[Emerging-Sigs] gicia.info

Matt Jonkman jonkman at jonkmans.com
Tue Jul 8 15:17:39 EDT 2008


#by Philipp Bescht
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Gicia.info Related Trojan Checkin"; flow:established,to_server; uricontent:"/cd/"; uricontent:".php?id="; nocase; uricontent:"&ver="; nocase; content:"|0d 0a|Host\: gicia.info"; classtype:trojan-activity; sid:2008382; rev:1;)

This is what I meant; I forgot to mention I was looking to hit on the hostname 
too for now.

Matt

Philipp Bescht wrote:
> That won't work, because the value of $id changes; only the parameters
> are still the same.
> I posted about that host on castlecops a few months ago
> (http://www.castlecops.com/t219733-iframe_loading_hxxp_cdpuvbhfzz_com_dl_adv598_php.html),
> which shows another value:
> hxxp://gicia.info/cd/cd.php?id=1-1C89D6591737ECD&ver=nz1 
> 
> 
> Regards,
> Philipp
> 
> 
> 
> On Tue, 08 Jul 2008 14:58:44 -0400
> Matt Jonkman <jonkman at jonkmans.com> wrote:
> 
>> Great catch!
>>
>> We definitely want to avoid pcre if possible, and I think it is here. 
>> How about summarizing down to one sig just going for ".php",
>> "1C8E0A5E" and "&ver="
>>
>> Does that cover the iterations correctly? If so I'll post it.
>>
>> Matt
>>
>> Philipp Bescht wrote:
>>> hi,
>>>
>>> gicia.info is a c&c related to the injected domain google-stat.net
>>> as mentioned in the recent ISC SANS diary ('Bad url
>>> classification'). I came across this one a few months ago already
>>> and noticed the uri parameters did not change. The requests look
>>> like this:
>>>
>>> GET /cd/cd.php?id=1C8E0A5E3A08956&ver=nz1
>>> GET /cd/un2.php?id=1C8E0A5E3A08956&ver=nz0
>>> GET /cd/cd.php?id=1C8E0A5E3A08956&ver=nz0
>>> GET /cd/cd.php?id=1-1C8E0A5E592D4D0&ver=nz1
>>> GET /cd/un.php?id=1C8E0A5E3A08956&ver=ig0
>>>
>>> Now I propose the following 3 signatures:
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>> (msg:"gicia.info trojan activity"; flow:established,to_server;
>>> uricontent:"/cd/cd.php?id="; nocase; uricontent:"&ver=nz"; nocase;
>>> classtype:trojan-activity; sid:2009957; rev:1;)
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>> (msg:"gicia.info trojan activity 2"; flow:established,to_server;
>>> uricontent:"/cd/un2.php?id="; nocase; uricontent:"&ver=nz"; nocase;
>>> classtype:trojan-activity; sid:2009958; rev:1;)
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>>> (msg:"gicia.info trojan activity 3"; flow:established,to_server;
>>> uricontent:"/cd/un.php?id="; nocase; uricontent:"&ver=ig"; nocase;
>>> classtype:trojan-activity; sid:2009959; rev:1;)
>>>
>>> My question is: Is it better (in terms of performance) to sum those
>>> up in one single signature using pcre, or is there anything else to
>>> optimize (perhaps even using just the first signature and skipping
>>> the others)?
>>>
>>> Thanks in advance and best regards,
>>> Philipp
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
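Added example, not code from this thread or from Emerging Threats: a minimal evaluator for the uricontent/content checks the thread debates, run against constructed requests built from the URIs Philipp posted plus a benign lookalike to another host. It simplifies Snort semantics (no URI normalization, no flow tracking) and assumes the Host header the consolidated rule is meant to match is gicia.info, the domain the thread is about; sid 0 is a placeholder for Matt's first id-fragment idea, which was never posted as a rule.

```python
# Added example, not code from the thread: evaluate the discussed
# uricontent/content checks against constructed HTTP requests.
# Simplified Snort semantics: uricontent patterns are tested against the
# request URI, content patterns against the raw request text, each
# honoring its nocase flag. No URI normalization or flow tracking.
from dataclasses import dataclass, field
from typing import List, Tuple

Pattern = Tuple[str, bool]  # (literal to find, nocase)


@dataclass
class Rule:
    sid: int
    msg: str
    uricontent: List[Pattern]
    content: List[Pattern] = field(default_factory=list)


def _contains(haystack: str, needle: str, nocase: bool) -> bool:
    if nocase:
        return needle.lower() in haystack.lower()
    return needle in haystack


def request_uri(request: str) -> str:
    """Return the URI from the request line, or '' if the line is malformed."""
    parts = request.split("\r\n", 1)[0].split(" ")
    return parts[1] if len(parts) >= 2 else ""


def rule_matches(rule: Rule, request: str) -> bool:
    """All uricontent patterns must hit the URI and all content patterns the raw request."""
    uri = request_uri(request)
    if not all(_contains(uri, pat, nc) for pat, nc in rule.uricontent):
        return False
    return all(_contains(request, pat, nc) for pat, nc in rule.content)


# Philipp's three proposed rules, patterns and sids as posted in the thread.
NARROW_RULES = [
    Rule(2009957, "gicia.info trojan activity",
         [("/cd/cd.php?id=", True), ("&ver=nz", True)]),
    Rule(2009958, "gicia.info trojan activity 2",
         [("/cd/un2.php?id=", True), ("&ver=nz", True)]),
    Rule(2009959, "gicia.info trojan activity 3",
         [("/cd/un.php?id=", True), ("&ver=ig", True)]),
]

# Matt's first idea: key on the literal id fragment (sid 0 is a placeholder).
ID_FRAGMENT_RULE = Rule(0, "id fragment (placeholder sid)",
                        [(".php", False), ("1C8E0A5E", False), ("&ver=", False)])

# Matt's consolidated rule: generic URI shape plus a Host header check.
# Assumption: the intended host is gicia.info, the domain the thread is about.
CONSOLIDATED_RULE = Rule(2008382, "ET CURRENT_EVENTS Gicia.info Related Trojan Checkin",
                         [("/cd/", False), (".php?id=", True), ("&ver=", True)],
                         [("\r\nHost: gicia.info", False)])

ALL_RULES = NARROW_RULES + [ID_FRAGMENT_RULE, CONSOLIDATED_RULE]


def build_request(uri: str, host: str) -> str:
    """Constructed client request (no real traffic was captured for this example)."""
    return f"GET {uri} HTTP/1.1\r\nHost: {host}\r\nUser-Agent: Mozilla/4.0\r\n\r\n"


# Constructed samples: the URIs quoted in the thread plus a benign lookalike
# to another host, to show what the Host check adds.
SAMPLES = [
    ("/cd/cd.php?id=1C8E0A5E3A08956&ver=nz1", "gicia.info"),
    ("/cd/un2.php?id=1C8E0A5E3A08956&ver=nz0", "gicia.info"),
    ("/cd/un.php?id=1C8E0A5E3A08956&ver=ig0", "gicia.info"),
    ("/cd/cd.php?id=1-1C89D6591737ECD&ver=nz1", "gicia.info"),   # castlecops sample, different id
    ("/cd/cd.php?id=42&ver=nz1", "www.example.com"),            # benign lookalike
]


def fired_sids(request: str, rules=ALL_RULES) -> List[int]:
    """Sids of every rule that matches the given raw request."""
    return [r.sid for r in rules if rule_matches(r, request)]


def evaluate(samples=SAMPLES, rules=ALL_RULES) -> dict:
    """Map each sample URI to the sids that would fire on it."""
    return {uri: fired_sids(build_request(uri, host), rules) for uri, host in samples}


if __name__ == "__main__":
    for uri, sids in evaluate().items():
        print(f"{uri:45s} -> {sids}")
```

Running it shows the two points made in the thread: the id-fragment idea misses the castlecops request because its id differs, while the consolidated rule covers all four gicia.info URIs with a single signature; and the Host check is what keeps the consolidated rule from firing on the same URI shape sent to an unrelated host, which Philipp's narrowest rule (2009957) does not distinguish.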
