[Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new

Darren Spruell phatbuckett at gmail.com
Wed Jan 28 05:45:48 EST 2009

On Wed, Jan 28, 2009 at 1:50 AM, Darren Spruell <phatbuckett at gmail.com> wrote:
> Picked up a Gozi infected host chatting with controller and noticed a
> few of the rules could do with an overhaul

Couple of other observations...

2003510 "Gozi Registration" looks to be covered by 2002854 "Reporting
User Activity." Actually 2003510 should be watching for requests to
/cgi-bin/options.cgi but doesn't pick up the requests I've captured
due to the pcre not allowing for any value to appear in the
'passphrase' parameter. 2002854 is general enough to pick up requests
to options.cgi as well as cmd.cgi. Since 2003510 essentially
duplicates another rule, seems to be broken, and is needlessly heavy
on pcre, should it be deleted?

Sample requests for options.cgi and cmd.cgi; both detected by 2002854:

GET /cgi-bin/options.cgi?user_id=3337220749&socks=0&version_id=0002&passphrase=fkjvhsdvlksdhvlsd&crc=00000000&uptime=00:00:00:59
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
GET /cgi-bin/cmd.cgi?user_id=3337220749&version_id=0002&crc=00000000&passphrase=fkvjhdsvlkdshvlsd
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

2003509 is like 2003511 (needless pcre and will probably never match
due to the first content option specifying a '?' but the following
pcre missing it.)

# update to 2003509
Gozi Certificate Information Leakage"; flow:to_server,established;
content:"POST /cgi-bin/certs.cgi"; depth:23; content:"|0d
0a|Content-Type: multipart/form-data\; boundary="; content:"|0d
0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)";
content:"|0d 0a|Host\: "; classtype:trojan-activity;
reference:url,www.secureworks.com/research/threats/gozi; sid:2003509;

Darren Spruell
phatbuckett at gmail.com

More information about the Emerging-sigs mailing list