[Emerging-Sigs] Sig for generic fake SSL cert used by Trojan campaign

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 18 15:58:05 EDT 2010


Hey martin, wouldn't these have hit on that:

policy.rules:#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (CN)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 03|"; content:"PCA"; within:50; classtype:not-suspicious; sid:2011539; rev:3;)

policy.rules:#alert tcp any 443 -> any any (msg:"ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O)"; flow:established,to_client; content:"|16|"; content:"|0b|"; within:8; content:"|55 04 0a|"; content:"Internet Widgits Pty Ltd"; within:50; sid:2011540; rev:3;)

Matt

On Oct 18, 2010, at 12:27 PM, Martin Holste wrote:

> This sig did very well over the weekend at catching the handshake for
> the encrypted stage two communications to a C&C server after the
> initial staged check-in over plain HTTP which is entirely base64 URI.
> If anybody has additional info on what variant this is, I'd be
> interested.  I see that this issuer is similar to the "snake oil"
> self-signed fake cert used by Apache based on Google results.  Based
> on that, I was expecting a lot of falses on this, but so far I've seen
> none.
> 
> I've put in the portvar $HTTPS_PORTS, but that could obviously be
> changed to 443 for most cases.  I'm also using the ssl_state tag, so I
> think this only works in >= 2.8 and with the SSL preproc running.  If
> you guys want to modify it to be a little more forgiving, I have no
> problem with that.  The depth:600 is also very much up for discussion.
> It was more than enough for this case, but I don't know what the
> optimal depth in the server hello would be.
> 
> alert tcp $EXTERNAL_NET $HTTPS_PORTS -> $HOME_NET any (msg:"LOCAL Fake
> SSL Cert (Internet Widgits Pty Ltd)"; ssl_state: server_hello;
> content:"Internet Widgits Pty Ltd"; depth:600;
> classtype:trojan-activity; sid:xxx;)
> 
> --Martin
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
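As an added example (not code from the thread, from Emerging Threats or from Snort), the script below walks a TLS Certificate handshake record the way the two ET POLICY rules above do: record type 0x16 (handshake), handshake type 0x0b (Certificate) within the next 8 bytes, then the DER OIDs 2.5.4.3 (commonName, bytes 55 04 03) and 2.5.4.10 (organizationName, bytes 55 04 0a) followed by a string, with Martin's depth:600 applied as a window on the record. The TLS record and the "certificate" inside it are constructed here; the certificate is only a DER Name wrapped to look like the Certificate message, not a real X.509 structure, so its byte layout is this example's assumption.

```python
"""Added example, not code from the thread or from Emerging Threats.

Mirrors the byte-pattern checks of the quoted ET POLICY rules against a
constructed TLS Certificate handshake record. The "certificate" is just a
DER X.501 Name, enough for the OID/string patterns the rules key on.
"""
import re

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
HS_CERTIFICATE = 0x0B     # handshake message type: Certificate
OID_CN = b"\x55\x04\x03"  # DER of 2.5.4.3  (commonName)
OID_O = b"\x55\x04\x0a"   # DER of 2.5.4.10 (organizationName)
OID_NAMES = {OID_CN: "CN", OID_O: "O"}
DEMO_ORG = "Internet Widgits Pty Ltd"  # OpenSSL's default O= in its prompts

# OID TLV (06 03 55 04 03|0a), then a string tag (UTF8/Printable/T61/IA5)
# with a short-form length: the same bytes the rules' content matches rely on.
_ATTR_RE = re.compile(rb"\x06\x03(\x55\x04[\x03\x0a])[\x0c\x13\x14\x16]([\x01-\x7f])")


def der(tag, body):
    """Wrap body in a DER TLV (short or long definite length)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def der_name(attrs):
    """DER X.501 Name: SEQUENCE of SET of SEQUENCE { OID, PrintableString }."""
    rdns = b"".join(der(0x31, der(0x30, der(0x06, oid) + der(0x13, value)))
                    for oid, value in attrs)
    return der(0x30, rdns)


def certificate_record(cert_der):
    """Wrap a DER blob as a TLS 1.0 Certificate handshake inside one record."""
    certs = len(cert_der).to_bytes(3, "big") + cert_der      # certificate_list
    body = len(certs).to_bytes(3, "big") + certs
    handshake = bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big") + handshake


def is_certificate_handshake(record):
    """Mirror content:"|16|"; content:"|0b|"; within:8 from the ET rules."""
    return len(record) > 9 and record[0] == TLS_HANDSHAKE and HS_CERTIFICATE in record[1:9]


def name_attributes(record, depth=600):
    """First CN and O values found in the first `depth` bytes (Martin's depth:600)."""
    attrs = {}
    data = record[:depth]
    for m in _ATTR_RE.finditer(data):
        label, length = OID_NAMES[m.group(1)], m.group(2)[0]
        value = data[m.end():m.end() + length]
        if len(value) == length:          # value must lie fully inside the depth window
            attrs.setdefault(label, value.decode("latin-1"))
    return attrs


def matches_fake_cert_rule(record, depth=600):
    """True when the record carries the OpenSSL default O= value the rules flag."""
    if not is_certificate_handshake(record):
        return False
    return name_attributes(record, depth).get("O") == DEMO_ORG


# Constructed sample records, not captured traffic.
SUSPECT = certificate_record(der(0x30, der_name([(OID_O, b"Internet Widgits Pty Ltd"),
                                                  (OID_CN, b"localhost")])))
BENIGN = certificate_record(der(0x30, der_name([(OID_O, b"Example Corp"),
                                                 (OID_CN, b"example.com")])))

if __name__ == "__main__":
    for label, rec in (("suspect", SUSPECT), ("benign", BENIGN)):
        verdict = "alert" if matches_fake_cert_rule(rec) else "no alert"
        print(label, name_attributes(rec), verdict)
```

A real certificate carries both issuer and subject names, so the O= value appears twice and the first hit is the issuer; that is why the rules match well on self-signed certs generated with OpenSSL defaults. The depth window also shows the trade-off Martin raised: a value whose bytes straddle the window boundary is not reported, so too small a depth misses large certificate chains.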