[Emerging-Sigs] Strange UDP Trojan check-in

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 4 23:13:43 EDT 2011


Posted!


On Oct 4, 2011, at 6:11 PM, Kevin Ross wrote:

> And a quick one for the POST.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zeus Variant Post to CnC Server"; flow:established,to_server; content:"POST"; http_method; content:"/gameover2.php"; http_uri; classtype:trojan-activity; sid:1349991; rev:1;)
> 
> Kev
> 
> On 4 October 2011 21:38, Martin Holste <mcholste at gmail.com> wrote:
> I sat down and finally got familiar with all of the byte_* operators,
> and I think this one will work the best (confirmed against pcap):
> 
> alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET TROJAN ZeuS P2P Communication"; byte_extract:4,63,padding; byte_test:4,=,padding,67; dsize:72; sid:1; rev:1;)
> 
> This checks that the UDP payload is exactly 72 bytes and that the
> bytes 63-66 match bytes 67-71 (eight bytes in a row that are
> identical).  It should be pretty accurate and very fast.  I put in the
> not DNS port there since only high ports are used and this should make
> the load essentially non-existent.  That should also alleviate FP's,
> though I doubt there will be many if any.
> 
> On Tue, Oct 4, 2011 at 3:13 PM, Nathan <nathan at packetmail.net> wrote:
> > On Tue, 4 Oct 2011 13:20:17 -0500 Martin Holste <mcholste at gmail.com> wrote
> >
> >> Does anyone have some advice on a signature for the UDP last nine bytes?
> >
> > Here is my attempt, caveat, it may not even run, I'm shooting from the hip for
> > discussion.  The PCRE back reference should be good to match the last 9 bytes
> > repeating, until end of string.  I feel good about the PCRE.
> >
> > The dsize and byte_jump are suspect, dsize should be ok it's byte_jump and
> > doe_ptr with respect to PCRE /R that I'm unsure about.
> >
> > Do we need to adjust dsize for UDP header size?
> > Does doe_ptr become relative to PCRE /R?  If not, we need to drop it.
> > Do we also need the /O flag for PCRE?
> >
> > I believe /B is needed as is /s but I am open to correction.
> >
> > #Does 1023: here make sense?
> > alert udp $HOME_NET 1023: -> $EXTERNAL_NET 1023: (msg:"ET CURRENT_EVENTS ZeuS P2P Communication over UDP"; dsize:114; byte_jump:1,70; pcre:"/(.)\1{8}$/BRs"; classtype:trojan-activity; sid:x; rev:1;)
> >
> > PCRE version 8.02 2010-03-19
> >
> >  re> /(.)\1{8}$/
> > data> abcdefghi
> > No match
> > data> aaaaaaaaa
> >  0: aaaaaaaaa
> >  1: a
> > data> aaabbaaaa
> > No match
> > data> hoorayaaaaaaaaa
> >  0: aaaaaaaaa
> >  1: a
> > data>
> >
> > Thanks,
> > Nathan
> >
> >
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
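The two payload checks discussed in the thread, emulated in Python as an added example (this is not code from the thread or from the Emerging Threats ruleset): Martin's byte_extract/byte_test comparison with dsize:72, and the `/(.)\1{8}$/s` back-reference from Nathan's draft (only the PCRE part is emulated; his dsize and byte_jump are left aside). The sample payloads are constructed, not captured traffic, and are chosen to show where the two checks agree and where they differ.

```python
import re

# Offsets taken from Martin's rule:
#   byte_extract:4,63,padding; byte_test:4,=,padding,67; dsize:72
PAYLOAD_LEN = 72
FIRST_OFF = 63   # byte_extract reads 4 bytes at offset 63 (bytes 63..66)
SECOND_OFF = 67  # byte_test compares 4 bytes at offset 67 (bytes 67..70)
WIDTH = 4

# Nathan's PCRE: nine identical bytes at the very end of the payload.
# re.DOTALL corresponds to the /s flag so '.' also matches 0x0a.
TRAILING_REPEAT = re.compile(rb"(.)\1{8}$", re.DOTALL)


def matches_byte_test(payload: bytes) -> bool:
    """Emulate dsize:72 plus the byte_extract/byte_test pair.

    Note that this compares two 4-byte windows, so a repeated 4-byte
    pattern (e.g. ABCDABCD) satisfies it even when the bytes differ.
    """
    if len(payload) != PAYLOAD_LEN:
        return False
    first = payload[FIRST_OFF:FIRST_OFF + WIDTH]
    second = payload[SECOND_OFF:SECOND_OFF + WIDTH]
    return first == second


def matches_pcre(payload: bytes) -> bool:
    """Emulate /(.)\\1{8}$/s on the raw UDP payload (no length check)."""
    return TRAILING_REPEAT.search(payload) is not None


def classify(payload: bytes) -> dict:
    """Run both checks so the verdicts can be compared side by side."""
    return {"byte_test": matches_byte_test(payload),
            "pcre": matches_pcre(payload)}


# Constructed sample payloads (hypothetical, not from a pcap):
FILLER = bytes(range(63))                      # 63 distinct leading bytes
SAMPLE_HIT = FILLER + b"\x41" * 9              # 72 bytes, nine identical tail bytes
SAMPLE_PATTERN = FILLER + b"ABCDABCDX"         # 72 bytes, 4-byte pattern repeated
SAMPLE_LONG = FILLER + b"\x41" * 10            # 73 bytes: fails dsize:72

if __name__ == "__main__":
    for name, p in [("hit", SAMPLE_HIT), ("pattern", SAMPLE_PATTERN),
                    ("long", SAMPLE_LONG)]:
        print(name, classify(p))
```

SAMPLE_PATTERN fires Martin's check but not the PCRE, and SAMPLE_LONG the reverse, which is the practical difference between the two drafts.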


