[Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new

Matt Jonkman jonkman at jonkmans.com
Wed Jan 28 09:11:59 EST 2009


Very good points Darren. I've modified all 3 similar to your thoughts:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Certificate Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/certs.cgi"; depth:23; uricontent:"user_id="; uricontent:"&version_id="; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Registration"; flow:to_server,established; content:"GET /cgi-bin/options.cgi"; depth:24; uricontent:"user_id="; uricontent:"&version_id="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003510; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Form Data Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/forms.cgi"; depth:23; uricontent:"user_id="; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003511; rev:3;)

Look good to all?

Matt

Darren Spruell wrote:
> On Wed, Jan 28, 2009 at 1:50 AM, Darren Spruell <phatbuckett at gmail.com> wrote:
>> Picked up a Gozi infected host chatting with controller and noticed a
>> few of the rules could do with an overhaul
> 
> Couple of other observations...
> 
> 2003510 "Gozi Registration" looks to be covered by 2002854 "Reporting
> User Activity." Actually 2003510 should be watching for requests to
> /cgi-bin/options.cgi but doesn't pick up the requests I've captured
> due to the pcre not allowing for any value to appear in the
> 'passphrase' parameter. 2002854 is general enough to pick up requests
> to options.cgi as well as cmd.cgi. Since 2003510 essentially
> duplicates another rule, seems to be broken, and is needlessly heavy
> on pcre, should it be deleted?
> 
> Sample requests for options.cgi and cmd.cgi; both detected by 2002854:
> 
> -----
> GET /cgi-bin/options.cgi?user_id=3337220749&socks=0&version_id=0002&passphrase=fkjvhsdvlksdhvlsd&crc=00000000&uptime=00:00:00:59 HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> Host: 77.222.142.56
> -----
> GET /cgi-bin/cmd.cgi?user_id=3337220749&version_id=0002&crc=00000000&passphrase=fkvjhdsvlkdshvlsd HTTP/1.1
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> Host: 77.222.142.56
> -----
> 
> 2003509 is like 2003511 (needless pcre and will probably never match
> due to the first content option specifying a '?' but the following
> pcre missing it.)
> 
> # update to 2003509
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Certificate Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/certs.cgi"; depth:23; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; rev:3;)
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
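The rules in this thread only use content, uricontent and depth for the HTTP part of the match, so the cheapest way to sanity-check them against a capture is to evaluate exactly those options. The following is an added example written for this page, not Emerging Threats or Snort code: it parses the revised 2003510 and 2003509 rules above, decodes the `|0d 0a|` hex and `\;` / `\:` escapes, and applies the Snort semantics for content (anywhere in the payload), uricontent (in the request URI) and depth:N (pattern must lie entirely within the first N payload bytes). The options.cgi and cmd.cgi requests are Darren's captures from the thread with the wrapped `HTTP/1.1` rejoined to the request line; the certs.cgi POST is constructed here, since the thread shows no capture for it. pcre, flow and the rule header are not evaluated.

```python
"""Check the content/uricontent/depth options of the Gozi rules against raw requests.

Added illustration for this thread, not Emerging Threats or Snort code. Only the
option semantics the rules above rely on are implemented:
  content      pattern must occur somewhere in the payload
  uricontent   pattern must occur in the request URI
  depth:N      the preceding pattern must lie entirely within the first N bytes
  |0d 0a|      hex bytes; \; \: \" \\ are escaped literals
"""
import re

# Rules as posted above, each on one logical line (raw strings keep the \; \: escapes).
GOZI_REGISTRATION = (
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Registration"; '
    r'flow:to_server,established; content:"GET /cgi-bin/options.cgi"; depth:24; '
    r'uricontent:"user_id="; uricontent:"&version_id="; '
    r'content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; '
    r'classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; '
    r'sid:2003510; rev:3;)'
)
GOZI_CERTS = (
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
    r'(msg:"ET TROJAN Gozi Certificate Information Leakage"; flow:to_server,established; '
    r'content:"POST /cgi-bin/certs.cgi"; depth:23; uricontent:"user_id="; uricontent:"&version_id="; '
    r'content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; '
    r'content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; '
    r'content:"|0d 0a|Host\: "; classtype:trojan-activity; '
    r'reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; rev:3;)'
)

# Darren's captured requests from the thread (request line rejoined after mail wrapping).
OPTIONS_CGI = (
    b"GET /cgi-bin/options.cgi?user_id=3337220749&socks=0&version_id=0002"
    b"&passphrase=fkjvhsdvlksdhvlsd&crc=00000000&uptime=00:00:00:59 HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: 77.222.142.56\r\n\r\n"
)
CMD_CGI = (
    b"GET /cgi-bin/cmd.cgi?user_id=3337220749&version_id=0002&crc=00000000"
    b"&passphrase=fkvjhdsvlkdshvlsd HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: 77.222.142.56\r\n\r\n"
)
# Constructed certs.cgi upload; the thread contains no capture of this request.
CERTS_CGI = (
    b"POST /cgi-bin/certs.cgi?user_id=3337220749&version_id=0002 HTTP/1.1\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: 77.222.142.56\r\n"
    b"Content-Type: multipart/form-data; boundary=----constructed\r\n\r\n"
)

# name:"quoted value"; or name:bare value;  (quoted values may contain \" and \;)
OPTION_RE = re.compile(r'(\w+):(?:"((?:[^"\\]|\\.)*)"|([^;]*));')


def decode_content(value):
    """Turn a Snort content string into the bytes it matches."""
    out = bytearray()
    i = 0
    while i < len(value):
        c = value[i]
        if c == "|":                                  # |0d 0a| hex run
            end = value.index("|", i + 1)
            out += bytes.fromhex(value[i + 1:end])
            i = end + 1
        elif c == "\\":                               # \; \: \" \\ literal
            out.append(ord(value[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


def parse_rule(rule_text):
    """Split a rule into header, plain options and an ordered list of content matchers."""
    header, _, body = rule_text.partition("(")
    body = body.rstrip().rstrip(")")
    options, matchers = {}, []
    for m in OPTION_RE.finditer(body):
        name, quoted, bare = m.group(1), m.group(2), m.group(3)
        value = quoted if quoted is not None else bare.strip()
        if name in ("content", "uricontent"):
            matchers.append({"pattern": decode_content(value), "depth": None,
                             "uri": name == "uricontent"})
        elif name == "depth":                         # modifies the preceding content
            matchers[-1]["depth"] = int(value)
        else:
            options[name] = value
    return {"header": header.strip(), "options": options, "matchers": matchers}


def request_uri(payload):
    """URI from the request line ('METHOD URI HTTP/x.y')."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def rule_matches(rule, payload):
    """True when every content/uricontent matcher is satisfied independently."""
    uri = request_uri(payload)
    for m in rule["matchers"]:
        haystack = uri if m["uri"] else payload
        if m["depth"] is not None:
            haystack = haystack[:m["depth"]]      # pattern must fit inside the first N bytes
        if m["pattern"] not in haystack:
            return False
    return True


RULES = [parse_rule(GOZI_REGISTRATION), parse_rule(GOZI_CERTS)]


def evaluate(payload):
    """Map sid -> whether the rule's content options match this request."""
    return {r["options"]["sid"]: rule_matches(r, payload) for r in RULES}


if __name__ == "__main__":
    for name, req in (("options.cgi", OPTIONS_CGI), ("cmd.cgi", CMD_CGI), ("certs.cgi", CERTS_CGI)):
        print(name, evaluate(req))
```

Running it shows 2003510 firing only on the options.cgi capture (the 24-byte depth is exactly the length of `GET /cgi-bin/options.cgi`, so the request line must start with it) and 2003509 firing only on the constructed certs.cgi POST; the cmd.cgi capture trips neither, which is consistent with Darren's note that it is 2002854 rather than these two that covers cmd.cgi.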
