[Emerging-Sigs] gicia.info
Philipp Bescht
philipp at bescht.de
Tue Jul 8 15:18:49 EDT 2008
Looks good, but this one wouldn't catch
GET /cd/un.php?id=1C8E0A5E3A08956&ver=ig0
because $ver=ig0
On Tue, 08 Jul 2008 15:15:08 -0400
Matt Jonkman <jonkman at jonkmans.com> wrote:
> Ahh, ok. I thought those were across different infected hosts.
>
> How about these for one sig then:
> uricontent:"/cd/"; uricontent:".php?id="; nocase;
> uricontent:"&ver=nz"; nocase;
>
> And I'll keep it in current_events as it'll likely be obsolete in a
> month or so.
>
> Matt
>
> Philipp Bescht wrote:
> > That won't work, because the value of $id changes, only the
> > parameters are still the same.
> > I posted about that host on castlecops a few months ago
> > (http://www.castlecops.com/t219733-iframe_loading_hxxp_cdpuvbhfzz_com_dl_adv598_php.html),
> > which shows another value:
> > hxxp://gicia.info/cd/cd.php?id=1-1C89D6591737ECD&ver=nz1
> >
> >
> > Regards,
> > Philipp
> >
> >
> >
> > On Tue, 08 Jul 2008 14:58:44 -0400
> > Matt Jonkman <jonkman at jonkmans.com> wrote:
> >
> >> Great catch!
> >>
> >> We definitely want to avoid pcre if possible, and I think it is
> >> here. How about summarizing down to one sig just going for ".php",
> >> "1C8E0A5E" and "&ver="
> >>
> >> That cover the iterations correctly? If so I'll post it.
> >>
> >> Matt
> >>
> >> Philipp Bescht wrote:
> >>> hi,
> >>>
> >>> gicia.info is a c&c related to the injected domain
> >>> google-stat.net as mentioned in the recent ISC SANS diary ('Bad
> >>> url classification'). I came across this one a few months ago
> >>> already and noticed the uri parameters did not change. The
> >>> requests look like this:
> >>>
> >>> GET /cd/cd.php?id=1C8E0A5E3A08956&ver=nz1
> >>> GET /cd/un2.php?id=1C8E0A5E3A08956&ver=nz0
> >>> GET /cd/cd.php?id=1C8E0A5E3A08956&ver=nz0
> >>> GET /cd/cd.php?id=1-1C8E0A5E592D4D0&ver=nz1
> >>> GET /cd/un.php?id=1C8E0A5E3A08956&ver=ig0
> >>>
> >>> Now I propose the following 3 signatures:
> >>>
> >>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> >>> (msg:"gicia.info trojan activity"; flow:established,to_server;
> >>> uricontent:"/cd/cd.php?id="; nocase; uricontent:"&ver=nz"; nocase;
> >>> classtype:trojan-activity; sid:2009957; rev:1;)
> >>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> >>> (msg:"gicia.info trojan activity 2"; flow:established,to_server;
> >>> uricontent:"/cd/un2.php?id="; nocase; uricontent:"&ver=nz";
> >>> nocase; classtype:trojan-activity; sid:2009958; rev:1;)
> >>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> >>> (msg:"gicia.info trojan activity 3"; flow:established,to_server;
> >>> uricontent:"/cd/un.php?id="; nocase; uricontent:"&ver=ig"; nocase;
> >>> classtype:trojan-activity; sid:2009959; rev:1;)
> >>>
> >>> My question is: Is it better (in terms of performance) to sum
> >>> those up in one single signature using pcre, or is there anything
> >>> else to optimize (perhaps even using just the first signature and
> >>> skipping the others)?
> >>>
> >>> Thanks in advance and best regards,
> >>> Philipp
> >>> _______________________________________________
> >>> Emerging-sigs mailing list
> >>> Emerging-sigs at emergingthreats.net
> >>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
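The thread turns on whether a merged signature still covers every request sample. The following script is an added example (not part of the list thread or of any ET rule set): it models Snort's uricontent/nocase matching as plain substring tests on the URI (a simplification; real Snort applies nocase only to the preceding content keyword and normalizes the URI buffer first, and this toy does no depth/offset handling), runs the three originally proposed rules and the merged candidate over the URIs quoted above, and reports which samples each rule catches and which samples no rule catches.

```python
"""Coverage check of candidate uricontent rules over the sample requests.

Added example, not code from the Emerging-Sigs thread. The matcher is a
simplified model of Snort uricontent/nocase semantics (unordered substring
match on the URI), not Snort itself.
"""
import re

# Request URIs as quoted in the thread (five from the original post plus the
# castlecops sample); no values are invented here.
SAMPLE_URIS = [
    "/cd/cd.php?id=1C8E0A5E3A08956&ver=nz1",
    "/cd/un2.php?id=1C8E0A5E3A08956&ver=nz0",
    "/cd/cd.php?id=1C8E0A5E3A08956&ver=nz0",
    "/cd/cd.php?id=1-1C8E0A5E592D4D0&ver=nz1",
    "/cd/un.php?id=1C8E0A5E3A08956&ver=ig0",
    "/cd/cd.php?id=1-1C89D6591737ECD&ver=nz1",
]

# Only the uricontent/nocase options of each proposed rule are needed here.
RULES = {
    "sid:2009957": 'uricontent:"/cd/cd.php?id="; nocase; uricontent:"&ver=nz"; nocase;',
    "sid:2009958": 'uricontent:"/cd/un2.php?id="; nocase; uricontent:"&ver=nz"; nocase;',
    "sid:2009959": 'uricontent:"/cd/un.php?id="; nocase; uricontent:"&ver=ig"; nocase;',
    "merged":      'uricontent:"/cd/"; uricontent:".php?id="; nocase; uricontent:"&ver=nz"; nocase;',
}

# A uricontent option, optionally followed by the nocase modifier that
# applies to it (in Snort, nocase binds to the preceding content keyword).
_OPT_RE = re.compile(r'uricontent:"([^"]*)";(\s*nocase;)?')


def parse_uricontents(options):
    """Return [(pattern, nocase_flag), ...] parsed from a rule option string."""
    return [(m.group(1), m.group(2) is not None) for m in _OPT_RE.finditer(options)]


def rule_matches(options, uri):
    """True when every uricontent pattern of the rule occurs in the URI."""
    for pattern, nocase in parse_uricontents(options):
        hay, needle = (uri.lower(), pattern.lower()) if nocase else (uri, pattern)
        if needle not in hay:
            return False
    return True


def coverage(rules, uris):
    """Map each rule name to the list of sample URIs it matches."""
    return {name: [u for u in uris if rule_matches(opts, u)] for name, opts in rules.items()}


def uncovered(rules, uris):
    """Sample URIs that none of the given rules matches."""
    return [u for u in uris if not any(rule_matches(o, u) for o in rules.values())]


if __name__ == "__main__":
    for name, hits in coverage(RULES, SAMPLE_URIS).items():
        print(f"{name}: {len(hits)}/{len(SAMPLE_URIS)} samples")
    print("missed by merged rule:", uncovered({"merged": RULES["merged"]}, SAMPLE_URIS))
```

Running it shows the merged rule catching five of the six samples and missing `/cd/un.php?id=1C8E0A5E3A08956&ver=ig0`, the gap Philipp points out, while the three separate rules together leave nothing uncovered; the same harness can be re-run whenever a new sample URI turns up before a rule revision is posted.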