[Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new

Holste, Martin C - DOA martin.holste at wisconsin.gov
Thu Jan 29 15:52:23 EST 2009


Good point, but academically speaking, can anyone say which is theoretically less load?  For instance, in the below example, which would be faster:

content:"POST "; depth:5; content:"/forms.cgi"; within:64; (or some other smallish integer to keep from scanning the entire flow)

or

content:"/forms.cgi HTTP"; depth:69;

or does uricontent beat them both?

Also, don't forget that Sourcefire added the http_method modifier so we could do:

content:"GET"; http_method; uricontent:"/forms.cgi";

In which case all of the processing would be done in the HTTP preproc.

I also thought I would mention that I've been seeing plenty of packets with URIs so large that they exceed the TCP MTU, and since the HTTP preproc does not do flows, it breaks signatures expecting to use content methods relying on the preproc when the pieces of the signature are not found in the same packet.
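Editor's added example, not from the thread or from Snort: a toy evaluator for Snort's content/depth/within modifiers, run over the forms.cgi request reconstructed from Darren's hex dump, to show which of the fragments traded back and forth above actually fire. Semantics follow the Snort 2 manual: depth bounds the search from the start of the payload, within bounds it from the end of the previous match, and the whole pattern has to fit in the resulting window, so the depth:5 and within:1 variants can never match. It also includes a constructed request with forms.cgi at the web root (the case William raises), to show which variants tolerate a different path prefix. uricontent and http_method are not modelled, since they run against the HTTP preprocessor's normalised buffers rather than the raw payload.

```python
"""
Toy implementation of Snort's content/depth/within matching (added example;
not Snort code). Used to compare the rule fragments from the thread against
the captured forms.cgi request.
"""

# Request line and headers of the forms.cgi POST, reconstructed from the hex
# dump quoted later in the thread (body omitted).
BOUNDARY = b"-" * 26 + b"01400b2f08b7"
FORMS_REQUEST = (
    b"POST /cgi-bin/forms.cgi HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=" + BOUNDARY + b"\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: 77.222.142.56\r\n"
    b"Content-Length: 358\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n\r\n"
)

# Constructed variant with the CGI at the web root (not from the capture).
ROOTED_REQUEST = FORMS_REQUEST.replace(b"/cgi-bin/forms.cgi", b"/forms.cgi")


def match_contents(payload, contents):
    """Evaluate (pattern, modifiers) pairs in rule order.

    modifiers may hold 'depth' (absolute, counted from the payload start) or
    'within' (relative, counted from the end of the previous match). Returns
    the offset just past the final match, or None if any content fails.
    """
    doe = 0  # "detect offset end": where the previous content match ended
    for pattern, mods in contents:
        if "within" in mods:
            start, end = doe, doe + mods["within"]
        else:
            start, end = 0, mods.get("depth", len(payload))
        window = payload[start:end]
        # A pattern longer than its window can never be found in it.
        idx = window.find(pattern)
        if idx < 0:
            return None
        doe = start + idx + len(pattern)
    return doe


VARIANTS = {
    # Darren's rule: full path anchored at the start of the request
    "darren_depth23": [(b"POST /cgi-bin/forms.cgi", {"depth": 23})],
    # Martin: the two parts merged into one content, keeping depth:5
    "merged_depth5": [(b"POST /forms.cgi", {"depth": 5})],
    # Martin: two contents with within:1
    "two_within1": [(b"POST ", {"depth": 5}), (b"/forms.cgi", {"within": 1})],
    # Martin: two contents with within:64
    "two_within64": [(b"POST ", {"depth": 5}), (b"/forms.cgi", {"within": 64})],
    # Martin: one longer content with a generous depth
    "long_depth69": [(b"/forms.cgi HTTP", {"depth": 69})],
}


def evaluate_all(payload):
    """Map each variant name to whether it matches the payload."""
    return {name: match_contents(payload, contents) is not None
            for name, contents in VARIANTS.items()}


if __name__ == "__main__":
    for label, payload in (("cgi-bin", FORMS_REQUEST), ("rooted", ROOTED_REQUEST)):
        print(label, evaluate_all(payload))
```

Against the captured request only Darren's anchored content, the within:64 pair and the long content with depth:69 match; against the root-level path only the last two do, which is the trade-off William's note is about: anchoring on the full path is cheap and precise but misses any other directory layout.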

________________________________
From: Salusky, William [mailto:william.salusky at corp.aol.com]
Sent: Thursday, January 29, 2009 2:40 PM
To: Holste, Martin C - DOA; Emerging Threats Signatures
Subject: RE: [Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new

Careful about making an assumption that Gozi URI targets would be rooted to the web server root directory.  The following Gozi POSTs would otherwise fall into the false negative category.

POST hXXp://91.211.65.11/cgi-bin/forms.cgi HTTP/1.1
POST hXXp://91.211.65.11/cgi-bin/pstore.cgi HTTP/1.1
POST hXXp://pull.assisback.com/cgi-bin/cert.cgi HTTP/1.1
POST hXXp://pull.assisback.com/cgi-bin/pstore.cgi HTTP/1.1
W

________________________________
From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of Holste, Martin C - DOA
Sent: Thursday, January 29, 2009 3:29 PM
To: Emerging Threats Signatures
Subject: Re: [Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new

What if you combined the two parts in each rule into one content match:

content:"POST /forms.cgi"; depth:5;

I am hoping someone can set me straight on the Aho-Corasick optimization: which is better two short strings or one long string?  I think that with Boyer-Moore one long string is supposed to be better, but if I read the Snort docs by Steve Sturges correctly, the AC algorithm will use the longest content string in the rule as the primary trigger for the rest of the content matches (hence the need for the "fast_pattern" content modifier for rules).  So would this be less load than the above:

content:"POST "; depth:5; content:"/forms.cgi"; within:1;

And for that matter, is a nice and cleanly anchored content search less load than the HTTP preprocessor's uricontent?  If anyone has stats on that, I think it would be really helpful.

--Martin
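Editor's added example, not from the thread or from Snort: a small Aho-Corasick prefilter that mimics the fast-pattern stage Martin is asking about. One content per rule goes into a single automaton, each payload is scanned once, and only the rules whose fast pattern was seen get their remaining contents evaluated. The rules are the content sets from Darren's three Gozi sigs; the requests are reconstructed from the captures plus one constructed benign multipart upload. With "longest content wins", the fast pattern for all three rules is the shared MSIE 6 User-Agent string, so every such POST makes all three rules candidates; forcing the request-line content instead (what the fast_pattern modifier is for) cuts the full evaluations to one per Gozi request and none for the benign one.

```python
"""
Aho-Corasick fast-pattern prefilter (added example; not Snort code).
"""
from collections import deque


class AhoCorasick:
    """Multi-pattern matcher over bytes; reports which pattern names occur."""

    def __init__(self, patterns):
        self.goto = [{}]       # per node: byte -> child node
        self.out = [set()]     # per node: pattern names ending here
        self.fail = [0]
        for name, pat in patterns.items():
            node = 0
            for b in pat:
                if b not in self.goto[node]:
                    self.goto.append({})
                    self.out.append(set())
                    self.fail.append(0)
                    self.goto[node][b] = len(self.goto) - 1
                node = self.goto[node][b]
            self.out[node].add(name)
        # Breadth-first failure links; depth-1 nodes fail back to the root.
        queue = deque(self.goto[0].values())
        while queue:
            r = queue.popleft()
            for b, s in self.goto[r].items():
                queue.append(s)
                f = self.fail[r]
                while f and b not in self.goto[f]:
                    f = self.fail[f]
                self.fail[s] = self.goto[f].get(b, 0)
                self.out[s] |= self.out[self.fail[s]]

    def search(self, payload):
        """Single pass over the payload; returns the set of pattern names seen."""
        node, hits = 0, set()
        for b in payload:
            while node and b not in self.goto[node]:
                node = self.fail[node]
            node = self.goto[node].get(b, 0)
            hits |= self.out[node]
        return hits


UA = b"\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
CT = b"\r\nContent-Type: multipart/form-data; boundary="
HOST = b"\r\nHost: "

# Content lists of Darren's three rules, in rule order (index 0 is the
# request-line content).
RULES = {
    "gozi_forms":  [b"POST /cgi-bin/forms.cgi", CT, UA, HOST],
    "gozi_pstore": [b"POST /cgi-bin/pstore.cgi", CT, UA, HOST],
    "gozi_ss":     [b"POST /cgi-bin/ss.cgi", CT, UA, HOST],
}


def request(path, host):
    """Request line and headers shaped like the captured Gozi POSTs."""
    return (b"POST " + path + b" HTTP/1.1"
            + CT + b"--constructed--"
            + UA
            + HOST + host + b"\r\n\r\n")


PAYLOADS = {
    "forms":  request(b"/cgi-bin/forms.cgi", b"77.222.142.56"),
    "pstore": request(b"/cgi-bin/pstore.cgi", b"77.222.142.56"),
    "ss":     request(b"/cgi-bin/ss.cgi", b"77.222.142.56"),
    # Constructed benign MSIE 6 multipart upload, not from any capture.
    "benign": request(b"/cgi-bin/upload.cgi", b"files.example.net"),
}


def select_fast_patterns(rules, index=None):
    """Longest content per rule by default (Snort's default choice); a fixed
    index instead stands in for an explicit fast_pattern modifier."""
    return {name: (contents[index] if index is not None else max(contents, key=len))
            for name, contents in rules.items()}


def scan(rules, payloads, fast_pattern_index=None):
    """Return (alerts per payload, number of full rule evaluations)."""
    ac = AhoCorasick(select_fast_patterns(rules, fast_pattern_index))
    alerts, full_evals = {}, 0
    for label, payload in payloads.items():
        candidates = ac.search(payload)
        full_evals += len(candidates)
        alerts[label] = sorted(r for r in candidates
                               if all(c in payload for c in rules[r]))
    return alerts, full_evals


if __name__ == "__main__":
    for idx in (None, 0):
        alerts, evals = scan(RULES, PAYLOADS, idx)
        print("fast pattern:", "longest" if idx is None else "request line",
              "| full evaluations:", evals, "|", alerts)
```

The alerts are identical either way; what changes is how often the slow path runs, which is the load question at the heart of the thread. The same logic applies to the pcre variant: a regex is only evaluated for rules that survive the prefilter, so its cost depends as much on the chosen fast pattern as on the regex itself.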

________________________________
From: emerging-sigs-bounces at emergingthreats.net [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of dxp
Sent: Thursday, January 29, 2009 2:13 PM
To: Matt Jonkman
Cc: Emerging Threats Signatures
Subject: Re: [Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new

Good point on the PCRE.  It's worth breaking this one down into three rules instead:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Data Information Leakage (Forms)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/forms.cgi "; classtype:trojan-activity; sid:XXXXXX; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Data Information Leakage (PStore)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/pstore.cgi "; classtype:trojan-activity; sid:XXXXXX; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Data Information Leakage (Cert)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/cert.cgi "; classtype:trojan-activity; sid:XXXXXX; rev:1;)


-

-=[ dxp ]=-
0xA3F3C6E3





On Thu, 2009-01-29 at 13:23 -0500, Matt Jonkman wrote:

We can't go pcre on this, it'd be just too high a load. Have to stay
with the 3 separate sigs for the main ruleset. but this would be useful
on boxes without load issues.

Matt

dxp wrote:
> I just double checked on one sample I have of this trojan from October
> 2008 and the UAS is embedded in the binary.  However, this may change in
> the future and then POSTs will be missed.
>
> I have the following sig applied on my production environment for
> several months now and without False Positives:
>
>     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>     Gozi Form Data Information Leakage"; flow:established,to_server;
>     content:"POST "; depth:5;
>     pcre:"/\/(forms|pstore|cert)\.cgi\sHTTP\/1\.[01]\x0d\x0a/i";
>     classtype:trojan-activity; sid:XXXXXX; rev:1;)
>
>
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
>
>
>
> On Wed, 2009-01-28 at 01:50 -0700, Darren Spruell wrote:
>> Picked up a Gozi infected host chatting with controller and noticed a
>> few of the rules could do with an overhaul and a couple more could be
>> added in for POST operations not detected. The base rules were
>> 2003509/2003510/2003511 but I thought there were a couple of issues:
>>
>> - the rules have a content match where a trailing '?' is specified but
>> are then followed by a pcre where it is missing. The communication
>> I've got has no trailing question mark on the POSTs.
>> - the rules seem needlessly heavy on pcre. I substituted content
>> matches instead.
>>
>> # update to 2003511
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> Gozi Form Data Information Leakage"; flow:to_server,established;
>> content:"POST /cgi-bin/forms.cgi"; depth:23; content:"|0d
>> 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d
>> 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)";
>> content:"|0d 0a|Host\: "; classtype:trojan-activity;
>> reference:url,www.secureworks.com/research/threats/gozi; sid:2003511;
>> rev:3;)
>> # new rule for POSTs of private store data
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> Gozi Private Store Information Leakage"; flow:to_server,established;
>> content:"POST /cgi-bin/pstore.cgi"; depth:24; content:"|0d
>> 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d
>> 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)";
>> content:"|0d 0a|Host\: "; classtype:trojan-activity;
>> reference:url,www.secureworks.com/research/threats/gozi; sid:XXXXXXX;
>> rev:1;)
>> # new rule for POSTs of screenshot (JPEG) data
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> Gozi Screen Capture Information Leakage"; flow:to_server,established;
>> content:"POST /cgi-bin/ss.cgi"; depth:20; content:"|0d
>> 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d
>> 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)";
>> content:"|0d 0a|Host\: "; classtype:trojan-activity;
>> reference:url,www.secureworks.com/research/threats/gozi; sid:XXXXXXX;
>> rev:1;)
>>
>>
>> There's room for improvement with tightening these down if needed by
>> anchoring the content matches or adding additional payload. Obfuscated
>> requests included below.
>>
>>
>> --- snip forms.cgi ---
>>   0x0000:  4500 02a1 1c37 4000 7a06 d19f 83c9 b0a0  E....7@.z.......
>>   0x0010:  4dde 8e38 04f3 0050 a837 99c8 e53f 91bf  M..8...P.7...?..
>>   0x0020:  5018 fc00 21df 0000 504f 5354 202f 6367  P...!...POST./cg
>>   0x0030:  692d 6269 6e2f 666f 726d 732e 6367 6920  i-bin/forms.cgi.
>>   0x0040:  4854 5450 2f31 2e31 0d0a 436f 6e74 656e  HTTP/1.1..Conten
>>   0x0050:  742d 5479 7065 3a20 6d75 6c74 6970 6172  t-Type:.multipar
>>   0x0060:  742f 666f 726d 2d64 6174 613b 2062 6f75  t/form-data;.bou
>>   0x0070:  6e64 6172 793d 2d2d 2d2d 2d2d 2d2d 2d2d  ndary=----------
>>   0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>   0x0090:  3031 3430 3062 3266 3038 6237 0d0a 5573  01400b2f08b7..Us
>>   0x00a0:  6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c  er-Agent:.Mozill
>>   0x00b0:  612f 342e 3020 2863 6f6d 7061 7469 626c  a/4.0.(compatibl
>>   0x00c0:  653b 204d 5349 4520 362e 303b 2057 696e  e;.MSIE.6.0;.Win
>>   0x00d0:  646f 7773 204e 5420 352e 3129 0d0a 486f  dows.NT.5.1)..Ho
>>   0x00e0:  7374 3a20 3737 2e32 3232 2e31 3432 2e35  st:.77.222.142.5
>>   0x00f0:  360d 0a43 6f6e 7465 6e74 2d4c 656e 6774  6..Content-Lengt
>>   0x0100:  683a 2033 3538 0d0a 436f 6e6e 6563 7469  h:.358..Connecti
>>   0x0110:  6f6e 3a20 4b65 6570 2d41 6c69 7665 0d0a  on:.Keep-Alive..
>>   0x0120:  4361 6368 652d 436f 6e74 726f 6c3a 206e  Cache-Control:.n
>>   0x0130:  6f2d 6361 6368 650d 0a0d 0a2d 2d2d 2d2d  o-cache....-----
>>   0x0140:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>   0x0150:  2d2d 2d2d 2d2d 2d30 3134 3030 6232 6630  -------01400b2f0
>>   0x0160:  3862 370d 0a43 6f6e 7465 6e74 2d44 6973  8b7..Content-Dis
>>   0x0170:  706f 7369 7469 6f6e 3a20 666f 726d 2d64  position:.form-d
>>   0x0180:  6174 613b 206e 616d 653d 2275 706c 6f61  ata;.name="uploa
>>   0x0190:  645f 6669 6c65 223b 2066 696c 656e 616d  d_file";.filenam
>>   0x01a0:  653d 2233 3333 3732 3230 3734 392e 3030  e="3337220749.00
>>   0x01b0:  3032 220d 0a43 6f6e 7465 6e74 2d54 7970  02"..Content-Typ
>>   0x01c0:  653a 2061 7070 6c69 6361 7469 6f6e 2f6f  e:.application/o
>>   0x01d0:  6374 6574 2d73 7472 6561 6d0d 0a0d 0a55  ctet-stream....U
>>   0x01e0:  524c 3a20 6874 7470 733a 2f2f xxxx xxxx  RL:.https://xxxx
>>   0x01f0:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>   0x0200:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>   0x0210:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>   0x0220:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>   0x0230:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>   0x0240:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>   0x0250:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>   0x0260:  6564 6972 6563 742e 6e73 6625 3346 4f70  edirect.nsf%3FOp
>>   0x0270:  656e 0a0d 0a2d 2d2d 2d2d 2d2d 2d2d 2d2d  en...-----------
>>   0x0280:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>   0x0290:  2d30 3134 3030 6232 6630 3862 372d 2d0d  -01400b2f08b7--.
>>   0x02a0:  0a
>> --- snip ---
>>
>>
>> --- snip pstore.cgi ---
>>   0x0000:  4500 013d 01c6 4000 7a06 ed74 83c9 b0a0  E..=..@.z..t....
>>   0x0010:  4dde 8e38 043b 0050 9534 9b64 59fd a004  M..8.;.P.4.dY...
>>   0x0020:  5018 fc00 c3af 0000 504f 5354 202f 6367  P.......POST./cg
>>   0x0030:  692d 6269 6e2f 7073 746f 7265 2e63 6769  i-bin/pstore.cgi
>>   0x0040:  2048 5454 502f 312e 310d 0a43 6f6e 7465  .HTTP/1.1..Conte
>>   0x0050:  6e74 2d54 7970 653a 206d 756c 7469 7061  nt-Type:.multipa
>>   0x0060:  7274 2f66 6f72 6d2d 6461 7461 3b20 626f  rt/form-data;.bo
>>   0x0070:  756e 6461 7279 3d2d 2d2d 2d2d 2d2d 2d2d  undary=---------
>>   0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>   0x0090:  2d31 6535 3830 6534 3930 3537 350d 0a55  -1e580e490575..U
>>   0x00a0:  7365 722d 4167 656e 743a 204d 6f7a 696c  ser-Agent:.Mozil
>>   0x00b0:  6c61 2f34 2e30 2028 636f 6d70 6174 6962  la/4.0.(compatib
>>   0x00c0:  6c65 3b20 4d53 4945 2036 2e30 3b20 5769  le;.MSIE.6.0;.Wi
>>   0x00d0:  6e64 6f77 7320 4e54 2035 2e31 290d 0a48  ndows.NT.5.1)..H
>>   0x00e0:  6f73 743a 2037 372e 3232 322e 3134 322e  ost:.77.222.142.
>>   0x00f0:  3536 0d0a 436f 6e74 656e 742d 4c65 6e67  56..Content-Leng
>>   0x0100:  7468 3a20 3136 3630 0d0a 436f 6e6e 6563  th:.1660..Connec
>>   0x0110:  7469 6f6e 3a20 4b65 6570 2d41 6c69 7665  tion:.Keep-Alive
>>   0x0120:  0d0a 4361 6368 652d 436f 6e74 726f 6c3a  ..Cache-Control:
>>   0x0130:  206e 6f2d 6361 6368 650d 0a0d 0a         .no-cache....
>>
>>   0x0000:  4500 05dc 01c7 4000 7a06 e8d4 83c9 b0a0  E.....@.z.......
>>   0x0010:  4dde 8e38 043b 0050 9534 9c79 59fd a004  M..8.;.P.4.yY...
>>   0x0020:  5010 fc00 176e 0000 2d2d 2d2d 2d2d 2d2d  P....n..--------
>>   0x0030:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>   0x0040:  2d2d 2d2d 3165 3538 3065 3439 3035 3735  ----1e580e490575
>>   0x0050:  0d0a 436f 6e74 656e 742d 4469 7370 6f73  ..Content-Dispos
>>   0x0060:  6974 696f 6e3a 2066 6f72 6d2d 6461 7461  ition:.form-data
>>   0x0070:  3b20 6e61 6d65 3d22 7570 6c6f 6164 5f66  ;.name="upload_f
>>   0x0080:  696c 6522 3b20 6669 6c65 6e61 6d65 3d22  ile";.filename="
>>   0x0090:  3333 3337 3232 3037 3439 2e30 3030 3222  3337220749.0002"
>>   0x00a0:  0d0a 436f 6e74 656e 742d 5479 7065 3a20  ..Content-Type:.
>>   0x00b0:  6170 706c 6963 6174 696f 6e2f 6f63 7465  application/octe
>>   0x00c0:  742d 7374 7265 616d 0d0a 0d0a 5552 4c3a  t-stream....URL:
>>   0x00d0:  2068 7474 703a 2f2f xxxx xxxx xx2e 636f  .http://xxxxx.co
>>   0x00e0:  6d2f 0a09 4c6f 6769 6e3a 20xx xxxx xxxx  m/..Login:.xxxxx
>>   0x00f0:  xxxx xx40 xxxx xxxx xxxx xxxx xxxx 2e63  xxx@xxxxxxxxxx.c
>>   0x0100:  6f6d 0a0a                                om..
>> --- snip ---
>>
>>
>>
>> --- snip ss.cgi ---
>>   0x0000:  4500 013a 7832 4000 7a06 770b 83c9 b0a0  E..:x2@.z.w.....
>>   0x0010:  4dde 8e38 09b6 0050 3536 8438 b717 9b0b  M..8...P56.8....
>>   0x0020:  5018 fc00 0e6d 0000 504f 5354 202f 6367  P....m..POST./cg
>>   0x0030:  692d 6269 6e2f 7373 2e63 6769 2048 5454  i-bin/ss.cgi.HTT
>>   0x0040:  502f 312e 310d 0a43 6f6e 7465 6e74 2d54  P/1.1..Content-T
>>   0x0050:  7970 653a 206d 756c 7469 7061 7274 2f66  ype:.multipart/f
>>   0x0060:  6f72 6d2d 6461 7461 3b20 626f 756e 6461  orm-data;.bounda
>>   0x0070:  7279 3d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ry=-------------
>>   0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d31 3634  -------------164
>>   0x0090:  6530 3465 3230 3163 360d 0a55 7365 722d  e04e201c6..User-
>>   0x00a0:  4167 656e 743a 204d 6f7a 696c 6c61 2f34  Agent:.Mozilla/4
>>   0x00b0:  2e30 2028 636f 6d70 6174 6962 6c65 3b20  .0.(compatible;.
>>   0x00c0:  4d53 4945 2036 2e30 3b20 5769 6e64 6f77  MSIE.6.0;.Window
>>   0x00d0:  7320 4e54 2035 2e31 290d 0a48 6f73 743a  s.NT.5.1)..Host:
>>   0x00e0:  2037 372e 3232 322e 3134 322e 3536 0d0a  .77.222.142.56..
>>   0x00f0:  436f 6e74 656e 742d 4c65 6e67 7468 3a20  Content-Length:.
>>   0x0100:  3835 3039 330d 0a43 6f6e 6e65 6374 696f  85093..Connectio
>>   0x0110:  6e3a 204b 6565 702d 416c 6976 650d 0a43  n:.Keep-Alive..C
>>   0x0120:  6163 6865 2d43 6f6e 7472 6f6c 3a20 6e6f  ache-Control:.no
>>   0x0130:  2d63 6163 6865 0d0a 0d0a                 -cache....
>>
>>   0x0000:  4500 05dc 7833 4000 7a06 7268 83c9 b0a0  E...x3@.z.rh....
>>   0x0010:  4dde 8e38 09b6 0050 3536 854a b717 9b0b  M..8...P56.J....
>>   0x0020:  5010 fc00 9e4e 0000 2d2d 2d2d 2d2d 2d2d  P....N..--------
>>   0x0030:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>   0x0040:  2d2d 2d2d 3136 3465 3034 6532 3031 6336  ----164e04e201c6
>>   0x0050:  0d0a 436f 6e74 656e 742d 4469 7370 6f73  ..Content-Dispos
>>   0x0060:  6974 696f 6e3a 2066 6f72 6d2d 6461 7461  ition:.form-data
>>   0x0070:  3b20 6e61 6d65 3d22 7570 6c6f 6164 5f66  ;.name="upload_f
>>   0x0080:  696c 6522 3b20 6669 6c65 6e61 6d65 3d22  ile";.filename="
>>   0x0090:  3333 3337 3232 3037 3439 2e30 3030 3222  3337220749.0002"
>>   0x00a0:  0d0a 436f 6e74 656e 742d 5479 7065 3a20  ..Content-Type:.
>>   0x00b0:  6170 706c 6963 6174 696f 6e2f 6f63 7465  application/octe
>>   0x00c0:  742d 7374 7265 616d 0d0a 0d0a ffd8 ffe0  t-stream........
>>   0x00d0:  0010 4a46 4946 0001 0101 0060 0060 0000  ..JFIF.....`.`..
>> --- snip ---
>>
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

