov 16, 2015 3:30 PM, "Zied Turki" <zied.turki at outlook.com> wrote:
Hi all,
I am new to Bro scripts and I am trying to build a platform to detect Ransomware like CryptoLocker using Bro IDS.
I am wondering whether Bro mechanisms and Frameworks can be useful to detect this kind of malware. Please, has anyone tried to build some scripts to do that before? Any ideas, please?
Many thanks,
BR,
Zied
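As an added example (not from the list thread or the Bro project), the following Bro script turns the first two hints above, STUN contacts and Tor contacts, into notices. It assumes Site::local_nets is configured for your site; the STUN port set uses the standard ports, and tor_relays is an empty placeholder the operator fills from a relay list.

```bro
##! Raise notices for network-side ransomware hints: STUN and Tor contacts.
##! Added example; assumes Site::local_nets is set in your site config.

@load base/frameworks/notice
@load base/utils/site

module RansomwareHints;

export {
	redef enum Notice::Type += {
		## A local host contacted a STUN service.
		STUN_Contact,
		## A local host contacted an address listed as a Tor relay.
		Tor_Contact,
	};

	## Standard STUN/TURN ports (RFC 5389). Extend via redef as needed.
	const stun_ports: set[port] = { 3478/udp, 3478/tcp, 5349/tcp } &redef;

	## Tor relay addresses. Placeholder: empty here; populate it from a
	## relay list with the Input framework or a redef in local.bro.
	const tor_relays: set[addr] = {} &redef;
}

# new_connection fires for TCP and UDP alike, so UDP STUN is covered too.
event new_connection(c: connection)
	{
	# Only traffic that originates inside the monitored network matters.
	if ( ! Site::is_local_addr(c$id$orig_h) )
		return;

	if ( c$id$resp_p in stun_ports )
		NOTICE([$note=STUN_Contact, $conn=c,
		        $msg=fmt("%s contacted STUN service %s:%s",
		                 c$id$orig_h, c$id$resp_h, c$id$resp_p),
		        # One notice per host/service pair per suppression interval.
		        $identifier=cat(c$id$orig_h, c$id$resp_h)]);

	if ( c$id$resp_h in tor_relays )
		NOTICE([$note=Tor_Contact, $conn=c,
		        $msg=fmt("%s contacted Tor relay %s", c$id$orig_h, c$id$resp_h),
		        $identifier=cat(c$id$orig_h, c$id$resp_h)]);
	}

# For the third hint (attachment hashes), Bro ships
# policy/frameworks/files/detect-MHR.bro, which checks hashes of files seen
# on the wire (SMTP attachments included) against Team Cymru's Malware Hash
# Registry rather than VT; load it with "@load frameworks/files/detect-MHR".
```

Drop the script into local.bro's load path and tune stun_ports and tor_relays for your environment; notices land in notice.log alongside the rest of the Notice framework's output.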
_______________________________________________
Bro mailing list
bro at bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro