[Emerging-Sigs] Unique(?) TDSS User-Agent

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Feb 21 12:51:33 EST 2011


Proxy discussion aside, how about this sig:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible TDSS User-Agent CMD3"; flow:established,to_server; content:"CONNECT"; http_method; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 1.0|3b| Windows NT|3b| CMD"; http_header; classtype:trojan-activity; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=19; sid:2012322; rev:1;)

That'll get it if you are in a proxy env and are redefining your http_ports and external net correctly when loading the http sigs. 

Matt

On Feb 19, 2011, at 1:06 PM, b for bhdresh wrote:

> Hi Michael,
> 
> Thanks for your effort, but I guess this signature can generate false positives, as it checks only for the HTTP CONNECT method and secondly searches for a defined Firefox User-Agent.
> 
> Normal proxy traffic on a port other than 80 will get served by the HTTP CONNECT method. So, in such cases your signature can generate false positives.
> 
> Correct me if I am wrong.
> 
> Regards,
> -Bhdresh
> 
> 
> On Fri, Feb 18, 2011 at 12:48 AM, "Michael Cox" <michael at mail.wanderingbark.net> wrote:
> Hello. First sig posted to the list, so please help me fill in the gaps.
> 
> Looking at proxy logs for a TDSS infected client, I noticed what appears
> to be a unique UA with some HTTP CONNECT traffic. I found a reference via
> google on the kernelmode forums from last summer, so this isn't anything new.
> 
> The only examples I have seen so far are CONNECT method, so I included that in
> the sig. It may be better to make it a straight user-agent rule though.
> Proposed sig follows.
> 
> Regards,
> Michael
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Possible TDSS User-Agent seen with HTTP CONNECT Traffic";
> flow:established,to_server; content:"CONNECT"; http_method;
> content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 1.0|3b| Windows
> NT|3b| CMD3)"; http_header; classtype:trojan-activity;
> reference:url,http://www.kernelmode.info/forum/viewtopic.php?f=16&t=19;
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
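As an added illustration (not code from the thread or from Emerging Threats), the snippet below decodes the two `content:` strings of the sid:2012322 rule above, Snort-style `|3a|` hex pipes included, and applies the rule's CONNECT-plus-User-Agent logic to three constructed requests: the TDSS pattern over CONNECT, an ordinary proxy CONNECT with a different browser UA, and the TDSS UA over a plain GET. The request bytes are constructed samples, not captured traffic.

```python
import re

def decode_content(s: str) -> bytes:
    """Decode a Snort content string: |3a 3b| hex pipes become raw bytes."""
    out = bytearray()
    pos = 0
    for m in re.finditer(r"\|([0-9A-Fa-f ]+)\|", s):
        out += s[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += s[pos:].encode("latin-1")
    return bytes(out)

# The two content matches from the rule posted above (sid:2012322, rev:1)
METHOD_CONTENT = decode_content("CONNECT")
UA_CONTENT = decode_content(
    "User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 1.0|3b| Windows NT|3b| CMD")

def rule_matches(request: bytes) -> bool:
    """Emulate the rule: METHOD_CONTENT must appear in the request method
    (http_method buffer) and UA_CONTENT in the header block (http_header buffer)."""
    head, _, _ = request.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    return METHOD_CONTENT in method and UA_CONTENT in headers

# Constructed sample requests (hostnames are placeholders)
TDSS_REQ = (b"CONNECT example.invalid:443 HTTP/1.1\r\nHost: example.invalid:443\r\n"
            b"User-Agent: Mozilla/4.0 (compatible; MSIE 1.0; Windows NT; CMD3)\r\n\r\n")
PROXY_REQ = (b"CONNECT example.invalid:443 HTTP/1.1\r\nHost: example.invalid:443\r\n"
             b"User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:3.6) Gecko/20100101 Firefox/3.6\r\n\r\n")
GET_REQ = (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
           b"User-Agent: Mozilla/4.0 (compatible; MSIE 1.0; Windows NT; CMD3)\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("TDSS over CONNECT", TDSS_REQ),
                      ("normal proxy CONNECT", PROXY_REQ),
                      ("TDSS UA over GET", GET_REQ)):
        print(f"{name}: {'ALERT' if rule_matches(req) else 'no match'}")
```

The ordinary proxy CONNECT does not fire because the UA content, not the method alone, is the discriminator; the GET case shows what the rule misses if the method restriction is kept, which is the trade-off Michael raised.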


