[Emerging-Sigs] TROJAN Infection Checking Internet IP

RPG inittab at jtan.com
Sat Jan 3 18:15:29 EST 2009


Hello Everyone and Happy New Year!

Referencing existing sid 2008803, I think it might be useful to either
add the IPs for whatismyip.com to the sig, create a new sig with those
IPs added, or create an all-new rule. It seems to be common for some
nasties to check their exit Internet IPs. Obviously there are
legitimate uses for these sites, but having a sig like this might be a
good marker for further research. Here is one search result concerning
whatismyip.com:
http://threatexpert.com/reports.aspx?find=whatismyip.com


My first proposal is to create a new sig for just whatismyip.com; this
is based on sid 2008803 with the IPs changed, a new msg and a new reference:

alert tcp $HOME_NET any ->
[72.233.89.198,72.233.89.199,72.233.89.200] $HTTP_PORTS
(msg:"ET TROJAN Possible Infection Obtaining Internet IP";
flow:to_server; classtype:trojan-activity;
reference:url,threatexpert.com/reports.aspx?find=whatismyip.com;
threshold:type both, count 5, seconds 60, track by_src;
sid:xxxxxxxx; rev:1;)


My second proposal is to simply update sig 2008803: change the
description, update the IP for www.whatsmyipaddress.com, update the IP
for getmyip.co.uk, add the IPs for whatismyip.com, and add a new
reference:

alert tcp $HOME_NET any -> [66.114.124.141,81.144.213.187,
75.126.138.202,72.249.118.38,208.78.69.70,204.13.249.70,208.78.68.70,72.233.89.198,72.233.89.199,72.233.89.200]
$HTTP_PORTS (msg:"ET TROJAN Possible Infection Obtaining Internet IP";
flow:to_server; classtype:trojan-activity;
reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A;
reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml;
reference:url,threatexpert.com/reports.aspx?find=whatismyip.com;
threshold:type both, count 5, seconds 60, track by_src; sid:2008803; rev:3;)

Lastly, and this is my preference, perhaps an all-new rule would be best
here; sigs based on IPs are obviously the most efficient, but it's a
moving target. What do y'all think about making a rule using pcre that
looks for all of those Hosts? I know that PCREs are inefficient, but
maybe it's the best way to go here. I added an extra content search for
"ip" since all the hosts have that two-letter string; perhaps that will
lessen the load a bit. Thoughts?

Here is my proposal for that rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Possible Infection Obtaining Internet IP";
flow:to_server,established;
content:"Host|3A|"; nocase; content:"ip"; distance:0; nocase;
pcre:"/^Host\x3a[^\r\n]*(whatismyip\x2Ecom|checkip\x2Edyndns\x2Eorg|getmyip\x2Eorg|whatsmyipaddress\x2Ecom|getmyip\x2Eco\x2Euk)/smi";
reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A;
reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml;
reference:url,threatexpert.com/reports.aspx?find=whatismyip.com;
classtype:trojan-activity; sid:XXXXXXXXXXXXXXXXXXXX; rev:1;)

Let me know what you think. Also, are there other common IP-checking
sites that should be added?

Cheers!
Bob
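As an added illustration (not part of Bob's post or of the ET ruleset), here is a Python re-implementation of the matching logic in the third proposal above, plus a simplified model of the `threshold:type both, count 5, seconds 60, track by_src` option used by the first two. It shows why the cheap `content:"Host|3A|"` / `content:"ip"; distance:0` checks run before the regex, how the `/smi` flags and `^` anchor behave on real request bytes, and when the threshold actually fires. The hostnames come from the pcre in the post; the sample requests and the source address 10.0.0.5 are constructed for the demo.

```python
import re
import time

# Hostnames taken from the proposed pcre, in the same order.
IP_CHECK_HOSTS = (
    b"whatismyip.com",
    b"checkip.dyndns.org",
    b"getmyip.org",
    b"whatsmyipaddress.com",
    b"getmyip.co.uk",
)

# Equivalent of pcre:"/^Host\x3a[^\r\n]*(...)/smi": re.M makes ^ match at
# each line start, re.I gives the case-insensitivity, re.S the 's' flag.
# re.escape writes the dots as "\." instead of "\x2E"; same meaning.
HOST_RE = re.compile(
    rb"^Host\x3a[^\r\n]*(" + b"|".join(re.escape(h) for h in IP_CHECK_HOSTS) + rb")",
    re.S | re.M | re.I,
)


def check_request(payload: bytes):
    """Return the matched hostname (lowercased str) or None.

    Mirrors the rule's ordering: the two inexpensive content checks run
    first ("Host:" anywhere, then "ip" somewhere after it, both nocase),
    and the regex is only evaluated when both pass.
    """
    lower = payload.lower()
    host_at = lower.find(b"host:")
    if host_at < 0:
        return None
    # content:"ip"; distance:0 -> "ip" must start at or after the end of "Host:"
    if lower.find(b"ip", host_at + len(b"host:")) < 0:
        return None
    m = HOST_RE.search(payload)
    if m is None:
        return None
    return m.group(1).lower().decode()


class SourceThreshold:
    """Simplified model of 'threshold:type both, count N, seconds S, track by_src':
    alert once per S-second window, and only once N events from the same
    source have been seen inside that window."""

    def __init__(self, count=5, seconds=60):
        self.count = count
        self.seconds = seconds
        self._state = {}  # src -> (window_start, events_seen, already_alerted)

    def event(self, src, now=None):
        now = time.time() if now is None else now
        start, seen, alerted = self._state.get(src, (now, 0, False))
        if now - start >= self.seconds:  # window expired: start a fresh one
            start, seen, alerted = now, 0, False
        seen += 1
        fire = seen >= self.count and not alerted
        if fire:
            alerted = True
        self._state[src] = (start, seen, alerted)
        return fire


# Constructed sample requests, not captured traffic.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: www.whatismyip.com\r\nUser-Agent: x\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: CheckIP.DynDNS.org\r\nConnection: close\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: getmyip.co.uk\r\n\r\n",
]


def scan(requests, src="10.0.0.5", start=0.0, threshold=None):
    """Run each request through the matcher and the per-source threshold,
    one request per second; return the (offset_seconds, hostname) pairs
    that would actually produce an alert."""
    th = threshold or SourceThreshold()
    alerts = []
    for i, req in enumerate(requests):
        host = check_request(req)
        if host is None:
            continue
        t = start + i
        if th.event(src, t):
            alerts.append((t, host))
    return alerts


if __name__ == "__main__":
    # Three matching requests: below the count, so nothing fires.
    print("single pass:", scan(SAMPLE_REQUESTS))
    # Six matching requests inside one window: one alert on the fifth.
    print("double pass:", scan(SAMPLE_REQUESTS * 2))
```

One thing the demo makes visible: because the alternation has no terminating anchor, `Host: whatismyip.com.example.net` also matches, exactly as the pcre in the post would. If that is not the intent, appending something like `(\x3a|\r|\n|$)` after the group would tighten it.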
