SRX


Can someone confirm whether Juniper IPS has signature for Monero Mining Malware?

  • 1.  Can someone confirm whether Juniper IPS has signature for Monero Mining Malware?

    Posted 03-20-2019 00:17

    Hi all,


    I'm trying to find out whether the Juniper IPS signature database has a signature for blocking Monero mining malware, but haven't found one.

    https://cointelegraph.com/news/research-warns-familiar-monero-mining-malware-is-infecting-windows-systems


    Appreciate if someone can explain to me.


    Thanks



  • 2.  RE: Can someone confirm whether Juniper IPS has signature for Monero Mining Malware?

    Posted 03-20-2019 00:38

    I would not expect the IPS to block this kind of malware.


    This is more a task for the AV engine or the Sky ATP file emulation service combined with the threat feed for C&C servers (actually I do not know if C&C for crypto miners is in this category; you will have to ask Juniper SEs to get this information).

    It could also to some extent be accomplished by the enhanced web filter blocking categories like "Compromised Websites", "Suspicious Content", "Bot Networks", "Potentially Unwanted Software" or similar.

    (all categories are listed here: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-category-web-filtering.html)

    For both AV and Sky ATP to have a chance of catching this malware, I would also expect you to run SSL forward proxy on the SRX gateway to be able to scan HTTPS traffic.

    Sky ATP threat feeds and Enhanced web filter will work without SSL forward proxy.


    I hope this clarifies your options to mitigate this kind of threat.



  • 3.  RE: Can someone confirm whether Juniper IPS has signature for Monero Mining Malware?

    Posted 03-20-2019 16:22

    Hi

    It looks like the signature attack was just released yesterday. So my second question is how to check whether this signature attack is already bundled into the "Recommended" policy template or not, because currently I'm using the "Recommended" policy template. Appreciate anyone's feedback.


    srx5800> show security idp attack detail HTTP:BIT-COIN-MINING
    Display Name: HTTP: Bit-Coin Cryptocurrency Mining
    Severity: Major
    Category: HTTP
    Recommended: true
    Recommended Action: Drop
    Type: signature
    Direction: CTS
    False Positives: unknown
    Shellcode: no
    Flow: control
    Context: http-first-data-chunk
    Negate: false
    TimeBinding:
    Scope: none
    Count: 1
    Hidden Pattern: True
    Pattern: Protected



  • 4.  RE: Can someone confirm whether Juniper IPS has signature for Monero Mining Malware?
    Best Answer

    Posted 03-27-2019 19:16

    Can you try: file show /var/db/idpd/sets/Recommnded.set | find "BIT-COIN-MINING"

    ref: https://kb.juniper.net/InfoCenter/index?page=content&id=KB27134
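    To apply the check from this answer and the attack detail output in reply 3 without typing them into the CLI one at a time, here is an added Python helper (not Juniper's code or anything posted in this thread). It parses the "show security idp attack detail" output, reads the Recommended flag and action, and searches a set-file listing for the attack name; the set-file excerpt, the placeholder attack name and the function names are constructed assumptions, and treating "Recommended: true" as the attribute behind the Recommended template is an assumption to confirm against the .set file as suggested above.

```python
"""Hypothetical helper: parse Junos IDP attack detail output and check
whether an attack object is flagged Recommended / listed in a set file."""
from typing import Dict, Iterable, Tuple

# Constructed sample: the output pasted in reply 3, copied verbatim.
SAMPLE_DETAIL = """\
Display Name: HTTP: Bit-Coin Cryptocurrency Mining
Severity: Major
Category: HTTP
Recommended: true
Recommended Action: Drop
Type: signature
Direction: CTS
False Positives: unknown
Shellcode: no
Flow: control
Context: http-first-data-chunk
Negate: false
TimeBinding:
Scope: none
Count: 1
Hidden Pattern: True
Pattern: Protected
"""

# Constructed stand-in for 'file show .../Recommnded.set' output; the real
# file format is not shown on the page, so only the attack name matters here.
SAMPLE_SET = ["HTTP:BIT-COIN-MINING", "EXAMPLE:PLACEHOLDER-ATTACK"]


def parse_attack_detail(text: str) -> Dict[str, str]:
    """Turn 'Key: value' lines into a dict. Splitting on the FIRST colon
    keeps the inner colon in 'Display Name: HTTP: Bit-Coin ...' intact,
    and a bare 'TimeBinding:' line yields an empty value, not an error."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def recommended_status(text: str) -> Tuple[bool, str]:
    """Return (Recommended flag as bool, Recommended Action) from the detail."""
    fields = parse_attack_detail(text)
    is_recommended = fields.get("Recommended", "").lower() == "true"
    return is_recommended, fields.get("Recommended Action", "")


def in_set_file(set_lines: Iterable[str], attack_name: str) -> bool:
    """Offline equivalent of '| find "BIT-COIN-MINING"' over set-file lines."""
    return any(attack_name in line for line in set_lines)
```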



  • 5.  RE: Can someone confirm whether Juniper IPS has signature for Monero Mining Malware?

    Posted 03-28-2019 00:55

    Hi rsuraj,


    Many thanks