[Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new

Darren Spruell phatbuckett at gmail.com
Wed Jan 28 03:50:05 EST 2009


Picked up a Gozi infected host chatting with controller and noticed a
few of the rules could do with an overhaul and a couple more could be
added in for POST operations not detected. The base rules were
2003509/2003510/2003511 but I thought there were a couple of issues:

- the rules have a content match where a trailing '?' is specified but
are then followed by a pcre where it is missing. The communication
I've got has no trailing question mark on the POSTs.
- the rules seem needlessly heavy on pcre. I substituted content
matches instead.

# update to 2003511
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Form Data Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/forms.cgi"; depth:23; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003511; rev:3;)
# new rule for POSTs of private store data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Private Store Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/pstore.cgi"; depth:24; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:XXXXXXX; rev:1;)
# new rule for POSTs of screenshot (JPEG) data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Screen Capture Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/ss.cgi"; depth:20; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:XXXXXXX; rev:1;)


There's room for improvement with tightening these down if needed by
anchoring the content matches or adding additional payload. Obfuscated
requests included below.


--- snip forms.cgi ---
  0x0000:  4500 02a1 1c37 4000 7a06 d19f 83c9 b0a0  E....7 at .z.......
  0x0010:  4dde 8e38 04f3 0050 a837 99c8 e53f 91bf  M..8...P.7...?..
  0x0020:  5018 fc00 21df 0000 504f 5354 202f 6367  P...!...POST./cg
  0x0030:  692d 6269 6e2f 666f 726d 732e 6367 6920  i-bin/forms.cgi.
  0x0040:  4854 5450 2f31 2e31 0d0a 436f 6e74 656e  HTTP/1.1..Conten
  0x0050:  742d 5479 7065 3a20 6d75 6c74 6970 6172  t-Type:.multipar
  0x0060:  742f 666f 726d 2d64 6174 613b 2062 6f75  t/form-data;.bou
  0x0070:  6e64 6172 793d 2d2d 2d2d 2d2d 2d2d 2d2d  ndary=----------
  0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
  0x0090:  3031 3430 3062 3266 3038 6237 0d0a 5573  01400b2f08b7..Us
  0x00a0:  6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c  er-Agent:.Mozill
  0x00b0:  612f 342e 3020 2863 6f6d 7061 7469 626c  a/4.0.(compatibl
  0x00c0:  653b 204d 5349 4520 362e 303b 2057 696e  e;.MSIE.6.0;.Win
  0x00d0:  646f 7773 204e 5420 352e 3129 0d0a 486f  dows.NT.5.1)..Ho
  0x00e0:  7374 3a20 3737 2e32 3232 2e31 3432 2e35  st:.77.222.142.5
  0x00f0:  360d 0a43 6f6e 7465 6e74 2d4c 656e 6774  6..Content-Lengt
  0x0100:  683a 2033 3538 0d0a 436f 6e6e 6563 7469  h:.358..Connecti
  0x0110:  6f6e 3a20 4b65 6570 2d41 6c69 7665 0d0a  on:.Keep-Alive..
  0x0120:  4361 6368 652d 436f 6e74 726f 6c3a 206e  Cache-Control:.n
  0x0130:  6f2d 6361 6368 650d 0a0d 0a2d 2d2d 2d2d  o-cache....-----
  0x0140:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
  0x0150:  2d2d 2d2d 2d2d 2d30 3134 3030 6232 6630  -------01400b2f0
  0x0160:  3862 370d 0a43 6f6e 7465 6e74 2d44 6973  8b7..Content-Dis
  0x0170:  706f 7369 7469 6f6e 3a20 666f 726d 2d64  position:.form-d
  0x0180:  6174 613b 206e 616d 653d 2275 706c 6f61  ata;.name="uploa
  0x0190:  645f 6669 6c65 223b 2066 696c 656e 616d  d_file";.filenam
  0x01a0:  653d 2233 3333 3732 3230 3734 392e 3030  e="3337220749.00
  0x01b0:  3032 220d 0a43 6f6e 7465 6e74 2d54 7970  02"..Content-Typ
  0x01c0:  653a 2061 7070 6c69 6361 7469 6f6e 2f6f  e:.application/o
  0x01d0:  6374 6574 2d73 7472 6561 6d0d 0a0d 0a55  ctet-stream....U
  0x01e0:  524c 3a20 6874 7470 733a 2f2f xxxx xxxx  RL:.https://xxxx
  0x01f0:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
  0x0200:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
  0x0210:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
  0x0220:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
  0x0230:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
  0x0240:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
  0x0250:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
  0x0260:  6564 6972 6563 742e 6e73 6625 3346 4f70  edirect.nsf%3FOp
  0x0270:  656e 0a0d 0a2d 2d2d 2d2d 2d2d 2d2d 2d2d  en...-----------
  0x0280:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
  0x0290:  2d30 3134 3030 6232 6630 3862 372d 2d0d  -01400b2f08b7--.
  0x02a0:  0a
--- snip ---


--- snip pstore.cgi ---
  0x0000:  4500 013d 01c6 4000 7a06 ed74 83c9 b0a0  E..=.. at .z..t....
  0x0010:  4dde 8e38 043b 0050 9534 9b64 59fd a004  M..8.;.P.4.dY...
  0x0020:  5018 fc00 c3af 0000 504f 5354 202f 6367  P.......POST./cg
  0x0030:  692d 6269 6e2f 7073 746f 7265 2e63 6769  i-bin/pstore.cgi
  0x0040:  2048 5454 502f 312e 310d 0a43 6f6e 7465  .HTTP/1.1..Conte
  0x0050:  6e74 2d54 7970 653a 206d 756c 7469 7061  nt-Type:.multipa
  0x0060:  7274 2f66 6f72 6d2d 6461 7461 3b20 626f  rt/form-data;.bo
  0x0070:  756e 6461 7279 3d2d 2d2d 2d2d 2d2d 2d2d  undary=---------
  0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
  0x0090:  2d31 6535 3830 6534 3930 3537 350d 0a55  -1e580e490575..U
  0x00a0:  7365 722d 4167 656e 743a 204d 6f7a 696c  ser-Agent:.Mozil
  0x00b0:  6c61 2f34 2e30 2028 636f 6d70 6174 6962  la/4.0.(compatib
  0x00c0:  6c65 3b20 4d53 4945 2036 2e30 3b20 5769  le;.MSIE.6.0;.Wi
  0x00d0:  6e64 6f77 7320 4e54 2035 2e31 290d 0a48  ndows.NT.5.1)..H
  0x00e0:  6f73 743a 2037 372e 3232 322e 3134 322e  ost:.77.222.142.
  0x00f0:  3536 0d0a 436f 6e74 656e 742d 4c65 6e67  56..Content-Leng
  0x0100:  7468 3a20 3136 3630 0d0a 436f 6e6e 6563  th:.1660..Connec
  0x0110:  7469 6f6e 3a20 4b65 6570 2d41 6c69 7665  tion:.Keep-Alive
  0x0120:  0d0a 4361 6368 652d 436f 6e74 726f 6c3a  ..Cache-Control:
  0x0130:  206e 6f2d 6361 6368 650d 0a0d 0a         .no-cache....

  0x0000:  4500 05dc 01c7 4000 7a06 e8d4 83c9 b0a0  E..... at .z.......
  0x0010:  4dde 8e38 043b 0050 9534 9c79 59fd a004  M..8.;.P.4.yY...
  0x0020:  5010 fc00 176e 0000 2d2d 2d2d 2d2d 2d2d  P....n..--------
  0x0030:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
  0x0040:  2d2d 2d2d 3165 3538 3065 3439 3035 3735  ----1e580e490575
  0x0050:  0d0a 436f 6e74 656e 742d 4469 7370 6f73  ..Content-Dispos
  0x0060:  6974 696f 6e3a 2066 6f72 6d2d 6461 7461  ition:.form-data
  0x0070:  3b20 6e61 6d65 3d22 7570 6c6f 6164 5f66  ;.name="upload_f
  0x0080:  696c 6522 3b20 6669 6c65 6e61 6d65 3d22  ile";.filename="
  0x0090:  3333 3337 3232 3037 3439 2e30 3030 3222  3337220749.0002"
  0x00a0:  0d0a 436f 6e74 656e 742d 5479 7065 3a20  ..Content-Type:.
  0x00b0:  6170 706c 6963 6174 696f 6e2f 6f63 7465  application/octe
  0x00c0:  742d 7374 7265 616d 0d0a 0d0a 5552 4c3a  t-stream....URL:
  0x00d0:  2068 7474 703a 2f2f xxxx xxxx xx2e 636f  .http://xxxxx.co
  0x00e0:  6d2f 0a09 4c6f 6769 6e3a 20xx xxxx xxxx  m/..Login:.xxxxx
  0x00f0:  xxxx xx40 xxxx xxxx xxxx xxxx xxxx 2e63  xxx at xxxxxxxxxx.c
  0x0100:  6f6d 0a0a                                om..
--- snip ---



--- snip ss.cgi ---
  0x0000:  4500 013a 7832 4000 7a06 770b 83c9 b0a0  E..:x2 at .z.w.....
  0x0010:  4dde 8e38 09b6 0050 3536 8438 b717 9b0b  M..8...P56.8....
  0x0020:  5018 fc00 0e6d 0000 504f 5354 202f 6367  P....m..POST./cg
  0x0030:  692d 6269 6e2f 7373 2e63 6769 2048 5454  i-bin/ss.cgi.HTT
  0x0040:  502f 312e 310d 0a43 6f6e 7465 6e74 2d54  P/1.1..Content-T
  0x0050:  7970 653a 206d 756c 7469 7061 7274 2f66  ype:.multipart/f
  0x0060:  6f72 6d2d 6461 7461 3b20 626f 756e 6461  orm-data;.bounda
  0x0070:  7279 3d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ry=-------------
  0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d31 3634  -------------164
  0x0090:  6530 3465 3230 3163 360d 0a55 7365 722d  e04e201c6..User-
  0x00a0:  4167 656e 743a 204d 6f7a 696c 6c61 2f34  Agent:.Mozilla/4
  0x00b0:  2e30 2028 636f 6d70 6174 6962 6c65 3b20  .0.(compatible;.
  0x00c0:  4d53 4945 2036 2e30 3b20 5769 6e64 6f77  MSIE.6.0;.Window
  0x00d0:  7320 4e54 2035 2e31 290d 0a48 6f73 743a  s.NT.5.1)..Host:
  0x00e0:  2037 372e 3232 322e 3134 322e 3536 0d0a  .77.222.142.56..
  0x00f0:  436f 6e74 656e 742d 4c65 6e67 7468 3a20  Content-Length:.
  0x0100:  3835 3039 330d 0a43 6f6e 6e65 6374 696f  85093..Connectio
  0x0110:  6e3a 204b 6565 702d 416c 6976 650d 0a43  n:.Keep-Alive..C
  0x0120:  6163 6865 2d43 6f6e 7472 6f6c 3a20 6e6f  ache-Control:.no
  0x0130:  2d63 6163 6865 0d0a 0d0a                 -cache....

  0x0000:  4500 05dc 7833 4000 7a06 7268 83c9 b0a0  E...x3 at .z.rh....
  0x0010:  4dde 8e38 09b6 0050 3536 854a b717 9b0b  M..8...P56.J....
  0x0020:  5010 fc00 9e4e 0000 2d2d 2d2d 2d2d 2d2d  P....N..--------
  0x0030:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
  0x0040:  2d2d 2d2d 3136 3465 3034 6532 3031 6336  ----164e04e201c6
  0x0050:  0d0a 436f 6e74 656e 742d 4469 7370 6f73  ..Content-Dispos
  0x0060:  6974 696f 6e3a 2066 6f72 6d2d 6461 7461  ition:.form-data
  0x0070:  3b20 6e61 6d65 3d22 7570 6c6f 6164 5f66  ;.name="upload_f
  0x0080:  696c 6522 3b20 6669 6c65 6e61 6d65 3d22  ile";.filename="
  0x0090:  3333 3337 3232 3037 3439 2e30 3030 3222  3337220749.0002"
  0x00a0:  0d0a 436f 6e74 656e 742d 5479 7065 3a20  ..Content-Type:.
  0x00b0:  6170 706c 6963 6174 696f 6e2f 6f63 7465  application/octe
  0x00c0:  742d 7374 7265 616d 0d0a 0d0a ffd8 ffe0  t-stream........
  0x00d0:  0010 4a46 4946 0001 0101 0060 0060 0000  ..JFIF.....`.`..
--- snip ---

-- 
Darren Spruell
phatbuckett at gmail.com
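Added example (not part of the original post or the ET ruleset): a small checker that decodes the content options of the updated 2003511 rule above and runs them over the forms.cgi request reconstructed from the hex dump, which shows why a first content match carrying the trailing '?' the post mentions cannot fire on this traffic. The request bytes are reconstructed from the dump with the controller address replaced by a documentation IP, and OLD_FIRST_CONTENT is a constructed stand-in since the original 2003511 text is not quoted in the post.

```python
import re
# Reconstructed from the forms.cgi hex dump in the post (decoded to text);
# the controller address is replaced with a documentation IP (192.0.2.1).
FORMS_REQUEST = (
    b"POST /cgi-bin/forms.cgi HTTP/1.1\r\nContent-Type: multipart/form-data; "
    b"boundary=--------------------------01400b2f08b7\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: 192.0.2.1\r\nContent-Length: 358\r\nConnection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n\r\n"
)
# Detection options of the updated 2003511 rule exactly as posted (header omitted).
FORMS_RULE = (
    'content:"POST /cgi-bin/forms.cgi"; depth:23; '
    'content:"|0d 0a|Content-Type: multipart/form-data\\; boundary="; '
    'content:"|0d 0a|User-Agent\\: Mozilla/4.0 (compatible\\; MSIE 6.0\\; Windows NT 5.1)"; '
    'content:"|0d 0a|Host\\: ";'
)
# Constructed stand-in for the older first content with the trailing '?' (original text not on the page).
OLD_FIRST_CONTENT = 'content:"POST /cgi-bin/forms.cgi?"; depth:24;'

def decode_content(text):
    """Snort content string -> bytes: |0d 0a| hex runs, backslash escapes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "|":                       # |0d 0a| -> b"\r\n"
            end = text.index("|", i + 1)
            out += bytes.fromhex(text[i + 1:end].replace(" ", ""))
            i = end + 1
        elif text[i] == "\\":                    # \; \: \" -> the literal char
            out.append(ord(text[i + 1]))
            i += 2
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)

def contents(rule):
    """List of (needle, depth-or-None) for every content option in the rule."""
    return [(decode_content(m.group(1)), int(m.group(2)) if m.group(2) else None)
            for m in re.finditer(r'content:"((?:\\.|[^"\\])*)";(?:\s*depth:(\d+);)?', rule)]

def rule_matches(rule, payload):
    """Non-relative matching: depth restricts a needle to payload[:depth]."""
    return all(needle in (payload[:depth] if depth else payload)
               for needle, depth in contents(rule))

def depth_fits(rule):
    """A depth shorter than its content can never match; flag that mistake."""
    return all(depth is None or depth >= len(needle)
               for needle, depth in contents(rule))
```

Swap in the pstore.cgi or ss.cgi request from the other dumps and the corresponding rule's options to check those the same way.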
