[Emerging-Sigs] Carberp sig

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 15 03:27:33 EDT 2010


We have this for the pcre:
pcre:"/\/task\.php\?id=[^&]{32,64}&task=\d/U";

Added your references and updated the msg, thanks!!

Matt

On Oct 14, 2010, at 9:17 PM, Darren Spruell wrote:

> the 'id' parameter is variable length; here's a sample set:
> 
> forceclub-us.com/task.php?id=RuOdDvTr0DBEDAF7CA3B9DE7CBD63C72354C8A9BD&task=0
> 195.189.246.35/task.php?id=OHUENNY131970169159181858827012313841691344160000&task=0
> fotoplanet.it/task.php?id=12345101970169159181858827012313841691344160010988568252014038&task=0
> 
> The trojan is Carberp but not Bugat and not Sasfis. How does this work
> for the checkin?
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Carberp Checkin Task"; flow:established,to_server;
> uricontent:"/task.php?id="; uricontent:"&task=";
> pcre:"/\/task\.php\?id=[0-9A-Za-z]{40,}&task=\d+$/U";
> classtype:trojan-activity;
> reference:url,www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/;
> reference:url,www.honeynet.org/node/578;
> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99&tabid=2;
> reference:url,www.eset.com/threat-center/encyclopedia/threats/win32trojandownloadercarberpb;
> reference:url,www.threatexpert.com/report.aspx?md5=31a4bc4e9a431d91dc0b368f4a76ee85;
> reference:url,www.threatexpert.com/report.aspx?md5=1d0d38dd63551a30eda664611ed4958b;
> reference:url,www.threatexpert.com/report.aspx?md5=6f89b98729483839283d04b82055dc44;
> reference:url,www.threatexpert.com/report.aspx?md5=07d3fbb124ff39bd5c1045599f719e36;
> sid:2011799; rev:1;)
> 
> Would be good to have a larger request sample set or rce to determine
> how to size the id parameter, can adjust as needed I guess.
> 
> There's also an opportunity to hit on the POST request that sends
> system process list etc. to controller.
> 
> DS
> 
> 
> On Tue, Oct 12, 2010 at 2:56 PM, Matthew Jonkman
> <jonkman at emergingthreatspro.com> wrote:
>> I think a bit of pcre is in order to make sure we don't have falses:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> Sasfis/Carberp checkin task"; flow:established,to_server;
>> uricontent:"/task.php?id="; uricontent:"&task=";
>> pcre:"/\/task.php\?id=.{40}&task=\d/U"; classtype:trojan-activity;
>> sid:2011799; rev:1;)
>> Look good?
>> Matt
>> On Oct 12, 2010, at 2:18 PM, Packet Hack wrote:
>> 
>> This article prompted me to look for Carberp/Bugat signatures:
>>   http://www.securityweek.com/bugat-trojan-used-recent-attacks-cybercriminals-change-their-weapons
>> I really couldn't find anything on Bugat, but I found a few references to
>> Carberp:
>>   http://www.threatexpert.com/report.aspx?md5=31a4bc4e9a431d91dc0b368f4a76ee85
>>   http://www.threatexpert.com/report.aspx?md5=31a4bc4e9a431d91dc0b368f4a76ee85
>>   http://viralerts.com/?p=989
>> From that I whipped up this rule:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> Sasfis/Carberp checkin"; flow:established,to_server;
>> content:"/task.php?id="; distance: 0; within: 10; content:"&task=";
>> distance:40; classtype:trojan-activity; sid:XXXXXXX; rev:1;)
>> My guess is that it's doing a GET on the urls but from the 3 links above I
>> can't be sure. Does the
>> above seem like a reasonable way to look for urls similar to
>>   http://fotoplanet.it/task.php?id=12345101970169159181858827012313841691344160010988568252014038&task=0
>>   http://forceclub-us.com/task.php?id=RuOdDvTr0DBEDAF7CA3B9DE7CBD63C72354C8A9BD&task=0
>> ?
>> -- pckthck
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> 
>> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and
>> Lanyards
>> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>> 
>> ----------------------------------------------------
>> Matthew Jonkman
>> Emergingthreats.net
>> Emerging Threats Pro
>> Open Information Security Foundation (OISF)
>> Phone 765-807-8630
>> Fax 312-264-0205
>> http://www.emergingthreatspro.com
>> http://www.openinfosecfoundation.org
>> ----------------------------------------------------
>> 
>> PGP: http://www.jonkmans.com/mattjonkman.asc
>> 
>> 
> 
> 
> 
> -- 
> Darren Spruell
> phatbuckett at gmail.com
> 


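Added example (not code from the thread, from Emerging Threats, or from the Carberp write-ups it references): the script below runs the three candidate PCREs discussed above (Matt's first fixed-length version, Darren's alnum 40-plus version, and the final 32-to-64 version) over the three URIs Darren quoted, plus three constructed URIs that are not observed traffic, to show why the fixed-length `.{40}` misses every sample and where the two bounded variants disagree. It assumes the host part is dropped and only the request-URI is inspected, which is what Snort's `/U` modifier selects; the dot in `task.php` is escaped in all three patterns.

```python
import re

# Candidate PCREs from the thread, applied to the request-URI string instead
# of Snort's normalized-URI buffer (/U). The dot in "task.php" is escaped.
SIGNATURES = {
    "matt_v1_fixed40": re.compile(r"/task\.php\?id=.{40}&task=\d"),
    "darren_alnum40plus": re.compile(r"/task\.php\?id=[0-9A-Za-z]{40,}&task=\d+$"),
    "matt_final_32to64": re.compile(r"/task\.php\?id=[^&]{32,64}&task=\d"),
}

# URIs quoted in the thread (host part dropped; only the URI is inspected).
THREAD_SAMPLES = [
    "/task.php?id=RuOdDvTr0DBEDAF7CA3B9DE7CBD63C72354C8A9BD&task=0",
    "/task.php?id=OHUENNY131970169159181858827012313841691344160000&task=0",
    "/task.php?id=12345101970169159181858827012313841691344160010988568252014038&task=0",
]

# Constructed edge cases (assumptions, not observed Carberp traffic).
CONSTRUCTED = {
    "short_id": "/task.php?id=42&task=1",                       # benign-looking
    "long_id_80": "/task.php?id=" + "A" * 80 + "&task=0",      # above the 64 bound
    "trailing_param": "/task.php?id=" + "B" * 41 + "&task=0&v=2",  # extra param after task
}

ID_RE = re.compile(r"[?&]id=([^&]*)")


def id_length(uri: str) -> int:
    """Length of the id parameter value, or -1 if the URI carries no id."""
    m = ID_RE.search(uri)
    return len(m.group(1)) if m else -1


def evaluate(uri: str) -> dict:
    """Map each candidate signature name to whether it fires on this URI."""
    return {name: bool(pat.search(uri)) for name, pat in SIGNATURES.items()}


def report(cases):
    """For each (label, uri) pair return (label, id length, per-signature hits)."""
    return [(label, id_length(uri), evaluate(uri)) for label, uri in cases]


if __name__ == "__main__":
    cases = [(f"thread_{i}", u) for i, u in enumerate(THREAD_SAMPLES, 1)]
    cases += list(CONSTRUCTED.items())
    print(f"{'case':<16}{'id_len':>7}  " + "  ".join(SIGNATURES))
    for label, n, hits in report(cases):
        cells = "  ".join(f"{'HIT' if hits[s] else '-':^{len(s)}}" for s in SIGNATURES)
        print(f"{label:<16}{n:>7}  {cells}")
```

Run as-is, the table shows the fixed-length `.{40}` pattern firing on none of the three thread samples (their id values are 41, 49 and 62 characters), while both bounded variants fire on all three. The two constructed cases mark the remaining trade-off: Darren's `$` anchor drops a check-in that carries any parameter after `task=`, and the final `[^&]{32,64}` bound drops any id longer than 64 characters, so a larger sample set, as Darren asked for, is what settles the upper bound.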