[Emerging-Sigs] New sig: MUROFET/Licat trojan check in

Greg Martin gregcmartin at gmail.com
Thu Oct 21 22:12:51 EDT 2010


Brandon,

Good catch, yes the missing fwd slash was a typo in the pcre.

On Thu, Oct 21, 2010 at 9:04 PM, Brandon Enright <bmenrigh at ucsd.edu> wrote:
> On Mon, 18 Oct 2010 12:53:38 -0500
> Greg Martin <gregcmartin at gmail.com> wrote:
>
>> #by gregcmartin
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> CURRENT_EVENTS MUROFET/Licat Trojan"; flow:established,to_server;
>> content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\:"; nocase;
>> uricontent:"/news/?s="; pcre:"/news\?s=\d+{1,3}";
>> classtype:trojan-activity;
>> reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html;
>> sid:9999999; rev:1;)
>
>
> Hi Greg,
>
> Is pcre:"/news\?s=\d+{1,3}" valid syntax?  Perl will choke on
> mixing/nesting quantifiers like + and {n,m}.  Also, there should be a
> trailing /.  Finally, there is a / after news.
>
> Finally, Murofet can have 4 digits but since the regex doesn't specify
> any trailing characters to match only 1 digit is needed for a match.
>
> I'd suggest something along the lines of:
>
> pcre:"/\/news\/\?s=\d{1,4} HTTP/";
>
>
> We had a host trigger a sig that I wrote.  The request was:
>
> GET /news/?s=1274 HTTP/1.1
> Accept: */*
> Connection: Close
> User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; GTB6.5; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C)
> Host: osupitmhnpruwtli.biz
> Cache-Control: no-cache
>
>
> Brandon
>
>
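As an added check (not from either message in this thread), the pcre variants discussed above run through Python's `re` module, assumed here to behave like the PCRE engine Snort uses for these constructs: the stacked quantifier in the original rule fails to compile, dropping the `+` alone still misses the quoted request because of the `/` after `news`, and Brandon's suggested pattern matches one- to four-digit ids only. The sample request lines are constructed; the first mirrors the request Brandon quoted.

```python
import re

# Constructed sample request lines for the check.
REQUESTS = [
    "GET /news/?s=1274 HTTP/1.1",   # the request Brandon quoted: 4 digits
    "GET /news/?s=7 HTTP/1.1",      # 1 digit
    "GET /news/?s=12345 HTTP/1.1",  # 5 digits: beyond the 1-4 the sig expects
    "GET /news/?s=abc HTTP/1.1",    # non-numeric id
]

# Patterns taken from the thread, without the surrounding pcre "/.../" delimiters.
ORIGINAL = r"news\?s=\d+{1,3}"          # as posted: '+' followed by '{1,3}'
QUANTIFIER_FIXED = r"news\?s=\d{1,3}"   # '+' removed, slash after 'news' still missing
SUGGESTED = r"\/news\/\?s=\d{1,4} HTTP" # Brandon's suggestion

def compiles(pattern):
    """True if the regex engine accepts the pattern at all."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False

def evaluate(pattern, lines=REQUESTS):
    """Return a list of True/False, one per request line, for a compiling pattern."""
    regex = re.compile(pattern)
    return [regex.search(line) is not None for line in lines]

if __name__ == "__main__":
    print("original compiles:", compiles(ORIGINAL))
    print("quantifier-only fix:", evaluate(QUANTIFIER_FIXED))
    print("suggested pattern:", evaluate(SUGGESTED))
```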

