[Emerging-Sigs] Hupigon sigs

Darren Spruell phatbuckett at gmail.com
Thu Jan 15 16:35:46 EST 2009


Have come across these goodies:

-----
....<GR>HCS..</GR><IM>25</IM><NA>IE03DTXP15633</NA><CS>....</CS><OS>WinXP</OS><CPU>2527
MHz</CPU><MEM>2004MB</MEM><SP>......</SP><BZ>........</BZ>

  0000: 4500 00ba b754 4000 7806 a2a0 c73f 955d  E..º·T@.x.¢ Ç?.]
  0010: 89a0 c20b 0702 2260 0635 7b8e 7787 b398  . Â..."`.5{.w.³.
  0020: 5018 ffe0 8ad1 0000 0000 008e 3c47 523e  P.ÿà.Ñ......<GR>
  0030: 4843 53d7 e93c 2f47 523e 3c49 4d3e 3235  HCS×é</GR><IM>25
  0040: 3c2f 494d 3e3c 4e41 3e49 4530 3344 5458  </IM><NA>IE03DTX
  0050: 5031 3536 3333 3c2f 4e41 3e3c 4353 3ec4  P15633</NA><CS>Ä
  0060: dacd f83c 2f43 533e 3c4f 533e 5769 6e58  ÚÍø</CS><OS>WinX
  0070: 503c 2f4f 533e 3c43 5055 3e32 3532 3720  P</OS><CPU>2527
  0080: 4d48 7a3c 2f43 5055 3e3c 4d45 4d3e 3230  MHz</CPU><MEM>20
  0090: 3034 4d42 3c2f 4d45 4d3e 3c53 503e cede  04MB</MEM><SP>ÎÞ
  00a0: cad3 c6b5 3c2f 5350 3e3c 425a 3eb1 b8d7  ÊÓƵ</SP><BZ>±¸×
  00b0: a2c4 dac8 dd3c 2f42 5a3e                 ¢ÄÚÈÝ</BZ>

...s<NAI>IE99LT4LD5T1S</NAI><CSI>....</CSI><OSI>WinXP</OSI><CPUI>225.50
MHz</CPUI><MEMI>1013MB</MEMI><BZI>12..9..</BZI>

  0000: 4500 009f 1f9c 0000 7706 9e13 ac1b 8de2  E.......w...¬..â
  0010: 89a0 c20b 0feb 1ff5 553c 91c4 a673 8cde  . Â..ë.õU<.Ħs.Þ
  0020: 5018 ffe0 091e 0000 0000 0073 3c4e 4149  P.ÿà.......s<NAI
  0030: 3e49 4539 394c 5434 4c44 3554 3153 3c2f  >IE99LT4LD5T1S</
  0040: 4e41 493e 3c43 5349 3ec4 dacd f83c 2f43  NAI><CSI>ÄÚÍø</C
  0050: 5349 3e3c 4f53 493e 5769 6e58 503c 2f4f  SI><OSI>WinXP</O
  0060: 5349 3e3c 4350 5549 3e32 3235 2e35 3020  SI><CPUI>225.50
  0070: 4d48 7a3c 2f43 5055 493e 3c4d 454d 493e  MHz</CPUI><MEMI>
  0080: 3130 3133 4d42 3c2f 4d45 4d49 3e3c 425a  1013MB</MEMI><BZ
  0090: 493e 3132 d4c2 39c8 d53c 2f42 5a49 3e    I>12ÔÂ9ÈÕ</BZI>

-----

I caught the documentation on this at
http://doc.emergingthreats.net/bin/view/Main/TrojanDropper497. I see
the malware identified as Hupigon from other sources. Looks like
2007918 is designed to match the first one:

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
Dropper-497 (Yumato) System Stats Report"; flow:established,to_server;
content:"|00 00 00 83|"; depth:4; content:"<CPU>"; content:"</CPU><";
distance:0; content:"<MEM>"; content:"</MEM><"; distance:0;
classtype:trojan-activity;
reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497;
sid:2007918; rev:1;)

...although I have to wonder if the match would work correctly:
wouldn't the 'content:"<CPU>"; content:"</CPU><"; distance:0;' matches
only hit on '<CPU></CPU><' due to the distance:0? (i.e. empty tag
value?)

I've also extracted out the first 4 bytes of payload for each request
in our pcaps and the fourth byte varies (counts included to illustrate
frequency):

2120   00 00 00 8e
1815   00 00 00 8d
1463   00 00 00 8b
 632   00 00 00 8c
 209   00 00 00 8f
 182   00 00 00 95
  26   00 00 00 8a
  11   00 00 00 94

I don't know if this means that the fourth byte is "too" variable to
match on or if we can just pcre the values we've encountered above (or
a range, or whatever). At any rate the existing sig doesn't catch any
of the cases we've encountered.

The second variant adds an "I" to the tag names and changes the first
four bytes to |00 00 00 72|, |00 00 00 73|, and |00 00 00 74| for the
communications we've seen. By frequency:

 218   00 00 00 73
  95   00 00 00 74
  64   00 00 00 72

A single host sends packets with any of these values:

  00 00 00 72 3c 4e 41 49    3e 49 45 39 39 4c 54 34    ...r<NAI>IE99LT4
  4c 44 35 54 31 53 3c 2f    4e 41 49 3e 3c 43 53 49    LD5T1S</NAI><CSI
  3e c4 da cd f8 3c 2f 43    53 49 3e 3c 4f 53 49 3e    >ÄÚÍø</CSI><OSI>
  57 69 6e 58 50 3c 2f 4f    53 49 3e 3c 43 50 55 49    WinXP</OSI><CPUI
  3e 34 36 2e 35 39 20 4d    48 7a 3c 2f 43 50 55 49    >46.59 MHz</CPUI
  3e 3c 4d 45 4d 49 3e 31    30 31 33 4d 42 3c 2f 4d    ><MEMI>1013MB</M
  45 4d 49 3e 3c 42 5a 49    3e 31 32 d4 c2 39 c8 d5    EMI><BZI>12ÔÂ9ÈÕ
  3c 2f 42 5a 49 3e                                     </BZI>

  00 00 00 73 3c 4e 41 49    3e 49 45 39 39 4c 54 34    ...s<NAI>IE99LT4
  4c 44 35 54 31 53 3c 2f    4e 41 49 3e 3c 43 53 49    LD5T1S</NAI><CSI
  3e c4 da cd f8 3c 2f 43    53 49 3e 3c 4f 53 49 3e    >ÄÚÍø</CSI><OSI>
  57 69 6e 58 50 3c 2f 4f    53 49 3e 3c 43 50 55 49    WinXP</OSI><CPUI
  3e 33 36 38 2e 32 33 20    4d 48 7a 3c 2f 43 50 55    >368.23 MHz</CPU
  49 3e 3c 4d 45 4d 49 3e    31 30 31 33 4d 42 3c 2f    I><MEMI>1013MB</
  4d 45 4d 49 3e 3c 42 5a    49 3e 31 32 d4 c2 39 c8    MEMI><BZI>12ÔÂ9È
  d5 3c 2f 42 5a 49 3e                                  Õ</BZI>

  00 00 00 74 3c 4e 41 49    3e 49 45 39 39 4c 54 34    ...t<NAI>IE99LT4
  4c 44 35 54 31 53 3c 2f    4e 41 49 3e 3c 43 53 49    LD5T1S</NAI><CSI
  3e c4 da cd f8 3c 2f 43    53 49 3e 3c 4f 53 49 3e    >ÄÚÍø</CSI><OSI>
  57 69 6e 58 50 3c 2f 4f    53 49 3e 3c 43 50 55 49    WinXP</OSI><CPUI
  3e 31 31 38 31 2e 30 37    20 4d 48 7a 3c 2f 43 50    >1181.07 MHz</CP
  55 49 3e 3c 4d 45 4d 49    3e 31 30 31 33 4d 42 3c    UI><MEMI>1013MB<
  2f 4d 45 4d 49 3e 3c 42    5a 49 3e 31 32 d4 c2 39    /MEMI><BZI>12ÔÂ9
  c8 d5 3c 2f 42 5a 49 3e                               ÈÕ</BZI>


So, do these work?

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
Dropper-497 (Yumato) System Stats Report"; flow:established,to_server;
content:"|00 00 00|"; depth:3; content:"<CPU>"; content:"</CPU><";
content:"<MEM>"; content:"</MEM><";
pcre:"/^\x00\x00\x00([\x8a-\x8f]|[\x94-\x95])/";
classtype:trojan-activity;
reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497;
sid:2007918; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN
Dropper-497 (Yumato) System Stats Report (I-variant)";
flow:established,to_server; content:"|00 00 00|"; depth:3;
content:"<CPUI>"; content:"</CPUI><"; content:"<MEMI>";
content:"</MEMI><"; pcre:"/^\x00\x00\x00(\x72|\x73|\x74)/";
classtype:trojan-activity;
reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497;
sid:XXXXXXX; rev:1;)

-- 
Darren Spruell
phatbuckett at gmail.com
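Added example, not part of Darren's post or of the ET rule set: a Python parser for the beacon format in the dumps above, plus an emulation of the content/pcre tests in the two proposed rules so they can be tried against the captured bytes offline. The packets are transcribed from the post's own hex dumps. The assumption the code checks (derived from those dumps, not stated on the page) is that the leading four bytes are a big-endian length of the body that follows: 0x8e = 142 for the first packet's 146-byte TCP payload, 0x73 = 115 for the second, and 0x72/0x73/0x74 for the three single-host payloads, which is why the fourth byte moves with the CPU string and why a structural length check is a variant-agnostic alternative to enumerating byte values. On the `distance:0` question, Snort's `distance` sets where the relative search may begin (here, at the end of the previous match), not where it must end, so bytes are allowed between `<CPU>` and `</CPU><`; the emulation below treats the proposed rules' unmodified `content` matches as independent substring searches, which is how Snort treats contents without relative modifiers.

```python
"""Parse and test the Dropper-497 / Hupigon "system stats" beacon.

Added example; not the post's or ET's code. Assumption: the 4-byte prefix
is a big-endian length of the body (holds for every dump in the post).
"""
import re
import struct
from collections import Counter

# Full IPv4 packets transcribed from the post's hex dumps (header included).
PACKET_BASE = bytes.fromhex(
    "4500 00ba b754 4000 7806 a2a0 c73f 955d 89a0 c20b 0702 2260 0635 7b8e 7787 b398"
    "5018 ffe0 8ad1 0000 0000 008e 3c47 523e 4843 53d7 e93c 2f47 523e 3c49 4d3e 3235"
    "3c2f 494d 3e3c 4e41 3e49 4530 3344 5458 5031 3536 3333 3c2f 4e41 3e3c 4353 3ec4"
    "dacd f83c 2f43 533e 3c4f 533e 5769 6e58 503c 2f4f 533e 3c43 5055 3e32 3532 3720"
    "4d48 7a3c 2f43 5055 3e3c 4d45 4d3e 3230 3034 4d42 3c2f 4d45 4d3e 3c53 503e cede"
    "cad3 c6b5 3c2f 5350 3e3c 425a 3eb1 b8d7 a2c4 dac8 dd3c 2f42 5a3e"
)
PACKET_I = bytes.fromhex(
    "4500 009f 1f9c 0000 7706 9e13 ac1b 8de2 89a0 c20b 0feb 1ff5 553c 91c4 a673 8cde"
    "5018 ffe0 091e 0000 0000 0073 3c4e 4149 3e49 4539 394c 5434 4c44 3554 3153 3c2f"
    "4e41 493e 3c43 5349 3ec4 dacd f83c 2f43 5349 3e3c 4f53 493e 5769 6e58 503c 2f4f"
    "5349 3e3c 4350 5549 3e32 3235 2e35 3020 4d48 7a3c 2f43 5055 493e 3c4d 454d 493e"
    "3130 3133 4d42 3c2f 4d45 4d49 3e3c 425a 493e 3132 d4c2 39c8 d53c 2f42 5a49 3e"
)
# TCP payload only (the single-host 0x72 sample from the post).
PAYLOAD_I_72 = bytes.fromhex(
    "00 00 00 72 3c 4e 41 49 3e 49 45 39 39 4c 54 34 4c 44 35 54 31 53 3c 2f 4e 41 49 3e"
    "3c 43 53 49 3e c4 da cd f8 3c 2f 43 53 49 3e 3c 4f 53 49 3e 57 69 6e 58 50 3c 2f 4f"
    "53 49 3e 3c 43 50 55 49 3e 34 36 2e 35 39 20 4d 48 7a 3c 2f 43 50 55 49 3e 3c 4d 45"
    "4d 49 3e 31 30 31 33 4d 42 3c 2f 4d 45 4d 49 3e 3c 42 5a 49 3e 31 32 d4 c2 39 c8 d5"
    "3c 2f 42 5a 49 3e"
)

# Tag names are upper-case ASCII; values are GBK text (the Chinese fields).
TAG_RE = re.compile(rb"<([A-Z]+)>(.*?)</\1>", re.DOTALL)

# Content strings and pcre from the two proposed rules, keyed by variant.
RULES = {
    "base": (rb"^\x00\x00\x00([\x8a-\x8f]|[\x94-\x95])",
             (b"<CPU>", b"</CPU><", b"<MEM>", b"</MEM><")),
    "I": (rb"^\x00\x00\x00(\x72|\x73|\x74)",
          (b"<CPUI>", b"</CPUI><", b"<MEMI>", b"</MEMI><")),
}


def tcp_payload(packet: bytes) -> bytes:
    """Strip IPv4 and TCP headers using their own length fields (IHL, data offset)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack(">H", packet[2:4])[0]
    tcp_hdr_len = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + tcp_hdr_len:total_len]


def parse_beacon(payload: bytes) -> dict:
    """Split a beacon into its declared length, length check, variant and fields."""
    declared = struct.unpack(">I", payload[:4])[0]   # assumed big-endian body length
    body = payload[4:]
    fields = {name.decode("ascii"): value.decode("gbk", errors="replace")
              for name, value in TAG_RE.findall(body)}
    return {"declared_len": declared, "length_ok": declared == len(body),
            "variant": "I" if "CPUI" in fields else "base", "fields": fields}


def proposed_rule_matches(payload: bytes) -> set:
    """Emulate the proposed rules' tests in plain Python (not Snort itself):
    |00 00 00| at depth 3, each content as an independent substring, then the pcre."""
    hits = set()
    if payload[:3] != b"\x00\x00\x00":
        return hits
    for name, (pcre, contents) in RULES.items():
        if all(c in payload for c in contents) and re.match(pcre, payload):
            hits.add(name)
    return hits


def structural_match(payload: bytes) -> bool:
    """Variant-agnostic check: zero prefix, length field equal to the body length,
    body opening with a tag, and CPU/MEM tags present with or without the I suffix."""
    if len(payload) < 8 or payload[:3] != b"\x00\x00\x00" or payload[4:5] != b"<":
        return False
    info = parse_beacon(payload)
    f = info["fields"]
    return info["length_ok"] and ("CPU" in f or "CPUI" in f) and ("MEM" in f or "MEMI" in f)


def prefix_histogram(payloads) -> Counter:
    """Count 4-byte prefixes the way the post tabulates them."""
    return Counter(p[:4] for p in payloads)


if __name__ == "__main__":
    samples = [tcp_payload(PACKET_BASE), tcp_payload(PACKET_I), PAYLOAD_I_72]
    for p in samples:
        info = parse_beacon(p)
        print(f"declared={info['declared_len']} body={len(p) - 4} ok={info['length_ok']} "
              f"rules={sorted(proposed_rule_matches(p))} structural={structural_match(p)}")
        print("  ", info["fields"])
    print(prefix_histogram(samples))
```

Running it prints the three parsed beacons with their declared and actual body lengths agreeing, the base-variant rule firing only on the first packet and the I-variant rule only on the other two, and a prefix count in the same shape as the tables in the post.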

