[Emerging-Sigs] TROJAN Infection Checking Internet IP

Matt Jonkman jonkman at jonkmans.com
Sun Jan 4 07:25:32 EST 2009


I really like the idea of sigs for the IP checking sites. There are a
bunch, but I think it'd be manageable to get the major ones used by the
majority of malware.

Is anyone aware of legitimate apps that use these sites? Other than home
users, tech support guys, etc. Any reason these sigs would false
positive more than they'd be useful?

Matt

RPG wrote:
> Hello Everyone and Happy New Year!
> 
> Referencing existing sid 2008803, I think it might be useful to either
> add the IPs for whatismyip.com to the sig, create a new sig with those
> IPs added, or create an all-new rule. It seems to be common for some
> nasties to check their exit Internet IPs. Obviously there are
> legitimate uses for these sites, but having a sig like this might be a
> good marker for further research. Here is one search result concerning
> whatismyip.com:
> http://threatexpert.com/reports.aspx?find=whatismyip.com
> 
> 
> My first proposal is to create a new sig for just whatismyip.com. This
> is based on sid 2008803 with the IPs changed, a new msg and a new reference:
> 
> alert tcp $HOME_NET any ->
> [72.233.89.198,72.233.89.199,72.233.89.200] $HTTP_PORTS
> (msg:"ET TROJAN Possible Infection Obtaining Internet IP";
> flow:to_server; classtype:trojan-activity;
> reference:url,threatexpert.com/reports.aspx?find=whatismyip.com;
> threshold:type both, count 5, seconds 60, track by_src;
> sid:xxxxxxxx; rev:1;)
> 
> 
> My second proposal is to simply update sig 2008803:
> changed the description,
> updated the IP for www.whatsmyipaddress.com,
> updated the IP for getmyip.co.uk,
> added the IPs for whatismyip.com,
> and added a new reference.
> 
> alert tcp $HOME_NET any -> [66.114.124.141,81.144.213.187,
> 75.126.138.202,72.249.118.38,208.78.69.70,204.13.249.70,208.78.68.70,72.233.89.198,72.233.89.199,72.233.89.200]
> $HTTP_PORTS (msg:"ET TROJAN Possible Infection Obtaining Internet IP";
> flow:to_server; classtype:trojan-activity;
> reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A;
> reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml;
> reference:url,threatexpert.com/reports.aspx?find=whatismyip.com;
> threshold:type both, count 5, seconds 60, track by_src; sid:2008803; rev:3;)
> 
> Lastly, and this is my preference, perhaps an all-new rule would be best
> here. Sigs based on IPs are obviously the most efficient, but it's a
> moving target. What do y'all think about making a rule using pcre that
> looks for all of those Hosts? I know that pcres are inefficient, but
> maybe it's the best way to go here. I added an extra content search for
> "ip" since all the hosts have that 2-letter string; perhaps that will
> lessen the load a bit. Thoughts?
> 
> Here is my proposal for that rule:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Possible Infection Obtaining Internet IP";
> flow:to_server,established;
> content:"Host|3A|"; nocase; content:"ip"; distance:0; nocase;
> pcre:"/^Host\x3a[^\r\n]*(whatismyip\x2Ecom|checkip\x2Edyndns\x2Eorg|getmyip\x2Eorg|whatsmyipaddress\x2Ecom|getmyip\x2Eco\x2Euk)/smi";
> reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A;
> reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml;
> reference:url,threatexpert.com/reports.aspx?find=whatismyip.com;
> classtype:trojan-activity; sid:XXXXXXXXXXXXXXXXXXXX; rev:1;)
> 
> Let me know what you think.  Also, are there other common ip-checking
> sites that should be added?
> 
> Cheers!
> Bob
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
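An added worked example (editor's code, not Bob's proposal or anything from the Emerging Threats rule set) that approximates the match chain of the third proposed rule in Python: the two `content` prefilters, the `pcre` on the Host line, and the `threshold:type both, count 5, seconds 60, track by_src` behaviour carried over from sid 2008803. It runs over a handful of constructed HTTP requests so the questions raised in the thread can be checked offline: a legitimate host that happens to contain "ip" passes the cheap prefilter but is rejected by the pcre, a site name that appears only in the URI does not fire, the unanchored alternation also matches a longer host that merely starts with one of the domains, and a single one-off lookup never reaches the threshold while a host polling every 10 seconds alerts once per window. The threshold class is an approximation of the Snort semantics, and all addresses, timestamps and requests are constructed.

```python
import re

# Same alternation and /smi flags as the pcre in the proposed rule.
IP_CHECK_HOST_RE = re.compile(
    rb"^Host\x3a[^\r\n]*(whatismyip\x2Ecom|checkip\x2Edyndns\x2Eorg|getmyip\x2Eorg"
    rb"|whatsmyipaddress\x2Ecom|getmyip\x2Eco\x2Euk)",
    re.S | re.M | re.I,
)


def matches_ip_check_rule(request: bytes) -> bool:
    r"""Approximate the rule's match chain on one client-to-server HTTP request.

    content:"Host|3A|"; nocase        -> 'host:' anywhere in the payload
    content:"ip"; distance:0; nocase  -> 'ip' somewhere after that match
    pcre:"/^Host\x3a...(sites)/smi"   -> a Host line naming one of the sites
    """
    lower = request.lower()
    host_at = lower.find(b"host:")
    if host_at < 0:
        return False
    # distance:0 starts the second content search right after the first match.
    if lower.find(b"ip", host_at + len(b"host:")) < 0:
        return False
    return IP_CHECK_HOST_RE.search(request) is not None


class ThresholdBoth:
    """Approximation (assumption, not Snort's code) of
    'threshold:type both, count N, seconds S, track by_src': per source,
    alert once per S-second window and only after N matching events have
    been seen in that window; further events in the window are suppressed."""

    def __init__(self, count: int, seconds: int):
        self.count = count
        self.seconds = seconds
        self._windows = {}  # src -> [window_start, events_seen, alerted]

    def event(self, src: str, ts: float) -> bool:
        win = self._windows.get(src)
        if win is None or ts - win[0] >= self.seconds:
            win = [ts, 0, False]  # open a fresh window for this source
            self._windows[src] = win
        win[1] += 1
        if win[1] >= self.count and not win[2]:
            win[2] = True
            return True
        return False


def simulate(events, count: int = 5, seconds: int = 60):
    """events: iterable of (ts, src, raw_request); returns the timestamps
    at which an alert would fire after thresholding."""
    thr = ThresholdBoth(count, seconds)
    fired = []
    for ts, src, req in events:
        if matches_ip_check_rule(req) and thr.event(src, ts):
            fired.append(ts)
    return fired


# Constructed traffic: 10.0.0.5 polls whatismyip.com every 10 s for 100 s;
# 10.0.0.6 looks it up once and otherwise talks to a host that merely
# contains the string "ip".
LOOKUP = b"GET / HTTP/1.1\r\nHost: www.whatismyip.com\r\n\r\n"
BENIGN = b"GET /track HTTP/1.1\r\nHost: shipping.example.com\r\n\r\n"
SAMPLE_EVENTS = (
    [(t, "10.0.0.5", LOOKUP) for t in range(0, 100, 10)]
    + [(3, "10.0.0.6", LOOKUP)]
    + [(t, "10.0.0.6", BENIGN) for t in range(5, 65, 5)]
)

if __name__ == "__main__":
    for req in (LOOKUP, BENIGN,
                b"GET /whatismyip.com HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
                b"GET / HTTP/1.1\r\nHost: whatismyip.com.example.net\r\n\r\n"):
        print(matches_ip_check_rule(req), req.split(b"\r\n")[1].decode())
    print("alerts fire at", simulate(SAMPLE_EVENTS))
```

The last sample request shows why the pcre's alternation deserves a terminator such as `(\r\n|:|$)` before it ships: without one, any host that begins with one of the listed domains matches. The threshold run shows the other side of Matt's false-positive question: with `count 5, seconds 60` a single lookup from a support technician never alerts, while repeated polling does, once per window.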



