SRX Services Gateway

Can someone confirm whether Juniper IPS has signature for Monero Mining Malware?

03-20-2019 12:16 AM

Hi all,

I'm trying to find out whether the Juniper IPS signature set has a signature for blocking Monero mining malware, but I have not found one.


https://cointelegraph.com/news/research-warns-familiar-monero-mining-malware-is-infecting-windows-sy...

I would appreciate it if someone could explain this to me.


Thanks

4 REPLIES

Re: Can someone confirm whether Juniper IPS has signature for Monero Mining Malware?

03-20-2019 12:37 AM

I would not expect the IPS to block this kind of malware.


This is more a task for the AV-engine or the Sky ATP file emulation service combined with the threatfeed for C&C servers (actually I do not know if C&C for crypto miners are in this category, you will have to ask Juniper SE's to get this information).

It could also, to some extent, be accomplished by the enhanced webfilter blocking categories like "Compromised Websites", "Suspicious Content", "Bot Networks", "Potentially Unwanted Software" or similar.

(all categories are listed here: https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-...)

If both AV and Sky ATP are to have a chance of catching this malware, I would also expect you to run SSL forward proxy on the SRX gateway to be able to scan HTTPS traffic.

Sky ATP threat feeds and Enhanced webfilter will work without SSL forward proxy.


I hope this clarifies your options to mitigate this kind of threat.


--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)

Re: Can someone confirm whether Juniper IPS has signature for Monero Mining Malware?

03-20-2019 04:22 PM

Hi

It looks like the attack signature was just released yesterday. So my second question is how to check whether this attack signature is already bundled into the "Recommended" policy template or not, because currently I'm using the "Recommended" policy template. I'd appreciate anyone's feedback.

srx5800> show security idp attack detail HTTP:BIT-COIN-MINING
Display Name: HTTP: Bit-Coin Cryptocurrency Mining
Severity: Major
Category: HTTP
Recommended: true
Recommended Action: Drop
Type: signature
Direction: CTS
False Positives: unknown
Shellcode: no
Flow: control
Context: http-first-data-chunk
Negate: false
TimeBinding:
Scope: none
Count: 1
Hidden Pattern: True
Pattern: Protected
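As an added example (not the poster's own, and not a Juniper tool), the following parses the `show security idp attack detail` output quoted above and pulls out the `Recommended` flag and `Recommended Action`, so that a list of attack objects can be audited the same way. The layout assumed is the `Key: Value` lines shown in the post; the first sample is copied from the thread, the second (`HTTP:EXAMPLE-NOT-RECOMMENDED`) is a constructed stand-in with `Recommended: false` to exercise the audit path. Note that this only reads the flag the CLI reports for the attack object; the accepted answer below checks the policy set file on the box.

```python
"""Parse `show security idp attack detail <name>` output (Junos SRX) and
report whether each attack object is flagged Recommended and what action
it recommends. Added example; the `Key: Value` layout is an assumption
based on the output quoted in the thread."""

# Output copied from the thread (attack object HTTP:BIT-COIN-MINING).
BITCOIN_MINING_DETAIL = """\
Display Name: HTTP: Bit-Coin Cryptocurrency Mining
Severity: Major
Category: HTTP
Recommended: true
Recommended Action: Drop
Type: signature
Direction: CTS
False Positives: unknown
Shellcode: no
Flow: control
Context: http-first-data-chunk
Negate: false
TimeBinding:
Scope: none
Count: 1
Hidden Pattern: True
Pattern: Protected
"""

# Constructed sample (not a real attack object) to exercise the audit path.
NOT_RECOMMENDED_DETAIL = """\
Display Name: HTTP: Example Not In Recommended Set
Severity: Minor
Category: HTTP
Recommended: false
Recommended Action: None
Type: signature
Direction: CTS
"""


def parse_attack_detail(text):
    """Turn `Key: Value` lines into a dict.

    Only the first colon separates key from value, so a value that itself
    contains a colon (e.g. 'HTTP: Bit-Coin Cryptocurrency Mining') survives
    intact. Lines without a colon are ignored; a key with an empty value
    (e.g. 'TimeBinding:') is kept with ''.
    """
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        key = key.strip()
        if key:
            fields[key] = value.strip()
    return fields


def recommended_status(text):
    """Return the Recommended flag, recommended action and direction."""
    fields = parse_attack_detail(text)
    return {
        "name": fields.get("Display Name", ""),
        "recommended": fields.get("Recommended", "").lower() == "true",
        "action": fields.get("Recommended Action") or None,
        "direction": fields.get("Direction") or None,
    }


def not_recommended(details):
    """Audit helper: given {attack_object_name: cli_output}, return the names
    of attack objects whose detail output does not carry Recommended: true."""
    return sorted(
        name for name, text in details.items()
        if not recommended_status(text)["recommended"]
    )


if __name__ == "__main__":
    catalogue = {
        "HTTP:BIT-COIN-MINING": BITCOIN_MINING_DETAIL,
        "HTTP:EXAMPLE-NOT-RECOMMENDED": NOT_RECOMMENDED_DETAIL,
    }
    for name, text in catalogue.items():
        print(name, recommended_status(text))
    print("not flagged Recommended:", not_recommended(catalogue))
```

In practice the text passed in would be collected from the device (for example via the Junos CLI or an automation session) for each attack object of interest; anything returned by `not_recommended` is a candidate that the "Recommended" template would not cover and would need a custom IDP policy rule.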

Solution
Accepted by topic author kronicklez, 03-28-2019 12:56 AM

Re: Can someone confirm whether Juniper IPS has signature for Monero Mining Malware?

03-27-2019 07:16 PM

Can you try "file show /var/db/idpd/sets/Recommended.set | find "BIT-COIN-MINING""

ref: https://kb.juniper.net/InfoCenter/index?page=content&id=KB27134

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: Can someone confirm whether Juniper IPS has signature for Monero Mining Malware?

03-28-2019 12:55 AM

Hi rsuraj,


Many thanks