[Emerging-Sigs] Carberp sig

Darren Spruell phatbuckett at gmail.com
Thu Oct 14 21:17:37 EDT 2010


the 'id' parameter is variable length; here's a sample set:

  forceclub-us.com/task.php?id=RuOdDvTr0DBEDAF7CA3B9DE7CBD63C72354C8A9BD&task=0
  195.189.246.35/task.php?id=OHUENNY131970169159181858827012313841691344160000&task=0
  fotoplanet.it/task.php?id=12345101970169159181858827012313841691344160010988568252014038&task=0

The trojan is Carberp but not Bugat and not Sasfis. How does this work
for the checkin?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
Carberp Checkin Task"; flow:established,to_server;
uricontent:"/task.php?id="; uricontent:"&task=";
pcre:"/\/task\.php\?id=[0-9A-Za-z]{40,}&task=\d+$/U";
classtype:trojan-activity;
reference:url,www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/;
reference:url,www.honeynet.org/node/578;
reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99&tabid=2;
reference:url,www.eset.com/threat-center/encyclopedia/threats/win32trojandownloadercarberpb;
reference:url,www.threatexpert.com/report.aspx?md5=31a4bc4e9a431d91dc0b368f4a76ee85;
reference:url,www.threatexpert.com/report.aspx?md5=1d0d38dd63551a30eda664611ed4958b;
reference:url,www.threatexpert.com/report.aspx?md5=6f89b98729483839283d04b82055dc44;
reference:url,www.threatexpert.com/report.aspx?md5=07d3fbb124ff39bd5c1045599f719e36;
sid:2011799; rev:1;)

Would be good to have a larger request sample set or rce to determine
how to size the id parameter, can adjust as needed I guess.

There's also an opportunity to hit on the POST request that sends
system process list etc. to controller.

DS


On Tue, Oct 12, 2010 at 2:56 PM, Matthew Jonkman
<jonkman at emergingthreatspro.com> wrote:
> I think a bit of pcre is in order to make sure we don't have falses:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Sasfis/Carberp checkin task"; flow:established,to_server;
> uricontent:"/task.php?id="; uricontent:"&task=";
> pcre:"/\/task.php\?id=.{40}&task=\d/U"; classtype:trojan-activity;
> sid:2011799; rev:1;)
> Look good?
> Matt
> On Oct 12, 2010, at 2:18 PM, Packet Hack wrote:
>
> This article prompted me to look for Carberp/Bugat signatures:
>   http://www.securityweek.com/bugat-trojan-used-recent-attacks-cybercriminals-change-their-weapons
> I really couldn't find anything on Bugat, but I found a few references to
> Carberp:
>   http://www.threatexpert.com/report.aspx?md5=31a4bc4e9a431d91dc0b368f4a76ee85
>   http://www.threatexpert.com/report.aspx?md5=31a4bc4e9a431d91dc0b368f4a76ee85
>   http://viralerts.com/?p=989
> From that I whipped up this rule:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Sasfis/Carberp checkin"; flow:established,to_server;
> content:"/task.php?id="; distance: 0; within: 10; content:"&task=";
> distance:40; classtype:trojan-activity; sid:XXXXXXX; rev:1;)
> My guess is that it's doing a GET on the urls but from the 3 links above I
> can't be sure. Does the
> above seem like a reasonable way to look for urls similar to
>   http://fotoplanet.it/task.php?id=12345101970169159181858827012313841691344160010988568252014038&task=0
>   http://forceclub-us.com/task.php?id=RuOdDvTr0DBEDAF7CA3B9DE7CBD63C72354C8A9BD&task=0
> ?
> -- pckthck
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and
> Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>
> ----------------------------------------------------
> Matthew Jonkman
> Emergingthreats.net
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 765-807-8630
> Fax 312-264-0205
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc



-- 
Darren Spruell
phatbuckett at gmail.com
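Added example, not from this thread or the ET ruleset: Darren's refined pcre and Matt's earlier fixed-length pattern expressed as Python regexes and run over the three sample URIs from this message plus a few constructed benign look-alikes, to show why the id length has to be left open-ended. The Snort /U modifier (match against the normalized URI buffer) is approximated by matching on the request path plus query string only.

```python
import re

# Darren's refined PCRE from the rule above, as a Python regex.
REFINED = re.compile(r"/task\.php\?id=[0-9A-Za-z]{40,}&task=\d+$")

# Matt's earlier pattern for comparison: '.' in task.php is unescaped and the
# id length is pinned to exactly 40 characters.
FIXED_40 = re.compile(r"/task.php\?id=.{40}&task=\d")

# Request URIs (path + query) taken from the sample set in the message.
SAMPLES = [
    "/task.php?id=RuOdDvTr0DBEDAF7CA3B9DE7CBD63C72354C8A9BD&task=0",
    "/task.php?id=OHUENNY131970169159181858827012313841691344160000&task=0",
    "/task.php?id=12345101970169159181858827012313841691344160010988568252014038&task=0",
]

# Constructed look-alikes that the tightened pattern should not fire on.
NEGATIVES = [
    "/task.php?id=42&task=1",                          # id too short
    "/task.php?id=" + "a" * 40 + "&task=0&view=list",  # extra trailing parameter
    "/task.php?id=" + "x" * 39 + "-" + "&task=0",      # non-alphanumeric id byte
]


def id_length(uri):
    """Length of the id= value, useful for sizing the parameter across samples."""
    m = re.search(r"[?&]id=([^&]*)", uri)
    return len(m.group(1)) if m else 0


def matches(pattern, uri):
    """True when the (unanchored, Snort-style) pattern fires on this URI."""
    return pattern.search(uri) is not None


def evaluate(pattern, uris):
    """Map each URI to whether the pattern fires on it."""
    return {u: matches(pattern, u) for u in uris}


if __name__ == "__main__":
    for u in SAMPLES + NEGATIVES:
        print(f"len={id_length(u):3d} refined={matches(REFINED, u)!s:5} "
              f"fixed40={matches(FIXED_40, u)!s:5} {u}")
```

Running it shows every thread sample has an id longer than 40 characters, so the fixed-length pattern misses all three while the `{40,}` form with the `$` anchor fires on them and stays quiet on the look-alikes.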

