[Emerging-Sigs] ZeuS CnC Check-Ins Sig

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Oct 14 15:29:25 EDT 2010


Not sure I'm following. So you're saying kill the GET rule as it's irrelevant (did that, following you that far).

The rule you post below, it has .php in it. Won't that kill all the true positives?

I'm a little lost. :)

Matt

On Oct 14, 2010, at 11:50 AM, Eoin Miller wrote:

> On 10/14/2010 9:22 AM, Matthew Jonkman wrote:
>> Like so:
>> 
>> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC"; content:"POST"; http_method; content:"HTTP/1.1|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a|"; content:!"Content-Type|3a| "; http_header; content:"|0d 0a|Content-Length|3a| "; content:!"0"; distance:0; within:1; content:"Connection|3a| Keep-Alive|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; classtype:trojan-activity; sid:2800825; rev:1;)
>> 
>> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus GET Request to CnC"; content:"GET"; http_method; content:"HTTP/1.1|0D 0A|Accept|3a| */*|0D 0A|User-Agent|3a|"; content:!"Content-Type|3a| "; http_header; content:"|0d 0a|Content-Length|3a| "; content:!"0"; distance:0; within:1; content:"Connection|3a| Keep-Alive|0D 0A|Cache-Control|3a| no-cache|0D 0A 0D 0A|"; classtype:trojan-activity; sid:2800826; rev:1;)
>> 
>> Matt
>> 
> Unfortunately the GETs look completely different than the POSTs and I am not really sure that would work. Here is what we are running after working with PacketHack off list (sigs helped them identify more infections that previously had no alerts, or so is my understanding). One more slight tweak to the POST sig: we add .php to the second content match to get rid of a very small amount of FPs we were seeing with some hosts who have some weird http client libs with some apps. Also, you must remove all http_header content modifiers; for whatever reason, the sigs will not fire if those are used. You also don't have to convert the colons to |3a|:
> 
> CnC communication POSTs:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TEST ZeuS POST to CnC"; content:"POST"; http_method; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|User-Agent:"; content:!"Content-Type: "; content:"Content-Length: "; content:!"0"; distance:0; depth:1; content:"Connection: Keep-Alive|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; classtype:trojan-activity; sid:5600177; rev:4;)
> 
> HTTP Client Library Activity (will do check-ins to google.com/webhp to validate Internet connectivity until it can download config files). No reason to check for the GETs here, and you can use http_header as a content modifier (I need to test to see if this potential bug exists/is fixed in 2.9.0):
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TEST ZeuS http client library detected"; content:"Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: "; http_header; classtype:trojan-activity; sid:5600169; rev:1;)
> 
> I have some PCAPs of infected hosts that I can probably send you off list once getting authorized so you guys can see what I am talking about a bit more clearly and do some testing for validation purposes. However we have been running these sigs I wrote and the performance has been flat out flawless.
> 
> -- Eoin


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
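The content checks of the POST rules quoted above, emulated in Python against constructed requests so the Content-Length 0 exclusion, Eoin's .php narrowing, and why the GET variant never fires can be seen. This is an added illustration, not code from the list or from either rule author; paths, Host and User-Agent values are constructed, and the negated-byte check follows Matt's distance:0; within:1 reading (the single byte after the header name).

```python
CRLF = b"\r\n"

def zeus_cnc_match(request: bytes, method: bytes = b"POST", require_php: bool = True) -> bool:
    """Return True when every content check of the ZeuS CnC rule holds."""
    # content:"POST"; http_method  (b"GET" for the second rule)
    if not request.startswith(method + b" "):
        return False
    # content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|User-Agent:"
    # (Eoin's .php tweak; Matt's rules start the match at "HTTP/1.1")
    needle = (b".php" if require_php else b"") + b" HTTP/1.1\r\nAccept: */*\r\nUser-Agent:"
    if needle not in request:
        return False
    # content:!"Content-Type: "  -- any Content-Type header excludes the request
    if b"Content-Type: " in request:
        return False
    # content:"Content-Length: "; content:!"0"; distance:0; within:1
    # i.e. the single byte right after the header name must not be "0"
    # (first occurrence only; a well-formed request carries one such header)
    idx = request.find(b"Content-Length: ")
    if idx < 0:
        return False  # GETs carry no Content-Length, so the GET variant never fires
    nxt = idx + len(b"Content-Length: ")
    if request[nxt:nxt + 1] == b"0":
        return False
    # content:"Connection: Keep-Alive|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"
    return b"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n" in request

def _req(method: bytes, path: bytes, *headers: bytes) -> bytes:
    """Build a constructed request; headers are passed without CRLF."""
    return method + b" " + path + b" HTTP/1.1\r\n" + CRLF.join(headers) + CRLF + CRLF

# Constructed samples (not taken from any capture); values are placeholders.
COMMON = (b"Accept: */*", b"User-Agent: Mozilla/4.0 (constructed)", b"Host: cnc.example.invalid")
TAIL = (b"Connection: Keep-Alive", b"Cache-Control: no-cache")
ZEUS_POST  = _req(b"POST", b"/gate-sample.php", *COMMON, b"Content-Length: 312", *TAIL)
EMPTY_BODY = _req(b"POST", b"/gate-sample.php", *COMMON, b"Content-Length: 0", *TAIL)
TYPED_POST = _req(b"POST", b"/gate-sample.php", *COMMON, b"Content-Type: text/plain",
                  b"Content-Length: 12", *TAIL)
NON_PHP    = _req(b"POST", b"/upload", *COMMON, b"Content-Length: 312", *TAIL)
CLIENT_GET = _req(b"GET", b"/webhp", *COMMON, *TAIL)

if __name__ == "__main__":
    for name, req in [("zeus_post", ZEUS_POST), ("empty_body", EMPTY_BODY),
                      ("typed_post", TYPED_POST), ("non_php", NON_PHP)]:
        print(name, zeus_cnc_match(req))
    print("non_php without .php tweak", zeus_cnc_match(NON_PHP, require_php=False))
    print("client_get under GET rule", zeus_cnc_match(CLIENT_GET, method=b"GET", require_php=False))
```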