[Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new

dxp dxp2532 at gmail.com
Fri Jan 30 14:47:49 EST 2009


Martin,
    I have posted your question to the Snort Users mailing list.  Perhaps
someone there will explain in detail.
-  

-=[ dxp ]=-
0xA3F3C6E3



On Thu, 2009-01-29 at 14:52 -0600, Holste, Martin C - DOA wrote:
> Good point, but academically speaking, can anyone say which is
> theoretically less load?  For instance, in the below example, which
> would be faster:
>  
> content:"POST "; depth:5; content:"/forms.cgi"; within:64; (or some
> other smallish integer to keep from scanning the entire flow)
>  
> or
>  
> content:"/forms.cgi HTTP"; depth:69;
>  
> or does uricontent beat them both?
>  
> Also, don't forget that Sourcefire added the http_method modifier so
> we could do:
>  
> content:"GET"; http_method; uricontent:"/forms.cgi";
>  
> In which case all of the processing would be done in the HTTP preproc.
>  
> I also thought I would mention that I've been seeing plenty of packets
> with URIs so large that they exceed the TCP MTU, and since the HTTP
> preproc does not do flows, it breaks signatures expecting to
> use content methods relying on the preproc when the pieces of the
> signature are not found in the same packet.
> 
> 
> 
> ______________________________________________________________________
> From: Salusky, William [mailto:william.salusky at corp.aol.com] 
> Sent: Thursday, January 29, 2009 2:40 PM
> To: Holste, Martin C - DOA; Emerging Threats Signatures
> Subject: RE: [Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new
> 
> 
> 
> Careful about making an assumption that Gozi URI targets would be
> rooted to the web server root directory.  The following Gozi POSTs
> would otherwise fall into the false negative category.
>  
> POST hXXp://91.211.65.11/cgi-bin/forms.cgi HTTP/1.1
> POST hXXp://91.211.65.11/cgi-bin/pstore.cgi HTTP/1.1
> POST hXXp://pull.assisback.com/cgi-bin/cert.cgi HTTP/1.1
> POST hXXp://pull.assisback.com/cgi-bin/pstore.cgi HTTP/1.1
> 
> W
> 
> 
> 
> 
> ______________________________________________________________________
> From: emerging-sigs-bounces at emergingthreats.net
> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of
> Holste, Martin C - DOA
> Sent: Thursday, January 29, 2009 3:29 PM
> To: Emerging Threats Signatures
> Subject: Re: [Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new
> 
> 
> 
> What if you combined the two parts in each rule into one content
> match:
>  
> content:"POST /forms.cgi"; depth:15;
>  
> I am hoping someone can set me straight on the Aho-Corasick
> optimization: which is better two short strings or one long string?
> I think that with Boyer-Moore one long string is supposed to be
> better, but if I read the Snort docs by Steve Sturges correctly, the
> AC algorithm will use the longest content string in the rule as the
> primary trigger for the rest of the content matches (hence the need
> for the "fast_pattern" content modifier for rules).  So would this be
> less load than the above:
>  
> content:"POST "; depth:5; content:"/forms.cgi"; within:10;
>  
> And for that matter, is a nice and cleanly anchored content search
> less load than the HTTP preprocessor's uricontent?  If anyone has
> stats on that, I think it would be really helpful.
>  
> --Martin
> 
> 
> 
> ______________________________________________________________________
> From: emerging-sigs-bounces at emergingthreats.net
> [mailto:emerging-sigs-bounces at emergingthreats.net] On Behalf Of dxp
> Sent: Thursday, January 29, 2009 2:13 PM
> To: Matt Jonkman
> Cc: Emerging Threats Signatures
> Subject: Re: [Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new
> 
> 
> 
> 
> Good point on the PCRE.  It's worth breaking this one down into three
> rules instead:
> 
> 
>         alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>         TROJAN Gozi Data Information Leakage (Forms)";
>         flow:established,to_server; content:"POST "; depth:5;
>         uricontent:"/forms.cgi"; classtype:trojan-activity;
>         sid:XXXXXX; rev:1;)
>         
>         alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>         TROJAN Gozi Data Information Leakage (PStore)";
>         flow:established,to_server; content:"POST "; depth:5;
>         uricontent:"/pstore.cgi"; classtype:trojan-activity;
>         sid:XXXXXX; rev:1;)
>         
>         alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>         TROJAN Gozi Data Information Leakage (Cert)";
>         flow:established,to_server; content:"POST "; depth:5;
>         uricontent:"/cert.cgi"; classtype:trojan-activity;
>         sid:XXXXXX; rev:1;)
> 
> 
> -  
> 
> -=[ dxp ]=-
> 0xA3F3C6E3
> 
> 
> 
> On Thu, 2009-01-29 at 13:23 -0500, Matt Jonkman wrote: 
> 
> > We can't go pcre on this, it'd be just too high a load. Have to stay
> > with the 3 separate sigs for the main ruleset, but this would be useful
> > on boxes without load issues.
> > 
> > Matt
> > 
> > dxp wrote:
> > > I just double checked on one sample I have of this trojan from October
> > > 2008 and the UAS is embedded in the binary.  However, this may change in
> > > the future and then POSTs will be missed.
> > > 
> > > I have the following sig applied on my production environment for
> > > several months now and without False Positives:
> > > 
> > >     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> > >     Gozi Form Data Information Leakage"; flow:established,to_server;
> > >     content:"POST "; depth:5;
> > >     pcre:"/\/(forms|pstore|cert)\.cgi\sHTTP\/1\.[01]\x0d\x0a/i";
> > >     classtype:trojan-activity; sid:XXXXXX; rev:1;)
> > > 
> > > 
> > > -  
> > > 
> > > -=[ dxp ]=-
> > > 0xA3F3C6E3
> > > 
> > > 
> > > 
> > > 
> > > On Wed, 2009-01-28 at 01:50 -0700, Darren Spruell wrote:
> > >> Picked up a Gozi infected host chatting with controller and noticed a
> > >> few of the rules could do with an overhaul and a couple more could be
> > >> added in for POST operations not detected. The base rules were
> > >> 2003509/2003510/2003511 but I thought there were a couple of issues:
> > >>
> > >> - the rules have a content match where a trailing '?' is specified but
> > >> are then followed by a pcre where it is missing. The communication
> > >> I've got has no trailing question mark on the POSTs.
> > >> - the rules seem needlessly heavy on pcre. I substituted content
> > >> matches instead.
> > >>
> > >> # update to 2003511
> > >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> > >> Gozi Form Data Information Leakage"; flow:to_server,established;
> > >> content:"POST /cgi-bin/forms.cgi"; depth:23; content:"|0d
> > >> 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d
> > >> 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)";
> > >> content:"|0d 0a|Host\: "; classtype:trojan-activity;
> > >> reference:url,www.secureworks.com/research/threats/gozi; sid:2003511;
> > >> rev:3;)
> > >> # new rule for POSTs of private store data
> > >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> > >> Gozi Private Store Information Leakage"; flow:to_server,established;
> > >> content:"POST /cgi-bin/pstore.cgi"; depth:24; content:"|0d
> > >> 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d
> > >> 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)";
> > >> content:"|0d 0a|Host\: "; classtype:trojan-activity;
> > >> reference:url,www.secureworks.com/research/threats/gozi; sid:XXXXXXX;
> > >> rev:1;)
> > >> # new rule for POSTs of screenshot (JPEG) data
> > >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> > >> Gozi Screen Capture Information Leakage"; flow:to_server,established;
> > >> content:"POST /cgi-bin/ss.cgi"; depth:20; content:"|0d
> > >> 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d
> > >> 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)";
> > >> content:"|0d 0a|Host\: "; classtype:trojan-activity;
> > >> reference:url,www.secureworks.com/research/threats/gozi; sid:XXXXXXX;
> > >> rev:1;)
> > >>
> > >>
> > >> There's room for improvement with tightening these down if needed by
> > >> anchoring the content matches or adding additional payload. Obfuscated
> > >> requests included below.
> > >>
> > >>
> > >> --- snip forms.cgi ---
> > >> --- snip ---
> > >>
> > >>
> > >> --- snip pstore.cgi ---
> > >> --- snip ---
> > >>
> > >>
> > >>
> > >> --- snip ss.cgi ---
> > >> --- snip ---
> > >>
> > > 
> > > 
> > > _______________________________________________
> > > Emerging-sigs mailing list
> > > Emerging-sigs at emergingthreats.net
> > > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> > 
> 
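As an added example that is not part of the thread: a small Python model of Snort 2.x `content`/`depth`/`within` windows, run over constructed request lines, to show which of the rule shapes Martin compares would miss the `/cgi-bin/` POSTs William points out. The window semantics (the whole pattern must fit inside `depth` or `within`) and the request-line split used to stand in for the HTTP preprocessor's URI buffer are my assumptions about Snort behaviour, not something the thread states.

```python
"""Model Snort-style content matching against Gozi-style request lines."""

# Constructed request lines, not captures. The cgi-bin paths mirror the
# POSTs William quoted; /forms.cgi at the web root is the shape Martin's
# single-content rule assumes.
SAMPLES = {
    "cgi_forms":  b"POST /cgi-bin/forms.cgi HTTP/1.1\r\nHost: c2.invalid\r\n\r\n",
    "cgi_pstore": b"POST /cgi-bin/pstore.cgi HTTP/1.1\r\nHost: c2.invalid\r\n\r\n",
    "root_forms": b"POST /forms.cgi HTTP/1.1\r\nHost: c2.invalid\r\n\r\n",
    "benign_get": b"GET /forms.cgi HTTP/1.1\r\nHost: www.invalid\r\n\r\n",
}


def content_match(payload, pattern, depth=None, within=None, cursor=0):
    """Absolute search (offset 0, depth) when within is None, otherwise a
    search relative to the previous match end (cursor). Returns the new
    cursor or None. As in Snort, the whole pattern must fit inside the
    window, so a within smaller than len(pattern) can never match."""
    if within is None:
        start, end = 0, (len(payload) if depth is None else depth)
    else:
        start, end = cursor, cursor + within
    idx = payload.find(pattern, start, end)  # find() keeps the match inside [start, end)
    return None if idx < 0 else idx + len(pattern)


def one_long(payload):
    """content:"POST /forms.cgi"; depth:15;"""
    return content_match(payload, b"POST /forms.cgi", depth=15) is not None


def two_short(payload, within=64):
    """content:"POST "; depth:5; content:"/forms.cgi"; within:N;"""
    cur = content_match(payload, b"POST ", depth=5)
    return cur is not None and content_match(payload, b"/forms.cgi", within=within, cursor=cur) is not None


def uricontent(payload):
    """content:"POST"; http_method; uricontent:"/forms.cgi"; using the request-line
    fields the preprocessor exposes (the URI buffer ends before " HTTP/1.1",
    so a trailing space in a uricontent pattern would never match)."""
    fields = payload.split(b"\r\n", 1)[0].split(b" ")
    return len(fields) == 3 and fields[0] == b"POST" and b"/forms.cgi" in fields[1]


def evaluate(samples=SAMPLES):
    """name -> (one_long, two_short within:64, two_short within:10, uricontent)."""
    return {name: (one_long(p), two_short(p), two_short(p, within=10), uricontent(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:11s} long={hits[0]!s:5} two/64={hits[1]!s:5} two/10={hits[2]!s:5} uri={hits[3]}")
```

The single long content and the `within:10` variant only fire on the root-level path; the `within:64` pair and the URI-buffer form catch the `/cgi-bin/` request as well, while a `within` shorter than the pattern (Martin's `within:1`) can never match.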