[Emerging-Sigs] Strange UDP Trojan check-in

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 4 23:14:59 EDT 2011


Also posting.

We're going to dig further into the samples in our sandnet. (Apologies for being behind on the thread, lots of other things this week as well in the malware world!)

Matt


On Oct 4, 2011, at 6:11 PM, Kevin Ross wrote:

> And a quick one for the POST.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zeus Variant Post to CnC Server"; flow:established,to_server; content:"POST"; http_method; content:"/gameover2.php"; http_uri; classtype:trojan-activity; sid:1349991; rev:1;)
> 
> Kev
> 
> On 4 October 2011 21:38, Martin Holste <mcholste at gmail.com> wrote:
> I sat down and finally got familiar with all of the byte_* operators,
> and I think this one will work the best (confirmed against pcap):
> 
> alert udp $HOME_NET any -> $EXTERNAL_NET !53 (msg:"ET TROJAN ZeuS P2P Communication"; byte_extract:4,63,padding; byte_test:4,=,padding,67; dsize:72; sid:1; rev:1;)
> 
> This checks that the UDP payload is exactly 72 bytes and that the
> bytes 63-66 match bytes 67-71 (eight bytes in a row that are
> identical).  It should be pretty accurate and very fast.  I put in the
> not DNS port there since only high ports are used and this should make
> the load essentially non-existent.  That should also alleviate FP's,
> though I doubt there will be many if any.
> 
> On Tue, Oct 4, 2011 at 3:13 PM, Nathan <nathan at packetmail.net> wrote:
> > On Tue, 4 Oct 2011 13:20:17 -0500 Martin Holste <mcholste at gmail.com> wrote
> >
> >> Does anyone have some advice on a signature for the UDP last nine bytes?
> >
> > Here is my attempt, caveat, it may not even run, I'm shooting from the hip for
> > discussion.  The PCRE back reference should be good to match the last 9 bytes
> > repeating, until end of string.  I feel good about the PCRE.
> >
> > The dsize and byte_jump are suspect, dsize should be ok it's byte_jump and
> > doe_ptr with respect to PCRE /R that I'm unsure about.
> >
> > Do we need to adjust dsize for UDP header size?
> > Does doe_ptr become relative to PCRE /R?  If not, we need to drop it.
> > Do we also need the /O flag for PCRE?
> >
> > I believe /B is needed as is /s but I am open to correction.
> >
> > #Does 1023: here make sense?
> > alert udp $HOME_NET 1023: -> $EXTERNAL_NET 1023: (msg:"ET CURRENT_EVENTS ZeuS P2P Communication over UDP"; dsize:114; byte_jump:1,70; pcre:"/(.)\1{8}$/BRs"; classtype:trojan-activity; sid:x; rev:1;)
> >
> > PCRE version 8.02 2010-03-19
> >
> >  re> /(.)\1{8}$/
> > data> abcdefghi
> > No match
> > data> aaaaaaaaa
> >  0: aaaaaaaaa
> >  1: a
> > data> aaabbaaaa
> > No match
> > data> hoorayaaaaaaaaa
> >  0: aaaaaaaaa
> >  1: a
> > data>
> >
> > Thanks,
> > Nathan
> >
> >
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
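To see exactly what the two proposed rules test, here is an added Python emulation (my own code, not from the thread or the ET ruleset) of Martin's dsize/byte_extract/byte_test check and of Nathan's PCRE, run over constructed UDP payloads. Nathan's byte_jump/doe_ptr positioning is not modelled, and make_payload, classify and the sample payloads are constructions for this example.

```python
import re
import struct


def martin_rule_matches(payload: bytes) -> bool:
    """dsize:72; byte_extract:4,63,padding; byte_test:4,=,padding,67

    Four bytes at offset 63 must equal the four bytes at offset 67, so the
    compare covers offsets 63-70; the final byte (offset 71) is not checked.
    """
    if len(payload) != 72:  # dsize counts UDP payload only, not the header
        return False
    padding = struct.unpack_from(">I", payload, 63)[0]  # byte_extract, big-endian default
    value = struct.unpack_from(">I", payload, 67)[0]    # byte_test reads 4 bytes at 67
    return padding == value


# Regex from Nathan's rule as bytes; DOTALL mirrors the /s modifier so '.'
# also matches 0x0a, which matters for binary payloads.
NATHAN_PCRE = re.compile(rb"(.)\1{8}$", re.DOTALL)


def nathan_pcre_matches(payload: bytes) -> bool:
    """dsize:114; pcre:"/(.)\\1{8}$/s" - the last nine bytes are one repeated byte.

    Caveat: '$' also matches just before a trailing 0x0a, so nine equal bytes
    followed by a newline would match too; '\\Z' would be the stricter anchor.
    """
    if len(payload) != 114:
        return False
    return NATHAN_PCRE.search(payload) is not None


def make_payload(total_len: int, tail_byte: int, tail_len: int = 9) -> bytes:
    """Constructed sample: non-repeating filler followed by tail_len identical bytes."""
    head = bytes(i & 0xFF for i in range(total_len - tail_len))
    return head + bytes([tail_byte]) * tail_len


def classify(payload: bytes) -> list:
    """Names of the emulated rules that fire on a payload."""
    hits = []
    if martin_rule_matches(payload):
        hits.append("martin_byte_test_72")
    if nathan_pcre_matches(payload):
        hits.append("nathan_pcre_114")
    return hits


if __name__ == "__main__":
    for name, p in {"72B, nine-byte tail": make_payload(72, 0x41),
                    "72B, no repeat": bytes(range(72)),
                    "114B, nine NUL tail": make_payload(114, 0x00),
                    "114B, tail broken": make_payload(114, 0x41)[:-1] + b"B"}.items():
        print(f"{name:22s} -> {classify(p)}")
```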
