[Emerging-Sigs] More Carberp Sigs

Eoin Miller eoin.miller at trojanedbinaries.com
Mon Oct 25 12:58:51 EDT 2010


Found a couple of infected hosts with the checkin sig I submitted. Based 
on traffic we have captured, I made the following sigs:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TROJAN carberp file download"; content:"/cfg/"; http_uri; depth:5; content:".plug"; http_uri; classtype:trojan-activity; sid:5600192; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TROJAN carberp CnC request - POST id=imp"; content:"POST"; http_method; content:"id=imp"; http_client_body; depth:6; classtype:trojan-activity; sid:5600193; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EID TROJAN carberp CnC request - POST /set/task.html"; content:"POST"; http_method; content:"/set/task.html"; http_uri; depth:14; classtype:trojan-activity; sid:5600194; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EID TROJAN carberp CnC response - download"; file_data; content:"download http://"; depth:16; classtype:trojan-activity; sid:5600195; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EID TROJAN carberp CnC response - no tasks"; file_data; content:"no tasks"; depth:8; classtype:trojan-activity; sid:5600196; rev:1;)


I know the POST /set/task.html has seen other types of checkins from 
other people's posts to the list, so maybe that one can be forgone? Not 
sure how static the id=imp for the POST id=imp is, but both infected 
systems we have started with that in the http_client_body buffer 
whenever they are POSTing in to the CnC. If anyone else has any traffic 
from an infection and could run these sigs against the captured traffic 
and identify any slight tweaks to make them better, that would be pretty 
awesome.

-- Eoin
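The following is an added example, not part of Eoin's post and not real Carberp traffic: a small Python emulation of the five rules' content/buffer/depth semantics, run over constructed HTTP messages, so you can see what each sig does and does not fire on before loading it into Snort or Suricata. The buffer names (http_method, http_uri, http_client_body, file_data) follow the rule keywords; the sample URIs, bodies and the hostname example.invalid are made up for illustration. Note in particular that depth:5 on "/cfg/" and depth:6 on "id=imp" anchor those strings to the start of their buffer, which is exactly the "how static is id=imp" question raised above.

```python
"""Emulate the matching semantics of the five Carberp sigs on constructed
HTTP samples. Added example; not the sigs' author's code and not captured
traffic. Buffer names mirror Snort 2.x / Suricata rule keywords."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HttpMessage:
    """Minimal normalized HTTP message. For a request, method/uri/body are
    the http_method, http_uri and http_client_body buffers; for a response
    only body (the file_data buffer) is populated."""
    method: str = ""
    uri: str = ""
    body: bytes = b""
    is_response: bool = False

    def buffer(self, name: str) -> bytes:
        return {
            "http_method": self.method.encode(),
            "http_uri": self.uri.encode(),
            "http_client_body": b"" if self.is_response else self.body,
            "file_data": self.body if self.is_response else b"",
        }[name]


@dataclass
class Content:
    """One content match: pattern, target buffer and optional depth. depth
    limits the search to the first N bytes of the buffer, so a pattern of
    length N with depth:N must sit at offset 0."""
    pattern: bytes
    buffer: str
    depth: Optional[int] = None

    def matches(self, msg: HttpMessage) -> bool:
        data = msg.buffer(self.buffer)
        if self.depth is not None:
            data = data[: self.depth]
        return self.pattern in data


@dataclass
class Rule:
    sid: int
    msg: str
    direction: str  # "out" = $HOME_NET -> $EXTERNAL_NET, "in" = reverse
    contents: List[Content]

    def matches(self, http: HttpMessage) -> bool:
        # Inbound rules only apply to responses, outbound only to requests.
        if http.is_response != (self.direction == "in"):
            return False
        return all(c.matches(http) for c in self.contents)


# Transcription of the five sigs from the post (sid, message, direction, contents).
RULES = [
    Rule(5600192, "carberp file download", "out",
         [Content(b"/cfg/", "http_uri", 5), Content(b".plug", "http_uri")]),
    Rule(5600193, "CnC request - POST id=imp", "out",
         [Content(b"POST", "http_method"), Content(b"id=imp", "http_client_body", 6)]),
    Rule(5600194, "CnC request - POST /set/task.html", "out",
         [Content(b"POST", "http_method"), Content(b"/set/task.html", "http_uri", 14)]),
    Rule(5600195, "CnC response - download", "in",
         [Content(b"download http://", "file_data", 16)]),
    Rule(5600196, "CnC response - no tasks", "in",
         [Content(b"no tasks", "file_data", 8)]),
]


def fired_sids(http: HttpMessage) -> List[int]:
    """Return the sids of every rule that fires on this message, in rule order."""
    return [r.sid for r in RULES if r.matches(http)]


# Constructed samples (hypothetical, not real C&C traffic).
SAMPLES = {
    "plug_download": HttpMessage("GET", "/cfg/passw.plug"),
    "plug_deep_path": HttpMessage("GET", "/x/cfg/passw.plug"),      # /cfg/ not at offset 0
    "checkin_imp": HttpMessage("POST", "/set/task.html", b"id=imp&v=1"),
    "checkin_imp_later": HttpMessage("POST", "/set/task.html", b"v=1&id=imp"),  # beyond depth:6
    "resp_download": HttpMessage(body=b"download http://example.invalid/a.plug", is_response=True),
    "resp_none": HttpMessage(body=b"no tasks", is_response=True),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:18s} -> {fired_sids(sample)}")
```

The "checkin_imp_later" sample is the case to watch: if a variant puts another parameter before id=imp, sid 5600193 stays silent and only the more generic /set/task.html sig fires, so dropping depth:6 (or widening it) is the tweak to test against any additional captures.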
