[Emerging-Sigs] Carberp sig

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 25 19:48:59 EDT 2010


I think more interesting is that we have task.php and task= with HTTP/1.0. That may be unique enough.

Most anything making that kind of complex URI you'd think should be HTTP/1.1 if it's real.

Am I on the right track here?

Matt

On Oct 25, 2010, at 2:32 PM, Eoin Miller wrote:

> On 10/12/2010 6:18 PM, Packet Hack wrote:
>> This article prompted me to look for Carberp/Bugat signatures:
>> 
>> http://www.securityweek.com/bugat-trojan-used-recent-attacks-cybercriminals-change-their-weapons 
>> 
>> 
>> I really couldn't find anything on Bugat, but I found a few references 
>> to Carberp:
>> 
>> http://www.threatexpert.com/report.aspx?md5=31a4bc4e9a431d91dc0b368f4a76ee85
>> http://viralerts.com/?p=989
>> 
>> From that I whipped up this rule:
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> Sasfis/Carberp checkin"; flow:established,to_server;
>> content:"/task.php?id="; http_uri; content:"&task="; http_uri;
>> distance:40; classtype:trojan-activity; sid:XXXXXXX; rev:1;)
>> 
>> My guess is that it's doing a GET on the URLs but from the 3 links
>> above I can't be sure. Does the above seem like a reasonable way to
>> look for URLs similar to
>> 
>> http://fotoplanet.it/task.php?id=12345101970169159181858827012313841691344160010988568252014038&task=0
>> http://forceclub-us.com/task.php?id=RuOdDvTr0DBEDAF7CA3B9DE7CBD63C72354C8A9BD&task=0
>> 
>> ?
>> 
>> -- pckthck
> 
> Found some more infections with new sigs I wrote this morning that 
> behave more like this version. Here are some gets/responses for CnC 
> communication:
> 
> Request:
> 0000   47 45 54 20 2f 74 61 73 6b 2e 70 68 70 3f 69 64  GET /task.php?id
> 0010   3d 52 53 41 30 43 34 46 36 46 43 30 41 41 37 46  =RSA0C4F6FC0AA7F
> 0020   36 31 46 32 46 38 35 32 36 42 39 44 42 46 36 39  61F2F8526B9DBF69
> 0030   45 33 43 46 42 26 74 61 73 6b 3d 30 20 48 54 54  E3CFB&task=0 HTT
> 0040   50 2f 31 2e 30 0d 0a 48 6f 73 74 3a 20 6d 6d 73  P/1.0..Host: mms
> 0050   6c 69 76 65 2e 69 6e 66 6f 0d 0a 55 73 65 72 2d  live.info..User-
> 0060   41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35  Agent: Mozilla/5
> 0070   2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 55 3b 20  .0 (Windows; U;
> 0080   57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20  Windows NT 5.1;
> 0090   72 75 3b 20 72 76 3a 31 2e 39 2e 31 2e 34 29 20  ru; rv:1.9.1.4)
> 00a0   47 65 63 6b 6f 2f 32 30 30 39 31 30 31 36 20 46  Gecko/20091016 F
> 00b0   69 72 65 66 6f 78 2f 33 2e 35 2e 34 0d 0a 43 6f  irefox/3.5.4..Co
> 00c0   6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d  nnection: close.
> 00d0   0a 0d 0a                                         ...
> 
> Response:
> 0000   48 54 54 50 2f 31 2e 30 20 32 30 30 20 4f 4b 0d  HTTP/1.0 200 OK.
> 0010   0a 43 6f 6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f  .Connection: clo
> 0020   73 65 0d 0a 58 2d 50 6f 77 65 72 65 64 2d 42 79  se..X-Powered-By
> 0030   3a 20 50 48 50 2f 35 2e 32 2e 36 2d 31 2b 6c 65  : PHP/5.2.6-1+le
> 0040   6e 6e 79 38 0d 0a 50 72 61 67 6d 61 3a 20 6e 6f  nny8..Pragma: no
> 0050   2d 63 61 63 68 65 0d 0a 45 78 70 69 72 65 73 3a  -cache..Expires:
> 0060   20 30 0d 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65   0..Content-type
> 0070   3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 44 61 74  : text/html..Dat
> 0080   65 3a 20 4d 6f 6e 2c 20 32 35 20 4f 63 74 20 32  e: Mon, 25 Oct 2
> 0090   30 31 30 20 31 35 3a 31 36 3a 33 30 20 47 4d 54  010 15:16:30 GMT
> 00a0   0d 0a 53 65 72 76 65 72 3a 20 6c 69 67 68 74 74  ..Server: lightt
> 00b0   70 64 2f 31 2e 34 2e 31 39 0d 0a 0d 0a           pd/1.4.19....
> 
> 
> Kind of interesting about the request is that we may be able to sig on
> the user-agent. It has the "ru;" in there for the language, which should
> make it easy to detect for us non-Russians (sorry guys). Maybe something
> that looks for ru; Firefox user-agents?
> 
> -- Eoin
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
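Added example, not code from the thread or from Emerging Threats: a small Python script that rebuilds the request from the hex dump Eoin posted, then runs the three detection ideas discussed above over it and over the two URIs Packet Hack quoted. It emulates the posted rule's two content matches using Snort's distance semantics (the second search starts N bytes after the end of the previous match), checks Matt's "task.php with HTTP/1.0" observation, and checks Eoin's "ru;" Firefox user-agent idea. The hex dump and sample URIs are copied from the thread; the parser, the helper names and the threshold handling are this example's own assumptions.

```python
import re

# Constructed input: the C&C request hex dump from Eoin's message, copied
# here verbatim so the example runs offline ("offset  hex pairs  ascii").
REQUEST_DUMP = """\
0000   47 45 54 20 2f 74 61 73 6b 2e 70 68 70 3f 69 64  GET /task.php?id
0010   3d 52 53 41 30 43 34 46 36 46 43 30 41 41 37 46  =RSA0C4F6FC0AA7F
0020   36 31 46 32 46 38 35 32 36 42 39 44 42 46 36 39  61F2F8526B9DBF69
0030   45 33 43 46 42 26 74 61 73 6b 3d 30 20 48 54 54  E3CFB&task=0 HTT
0040   50 2f 31 2e 30 0d 0a 48 6f 73 74 3a 20 6d 6d 73  P/1.0..Host: mms
0050   6c 69 76 65 2e 69 6e 66 6f 0d 0a 55 73 65 72 2d  live.info..User-
0060   41 67 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35  Agent: Mozilla/5
0070   2e 30 20 28 57 69 6e 64 6f 77 73 3b 20 55 3b 20  .0 (Windows; U;
0080   57 69 6e 64 6f 77 73 20 4e 54 20 35 2e 31 3b 20  Windows NT 5.1;
0090   72 75 3b 20 72 76 3a 31 2e 39 2e 31 2e 34 29 20  ru; rv:1.9.1.4)
00a0   47 65 63 6b 6f 2f 32 30 30 39 31 30 31 36 20 46  Gecko/20091016 F
00b0   69 72 65 66 6f 78 2f 33 2e 35 2e 34 0d 0a 43 6f  irefox/3.5.4..Co
00c0   6e 6e 65 63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d  nnection: close.
00d0   0a 0d 0a                                         ...
"""

# URI paths of the two check-ins quoted in Packet Hack's message.
SAMPLE_URIS = [
    "/task.php?id=12345101970169159181858827012313841691344160010988568252014038&task=0",
    "/task.php?id=RuOdDvTr0DBEDAF7CA3B9DE7CBD63C72354C8A9BD&task=0",
]

HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn an 'offset  16 hex pairs  ascii' dump back into raw bytes.

    At most 16 pairs are read per line, and reading stops at the first token
    that is not a hex pair, which skips the ASCII column. (A short last line
    whose ASCII column happened to start with two hex digits would need a
    column-based parser instead; the dump above has no such line.)"""
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        for tok in tokens[1:17]:          # tokens[0] is the offset column
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, version = lines[0].split(" ", 2)
    headers = {}
    for h in lines[1:]:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "version": version,
            "headers": headers, "body": body}


def rule_matches(uri: str, distance: int = 40) -> bool:
    """Emulate the posted rule on the URI buffer:
    content:"/task.php?id="; then content:"&task="; distance:<distance>;
    Snort starts the second search <distance> bytes after the END of the
    first match, so an id shorter than <distance> bytes can never match."""
    first = "/task.php?id="
    i = uri.find(first)
    if i < 0:
        return False
    return uri.find("&task=", i + len(first) + distance) >= 0


def http10_task_checkin(req: dict) -> bool:
    """Matt's observation: a task.php?id=...&task= request sent as HTTP/1.0."""
    return ("/task.php?id=" in req["uri"] and "&task=" in req["uri"]
            and req["version"] == "HTTP/1.0")


def ru_firefox_ua(req: dict) -> bool:
    """Eoin's idea: a Firefox user-agent carrying the 'ru;' locale token.
    The '; ru;' form (assumption here) avoids matching 'ru;' inside other words."""
    ua = req["headers"].get("user-agent", "")
    return "; ru;" in ua and "Firefox/" in ua


def evaluate(distance: int = 40) -> dict:
    """Run all three checks over the captured request and the sample URIs."""
    req = parse_request(hexdump_to_bytes(REQUEST_DUMP))
    uris = SAMPLE_URIS + [req["uri"]]
    return {
        "request_line": f'{req["method"]} {req["uri"]} {req["version"]}',
        "id_lengths": [len(u.split("id=", 1)[1].split("&", 1)[0]) for u in uris],
        "rule_hits": [rule_matches(u, distance) for u in uris],
        "http10_hit": http10_task_checkin(req),
        "ru_ua_hit": ru_firefox_ua(req),
    }


if __name__ == "__main__":
    for k, v in evaluate().items():
        print(f"{k}: {v}")
```

Running it shows why the three ideas differ in coverage: the id in Eoin's capture is 36 bytes, so the posted rule's distance:40 misses that request (the two quoted URIs have 62- and 41-byte ids and match), while the HTTP/1.0 and "ru;" user-agent checks both fire on it. Dropping or lowering the distance (evaluate(distance=0)) makes the rule hit all three.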
