[Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new

Darren Spruell phatbuckett at gmail.com
Fri Jan 30 17:26:01 EST 2009


I dug back a bit and found where I got the certs.cgi reference from; a
new variant (controller: 91.211.65.30) that completely switches around
some of these CGI names:

--snip--
Jan 26, 2009 12:37:38.563007000 91.211.65.30    POST /cgi-bin/store.cgi
Jan 26, 2009 12:37:39.077015000 91.211.65.30    POST /cgi-bin/certs.cgi
Jan 26, 2009 12:37:39.579690000 91.211.65.30    GET /cgi-bin/data.cgi?...
Jan 26, 2009 12:37:39.581378000 91.211.65.30    GET /cgi-bin/command.cgi?...
--snip--

This is distributed as VideoPlayer_10.exe
(e7cf9c20f640cf72848281eb90595152) in German spam runs. Let me know
off list if anyone wants a sample.

DS


On Fri, Jan 30, 2009 at 1:25 PM, dxp <dxp2532 at gmail.com> wrote:
> Just to summarize what URIs are available to sig, all POSTs:
>     /forms.cgi
>     /pstore.cgi
>     /cert.cgi
>     /ss.cgi
>
> For GETs it's:
>     /cmd.cgi
>     /options.cgi
>     /file.cgi
>
> Not sure about "/file.cgi" but "/cmd.cgi" and "/options.cgi" take parameters
> which are detected by (at least last time I checked a couple of months ago):
> "ET TROJAN Gozi/Orderjack Reporting User Activity" 2002854
>
> I think anchoring with "Content-Disposition" header w/o the "filename="
> value and "Content-Type" header are good choices in this case.
>
> -
>
> -=[ dxp ]=-
> 0xA3F3C6E3
>
>
>
> On Thu, 2009-01-29 at 16:38 -0700, Darren Spruell wrote:
>
> Don't forget ss.cgi (my post 1/28), and it looks like there's also a
> file.cgi:
>
> http://ddanchev.blogspot.com/2008/01/random-js-malware-exploitation-kit.html
>
> In addition to cert.cgi I've also picked up from somewhere that
> certs.cgi has been used (trying to find the reference).
>
> I expect there to be more FPs out there; in particular I've seen forms.cgi
> used, e.g.:
>
> # yeah, it's a GET so no FP on the rule looking for POST but including
> to illustrate
> POST http://www.cowgirlartist.com/cgi-bin/forms.cgi
> GET http://www.wirespring.com/cgi-bin/forms.cgi?form=3&headline=...
> GET http://www.greenmountainenergy.com/cgi-bin/forms.cgi?form=6
> GET http://www.sullarete.com/cgi-bin/forms.cgi?form=10
> POST http://www.courtinfo.ca.gov/cgi-bin/forms.cgi
> GET http://www.nwsc.org/cgi-bin/forms.cgi?form=1
>
> ...and cmd.cgi, options.cgi, file.cgi...:
>
> GET  http://www.onlinefutureinc.com/cgi-bin/cmd.cgi?af=415398&u...
> GET  http://iquote1.neoyen.net.tw/cgi-bin/file.cgi?ARG=otcname.dat
> GET  http://www.scienceofbeingwell.net/cgi-bin/cmd.cgi?Imp=1006352
> GET  http://sescompanies.net/cgi-bin/options.cgi?id=US00...
>
> Further anchoring with the 'Content-Type: multipart...' header might
> be worth including still, or there's an opportunity to match on "URL:
> " for pstore.cgi and forms.cgi and the Content-Disposition and
> Content-Type values if helpful:
>
> ~~~~~~~~~~
> POST /cgi-bin/forms.cgi HTTP/1.1
> Content-Type: multipart/form-data;
> boundary=--------------------------01400b2f08b7
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> Host: 77.222.142.56
> Content-Length: 358
> Connection: Keep-Alive
> Cache-Control: no-cache
>
> ----------------------------01400b2f08b7
> Content-Disposition: form-data; name="upload_file";
> filename="3337220749.0002"
> Content-Type: application/octet-stream
>
> URL: https://example.org
> foo=bar
>
> ----------------------------01400b2f08b7--
> ~~~~~~~~~~
>
> DS
>
>
> On Thu, Jan 29, 2009 at 1:13 PM, dxp <dxp2532 at gmail.com> wrote:
>> Good point on the PCRE.  It's worth breaking this one down into three
>> rules instead:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Data Information Leakage (Forms)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/forms.cgi "; classtype:trojan-activity; sid:XXXXXX; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Data Information Leakage (PStore)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/pstore.cgi "; classtype:trojan-activity; sid:XXXXXX; rev:1;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Data Information Leakage (Cert)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/cert.cgi "; classtype:trojan-activity; sid:XXXXXX; rev:1;)
>>
>> -
>>
>> -=[ dxp ]=-
>> 0xA3F3C6E3
>>
>>
>>
>> On Thu, 2009-01-29 at 13:23 -0500, Matt Jonkman wrote:
>>
>> We can't go pcre on this, it'd be just too high a load. Have to stay
>> with the 3 separate sigs for the main ruleset. But this would be useful
>> on boxes without load issues.
>>
>> Matt
>>
>> dxp wrote:
>>> I just double checked on one sample I have of this trojan from October
>>> 2008 and the UAS is embedded in the binary.  However, this may change in
>>> the future and then POSTs will be missed.
>>>
>>> I have the following sig applied on my production environment for
>>> several months now and without False Positives:
>>>
>>>     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>>     Gozi Form Data Information Leakage"; flow:established,to_server;
>>>     content:"POST "; depth:5;
>>>     pcre:"/\/(forms|pstore|cert)\.cgi\sHTTP\/1\.[01]\x0d\x0a/i";
>>>     classtype:trojan-activity; sid:XXXXXX; rev:1;)
>>>
>>>
>>> -
>>>
>>> -=[ dxp ]=-
>>> 0xA3F3C6E3
>>>
>>>
>>>
>>>
>>> On Wed, 2009-01-28 at 01:50 -0700, Darren Spruell wrote:
>>>> Picked up a Gozi infected host chatting with controller and noticed a
>>>> few of the rules could do with an overhaul and a couple more could be
>>>> added in for POST operations not detected. The base rules were
>>>> 2003509/2003510/2003511 but I thought there were a couple of issues:
>>>>
>>>> - the rules have a content match where a trailing '?' is specified but
>>>> are then followed by a pcre where it is missing. The communication
>>>> I've got has no trailing question mark on the POSTs.
>>>> - the rules seem needlessly heavy on pcre. I substituted content
>>>> matches instead.
>>>>
>>>> # update to 2003511
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Form Data Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/forms.cgi"; depth:23; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003511; rev:3;)
>>>> # new rule for POSTs of private store data
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Private Store Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/pstore.cgi"; depth:24; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:XXXXXXX; rev:1;)
>>>> # new rule for POSTs of screenshot (JPEG) data
>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Screen Capture Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/ss.cgi"; depth:20; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:XXXXXXX; rev:1;)
>>>>
>>>>
>>>> There's room for improvement with tightening these down if needed by
>>>> anchoring the content matches or adding additional payload. Obfuscated
>>>> requests included below.
>>>>
>>>>
>>>> --- snip forms.cgi ---
>>>>   0x0000:  4500 02a1 1c37 4000 7a06 d19f 83c9 b0a0  E....7@.z.......
>>>>   0x0010:  4dde 8e38 04f3 0050 a837 99c8 e53f 91bf  M..8...P.7...?..
>>>>   0x0020:  5018 fc00 21df 0000 504f 5354 202f 6367  P...!...POST./cg
>>>>   0x0030:  692d 6269 6e2f 666f 726d 732e 6367 6920  i-bin/forms.cgi.
>>>>   0x0040:  4854 5450 2f31 2e31 0d0a 436f 6e74 656e  HTTP/1.1..Conten
>>>>   0x0050:  742d 5479 7065 3a20 6d75 6c74 6970 6172  t-Type:.multipar
>>>>   0x0060:  742f 666f 726d 2d64 6174 613b 2062 6f75  t/form-data;.bou
>>>>   0x0070:  6e64 6172 793d 2d2d 2d2d 2d2d 2d2d 2d2d  ndary=----------
>>>>   0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>>   0x0090:  3031 3430 3062 3266 3038 6237 0d0a 5573  01400b2f08b7..Us
>>>>   0x00a0:  6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c  er-Agent:.Mozill
>>>>   0x00b0:  612f 342e 3020 2863 6f6d 7061 7469 626c  a/4.0.(compatibl
>>>>   0x00c0:  653b 204d 5349 4520 362e 303b 2057 696e  e;.MSIE.6.0;.Win
>>>>   0x00d0:  646f 7773 204e 5420 352e 3129 0d0a 486f  dows.NT.5.1)..Ho
>>>>   0x00e0:  7374 3a20 3737 2e32 3232 2e31 3432 2e35  st:.77.222.142.5
>>>>   0x00f0:  360d 0a43 6f6e 7465 6e74 2d4c 656e 6774  6..Content-Lengt
>>>>   0x0100:  683a 2033 3538 0d0a 436f 6e6e 6563 7469  h:.358..Connecti
>>>>   0x0110:  6f6e 3a20 4b65 6570 2d41 6c69 7665 0d0a  on:.Keep-Alive..
>>>>   0x0120:  4361 6368 652d 436f 6e74 726f 6c3a 206e  Cache-Control:.n
>>>>   0x0130:  6f2d 6361 6368 650d 0a0d 0a2d 2d2d 2d2d  o-cache....-----
>>>>   0x0140:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>>   0x0150:  2d2d 2d2d 2d2d 2d30 3134 3030 6232 6630  -------01400b2f0
>>>>   0x0160:  3862 370d 0a43 6f6e 7465 6e74 2d44 6973  8b7..Content-Dis
>>>>   0x0170:  706f 7369 7469 6f6e 3a20 666f 726d 2d64  position:.form-d
>>>>   0x0180:  6174 613b 206e 616d 653d 2275 706c 6f61  ata;.name="uploa
>>>>   0x0190:  645f 6669 6c65 223b 2066 696c 656e 616d  d_file";.filenam
>>>>   0x01a0:  653d 2233 3333 3732 3230 3734 392e 3030  e="3337220749.00
>>>>   0x01b0:  3032 220d 0a43 6f6e 7465 6e74 2d54 7970  02"..Content-Typ
>>>>   0x01c0:  653a 2061 7070 6c69 6361 7469 6f6e 2f6f  e:.application/o
>>>>   0x01d0:  6374 6574 2d73 7472 6561 6d0d 0a0d 0a55  ctet-stream....U
>>>>   0x01e0:  524c 3a20 6874 7470 733a 2f2f xxxx xxxx  RL:.https://xxxx
>>>>   0x01f0:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>>   0x0200:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>>   0x0210:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>>   0x0220:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>>   0x0230:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>>   0x0240:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>>   0x0250:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>>   0x0260:  6564 6972 6563 742e 6e73 6625 3346 4f70  edirect.nsf%3FOp
>>>>   0x0270:  656e 0a0d 0a2d 2d2d 2d2d 2d2d 2d2d 2d2d  en...-----------
>>>>   0x0280:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>>   0x0290:  2d30 3134 3030 6232 6630 3862 372d 2d0d  -01400b2f08b7--.
>>>>   0x02a0:  0a
>>>> --- snip ---
>>>>
>>>>
>>>> --- snip pstore.cgi ---
>>>>   0x0000:  4500 013d 01c6 4000 7a06 ed74 83c9 b0a0  E..=..@.z..t....
>>>>   0x0010:  4dde 8e38 043b 0050 9534 9b64 59fd a004  M..8.;.P.4.dY...
>>>>   0x0020:  5018 fc00 c3af 0000 504f 5354 202f 6367  P.......POST./cg
>>>>   0x0030:  692d 6269 6e2f 7073 746f 7265 2e63 6769  i-bin/pstore.cgi
>>>>   0x0040:  2048 5454 502f 312e 310d 0a43 6f6e 7465  .HTTP/1.1..Conte
>>>>   0x0050:  6e74 2d54 7970 653a 206d 756c 7469 7061  nt-Type:.multipa
>>>>   0x0060:  7274 2f66 6f72 6d2d 6461 7461 3b20 626f  rt/form-data;.bo
>>>>   0x0070:  756e 6461 7279 3d2d 2d2d 2d2d 2d2d 2d2d  undary=---------
>>>>   0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>>   0x0090:  2d31 6535 3830 6534 3930 3537 350d 0a55  -1e580e490575..U
>>>>   0x00a0:  7365 722d 4167 656e 743a 204d 6f7a 696c  ser-Agent:.Mozil
>>>>   0x00b0:  6c61 2f34 2e30 2028 636f 6d70 6174 6962  la/4.0.(compatib
>>>>   0x00c0:  6c65 3b20 4d53 4945 2036 2e30 3b20 5769  le;.MSIE.6.0;.Wi
>>>>   0x00d0:  6e64 6f77 7320 4e54 2035 2e31 290d 0a48  ndows.NT.5.1)..H
>>>>   0x00e0:  6f73 743a 2037 372e 3232 322e 3134 322e  ost:.77.222.142.
>>>>   0x00f0:  3536 0d0a 436f 6e74 656e 742d 4c65 6e67  56..Content-Leng
>>>>   0x0100:  7468 3a20 3136 3630 0d0a 436f 6e6e 6563  th:.1660..Connec
>>>>   0x0110:  7469 6f6e 3a20 4b65 6570 2d41 6c69 7665  tion:.Keep-Alive
>>>>   0x0120:  0d0a 4361 6368 652d 436f 6e74 726f 6c3a  ..Cache-Control:
>>>>   0x0130:  206e 6f2d 6361 6368 650d 0a0d 0a         .no-cache....
>>>>
>>>>   0x0000:  4500 05dc 01c7 4000 7a06 e8d4 83c9 b0a0  E.....@.z.......
>>>>   0x0010:  4dde 8e38 043b 0050 9534 9c79 59fd a004  M..8.;.P.4.yY...
>>>>   0x0020:  5010 fc00 176e 0000 2d2d 2d2d 2d2d 2d2d  P....n..--------
>>>>   0x0030:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>>   0x0040:  2d2d 2d2d 3165 3538 3065 3439 3035 3735  ----1e580e490575
>>>>   0x0050:  0d0a 436f 6e74 656e 742d 4469 7370 6f73  ..Content-Dispos
>>>>   0x0060:  6974 696f 6e3a 2066 6f72 6d2d 6461 7461  ition:.form-data
>>>>   0x0070:  3b20 6e61 6d65 3d22 7570 6c6f 6164 5f66  ;.name="upload_f
>>>>   0x0080:  696c 6522 3b20 6669 6c65 6e61 6d65 3d22  ile";.filename="
>>>>   0x0090:  3333 3337 3232 3037 3439 2e30 3030 3222  3337220749.0002"
>>>>   0x00a0:  0d0a 436f 6e74 656e 742d 5479 7065 3a20  ..Content-Type:.
>>>>   0x00b0:  6170 706c 6963 6174 696f 6e2f 6f63 7465  application/octe
>>>>   0x00c0:  742d 7374 7265 616d 0d0a 0d0a 5552 4c3a  t-stream....URL:
>>>>   0x00d0:  2068 7474 703a 2f2f xxxx xxxx xx2e 636f  .http://xxxxx.co
>>>>   0x00e0:  6d2f 0a09 4c6f 6769 6e3a 20xx xxxx xxxx  m/..Login:.xxxxx
>>>>   0x00f0:  xxxx xx40 xxxx xxxx xxxx xxxx xxxx 2e63  xxx@xxxxxxxxxx.c
>>>>   0x0100:  6f6d 0a0a                                om..
>>>> --- snip ---
>>>>
>>>>
>>>>
>>>> --- snip ss.cgi ---
>>>>   0x0000:  4500 013a 7832 4000 7a06 770b 83c9 b0a0  E..:x2@.z.w.....
>>>>   0x0010:  4dde 8e38 09b6 0050 3536 8438 b717 9b0b  M..8...P56.8....
>>>>   0x0020:  5018 fc00 0e6d 0000 504f 5354 202f 6367  P....m..POST./cg
>>>>   0x0030:  692d 6269 6e2f 7373 2e63 6769 2048 5454  i-bin/ss.cgi.HTT
>>>>   0x0040:  502f 312e 310d 0a43 6f6e 7465 6e74 2d54  P/1.1..Content-T
>>>>   0x0050:  7970 653a 206d 756c 7469 7061 7274 2f66  ype:.multipart/f
>>>>   0x0060:  6f72 6d2d 6461 7461 3b20 626f 756e 6461  orm-data;.bounda
>>>>   0x0070:  7279 3d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ry=-------------
>>>>   0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d31 3634  -------------164
>>>>   0x0090:  6530 3465 3230 3163 360d 0a55 7365 722d  e04e201c6..User-
>>>>   0x00a0:  4167 656e 743a 204d 6f7a 696c 6c61 2f34  Agent:.Mozilla/4
>>>>   0x00b0:  2e30 2028 636f 6d70 6174 6962 6c65 3b20  .0.(compatible;.
>>>>   0x00c0:  4d53 4945 2036 2e30 3b20 5769 6e64 6f77  MSIE.6.0;.Window
>>>>   0x00d0:  7320 4e54 2035 2e31 290d 0a48 6f73 743a  s.NT.5.1)..Host:
>>>>   0x00e0:  2037 372e 3232 322e 3134 322e 3536 0d0a  .77.222.142.56..
>>>>   0x00f0:  436f 6e74 656e 742d 4c65 6e67 7468 3a20  Content-Length:.
>>>>   0x0100:  3835 3039 330d 0a43 6f6e 6e65 6374 696f  85093..Connectio
>>>>   0x0110:  6e3a 204b 6565 702d 416c 6976 650d 0a43  n:.Keep-Alive..C
>>>>   0x0120:  6163 6865 2d43 6f6e 7472 6f6c 3a20 6e6f  ache-Control:.no
>>>>   0x0130:  2d63 6163 6865 0d0a 0d0a                 -cache....
>>>>
>>>>   0x0000:  4500 05dc 7833 4000 7a06 7268 83c9 b0a0  E...x3@.z.rh....
>>>>   0x0010:  4dde 8e38 09b6 0050 3536 854a b717 9b0b  M..8...P56.J....
>>>>   0x0020:  5010 fc00 9e4e 0000 2d2d 2d2d 2d2d 2d2d  P....N..--------
>>>>   0x0030:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>>   0x0040:  2d2d 2d2d 3136 3465 3034 6532 3031 6336  ----164e04e201c6
>>>>   0x0050:  0d0a 436f 6e74 656e 742d 4469 7370 6f73  ..Content-Dispos
>>>>   0x0060:  6974 696f 6e3a 2066 6f72 6d2d 6461 7461  ition:.form-data
>>>>   0x0070:  3b20 6e61 6d65 3d22 7570 6c6f 6164 5f66  ;.name="upload_f
>>>>   0x0080:  696c 6522 3b20 6669 6c65 6e61 6d65 3d22  ile";.filename="
>>>>   0x0090:  3333 3337 3232 3037 3439 2e30 3030 3222  3337220749.0002"
>>>>   0x00a0:  0d0a 436f 6e74 656e 742d 5479 7065 3a20  ..Content-Type:.
>>>>   0x00b0:  6170 706c 6963 6174 696f 6e2f 6f63 7465  application/octe
>>>>   0x00c0:  742d 7374 7265 616d 0d0a 0d0a ffd8 ffe0  t-stream........
>>>>   0x00d0:  0010 4a46 4946 0001 0101 0060 0060 0000  ..JFIF.....`.`..
>>>> --- snip ---
>>>>



-- 
Darren Spruell
phatbuckett at gmail.com
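As an added illustration, not code from the thread or from Emerging Threats, the content-match chain the replies converge on (POST in the first five bytes, the leakage URI with no query string, the multipart Content-Type, and the part headers anchored on name="upload_file" rather than the per-sample filename) modelled in Python over constructed requests: GOZI_POST is shaped like the quoted forms.cgi capture, the two benign requests like the forms.cgi false-positive candidates listed above, and the host names, function name and sample values are my own.

```python
# Constructed sample requests (not captured traffic). GOZI_POST is modelled on the
# multipart forms.cgi request quoted in the thread; the two benign requests are shaped
# like the forms.cgi false-positive candidates Darren listed (hosts are placeholders).
GOZI_POST = (
    b"POST /cgi-bin/forms.cgi HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=--------------------------01400b2f08b7\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    b"Host: 77.222.142.56\r\n"
    b"Content-Length: 358\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"----------------------------01400b2f08b7\r\n"
    b'Content-Disposition: form-data; name="upload_file"; filename="3337220749.0002"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"URL: https://example.org\r\nfoo=bar\r\n"
    b"\r\n"
    b"----------------------------01400b2f08b7--\r\n"
)
BENIGN_GET = (b"GET /cgi-bin/forms.cgi?form=3&headline=x HTTP/1.1\r\n"
              b"Host: www.example.com\r\n\r\n")
BENIGN_POST = (b"POST /cgi-bin/forms.cgi HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 9\r\n\r\n"
               b"name=jane")

# The four POST URIs dxp listed as worth signaturing.
LEAK_URIS = (b"/forms.cgi", b"/pstore.cgi", b"/cert.cgi", b"/ss.cgi")

def matches_gozi_upload(request: bytes) -> bool:
    """Content-match chain from the thread, without pcre, in rule-option order:
    content:"POST "; depth:5, then uricontent:"/<name>.cgi " (the trailing space
    rules out a query string), the multipart Content-Type header, and the part
    headers minus the per-sample filename, plus the "URL: " marker that opens
    the stolen form data."""
    if request[:5] != b"POST ":
        return False
    request_line = request.split(b"\r\n", 1)[0]
    if not any(uri + b" " in request_line for uri in LEAK_URIS):
        return False
    head, sep, body = request.partition(b"\r\n\r\n")
    if not sep or b"\r\nContent-Type: multipart/form-data; boundary=" not in head:
        return False
    # Anchor on name="upload_file" and the octet-stream part type; the filename
    # changes between samples, so it is deliberately not part of the match.
    return (b'\r\nContent-Disposition: form-data; name="upload_file"; filename="' in body
            and b"\r\nContent-Type: application/octet-stream\r\n\r\nURL: " in body)
```

Swapping the filename or the URI for pstore.cgi still matches, while a GET with a query string or a plain urlencoded POST to a site's own forms.cgi does not.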

