[Emerging-Sigs] Question about SIG 2008660 - Torpig
Packet Hack
inurbitz at yahoo.com
Thu Jan 28 23:22:45 EST 2010
Here's a sampling of hosts we've seen trip the sig over the past six weeks
(numbers are the #s of IDS hits per host):
2009-12-19 - 2009-12-25
3 209.172.57.26
3 72.51.43.97
2009-12-26 - 2010-01-01
4 209.172.57.26
14 115.124.108.153
18 72.51.43.97
2010-01-02 - 2010-01-08
52 72.51.43.97
54 115.124.108.153
2010-01-09 - 2010-01-15
65 115.124.108.153
73 72.51.43.97
2010-01-16 - 2010-01-22
25 115.124.108.153
110 72.51.43.97
2010-01-23 - present
58 72.51.34.52
60 66.135.61.80
61 72.51.43.97
Here's a quick sig to capture all traffic to/from the ips we've caught over the past 3-4 weeks:
alert tcp $HOME_NET any -> [115.124.108.153,72.51.43.97,72.51.34.52,66.135.61.80] any (msg:"UFOISC Traffic to Torpig Sigs"; tag:session,10,packets; classtype:trojan-activity; sid:XXXXXXX; rev:1;)
If there's a better way of writing the sig please let me know -- still kinda new at this :-)
--pkthck
________________________________
From: Paul Schmehl <pschmehl_lists at tx.rr.com>
To: evilghost at packetmail.net
Cc: emerging-sigs at emergingthreats.net
Sent: Thu, January 28, 2010 9:30:45 PM
Subject: Re: [Emerging-Sigs] Question about SIG 2008660 - Torpig
What I've been doing, whenever we get an alert, is to throw up a quick rule
to catch all the return traffic. Something like this:
alert tcp ip.ad.dr.es.s any -> $HOME_NET any (msg:"Possible Torpig C&C traffic"; classtype:trojan-activity; sid:1234566; rev:1;)
I don't even put the sig in sid-msg.map. Then, when I get alerts from
that IP, I examine them.
I wouldn't call the traffic encrypted. I'd call it encoded. It might be
gzip'd for all I know.
The next time I get a hit, I'll throw up that rule and send you all the
packets.
[...]
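The roll-up in the first message (hits per external host per Saturday-to-Friday week, then a tagging rule for the noisiest hosts) and the return-traffic rule in Paul's reply, worked through as an added example. This is not code from either poster: it assumes $HOME_NET is 10.0.0.0/8, that the alerts come from Snort's "fast" alert output (which logs only MM/DD, so the year is assumed to be 2010), that 1000001 and 1000002 are free sids in the local range, and the sample alert lines are constructed for the example (the internal hosts, ports and timestamps are made up; only the sid 2008660 and the external IPs come from the thread).

```python
import ipaddress
import re
from collections import Counter
from datetime import date, timedelta

HOME_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed value of $HOME_NET
LOG_YEAR = 2010  # assumed: Snort's fast alert format logs only MM/DD
TORPIG_SID = 2008660  # the sid the thread is about

# Constructed sample alerts in Snort "fast" alert format; the internal hosts,
# ports and timestamps are made up for this example. The last line is an
# unrelated alert that the roll-up must ignore.
SAMPLE_ALERTS = """\
01/04-10:15:02.123456  [**] [1:2008660:5] ET TROJAN Torpig Infection Reporting [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:49152 -> 72.51.43.97:80
01/04-10:16:40.000001  [**] [1:2008660:5] ET TROJAN Torpig Infection Reporting [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.7:49170 -> 115.124.108.153:80
01/06-23:59:59.999999  [**] [1:2008660:5] ET TROJAN Torpig Infection Reporting [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:49188 -> 72.51.43.97:80
01/11-08:00:00.000000  [**] [1:2008660:5] ET TROJAN Torpig Infection Reporting [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.5.9:51000 -> 72.51.43.97:80
01/12-08:00:01.000000  [**] [1:2008660:5] ET TROJAN Torpig Infection Reporting [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.5.9:51001 -> 72.51.43.97:80
01/12-08:05:00.000000  [**] [1:2008660:5] ET TROJAN Torpig Infection Reporting [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 72.51.43.97:80 -> 10.1.5.9:51001
01/12-09:00:00.000000  [**] [1:1000005:1] LOCAL unrelated alert [**] [Classification: Misc activity] [Priority: 3] {UDP} 10.1.2.3:5353 -> 224.0.0.251:5353
"""

ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-\S+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Parse one fast-format alert line; return None for lines that do not match."""
    m = ALERT_RE.match(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    # The "external" host is whichever side is not in $HOME_NET, so an outbound
    # beacon and the return traffic Paul's rule catches count against one IP.
    external = dst if src in HOME_NET else src
    return {
        "date": date(LOG_YEAR, int(m["mon"]), int(m["day"])),
        "sid": int(m["sid"]),
        "msg": m["msg"],
        "external": str(external),
    }


def week_start(d):
    """Start of the Saturday-to-Friday window containing d, as ISO date text."""
    return (d - timedelta(days=(d.weekday() - 5) % 7)).isoformat()


def hits_per_host_per_week(lines, sid):
    """Counter keyed by (week start, external IP) for alerts on the given sid only."""
    counts = Counter()
    for line in lines:
        rec = parse_alert(line)
        if rec is None or rec["sid"] != sid:
            continue
        counts[(week_start(rec["date"]), rec["external"])] += 1
    return counts


def report(counts):
    """Render the counts in the same layout as the table in the post."""
    out = []
    for wk in sorted({wk for wk, _ in counts}):
        end = date.fromisoformat(wk) + timedelta(days=6)
        out.append(f"{wk} - {end.isoformat()}")
        rows = sorted((n, ip) for (w, ip), n in counts.items() if w == wk)
        out.extend(f"{n} {ip}" for n, ip in rows)
    return "\n".join(out)


def noisy_hosts(counts, min_hits):
    """External IPs with at least min_hits in any single week, in address order."""
    ips = {ip for (_, ip), n in counts.items() if n >= min_hits}
    return sorted(ips, key=ipaddress.ip_address)


def build_tag_rule(ips, sid, msg="UFOISC Traffic to Torpig Sigs"):
    """Outbound rule from the post, with tag:session so the reply gets logged too."""
    return (
        f"alert tcp $HOME_NET any -> [{','.join(ips)}] any "
        f'(msg:"{msg}"; tag:session,10,packets; classtype:trojan-activity; '
        f"sid:{sid}; rev:1;)"
    )


def build_return_rule(ips, sid, msg="Possible Torpig C&C traffic"):
    """Inbound rule in the style of Paul's reply, catching only the return traffic."""
    return (
        f"alert tcp [{','.join(ips)}] any -> $HOME_NET any "
        f'(msg:"{msg}"; classtype:trojan-activity; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    counts = hits_per_host_per_week(SAMPLE_ALERTS.splitlines(), TORPIG_SID)
    print(report(counts))
    hosts = noisy_hosts(counts, 1)
    print(build_tag_rule(hosts, 1000001))     # 1000001: assumed free local sid
    print(build_return_rule(hosts, 1000002))  # 1000002: assumed free local sid
```

Feed it `alert` (fast format) from the sensor instead of SAMPLE_ALERTS and raise `min_hits` to whatever separates a real beacon from a one-off. Keying on the non-$HOME_NET side means hits from the outbound rule and from the return-traffic rule land in the same bucket, so the table stays per C&C host rather than per direction.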