[Emerging-Sigs] Win32/Pasta Downloader: False-Positives or Real Threat

Gary LeMontesque III spinnaker717 at gmail.com
Fri Oct 7 16:07:35 EDT 2011


*Rule:*
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; \
    flow:established,to_server; \
    content:"GET"; depth:4; \
    content:".gif?"; nocase; http_uri; \
    content:"t="; nocase; http_uri; \
    content:"q="; nocase; http_uri; \
    content:"p="; nocase; http_uri; \
    content:"pn="; nocase; http_uri; \
    classtype:trojan-activity; \
    reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; \
    reference:url,doc.emergingthreats.net/2009522; \
    reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pasta; \
    sid:2009522; rev:3; )


*Issue:*
We are receiving a high level of false positives because of image beaconing
from MSN & Google Analytics.

     MSN triggers GET:   /c.gif?
     Google triggers GET:   __utm.gif?

How can the rule be modified to exclude that content in the GET string if it
comes from the IPs in question?


*Possible Rule Modification:*
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; \
    flow:established,to_server; \
    content:"GET"; depth:4; \
    content:".gif?"; nocase; http_uri; \
    content:!"c.gif?"; nocase; http_uri; \
    content:!"__utm.gif?"; nocase; http_uri; \
    content:"t="; nocase; http_uri; \
    content:"q="; nocase; http_uri; \
    content:"p="; nocase; http_uri; \
    content:"pn="; nocase; http_uri; \
    classtype:trojan-activity; \
    reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; \
    reference:url,doc.emergingthreats.net/2009522; \
    reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pasta; \
    sid:2009522; rev:3; )

*Packet Data:*

GET /c.gif?dv.ContntTp=video&dv.pti=60&dv.tvl=689&dv.vform=short&dv.pyl=msnbc&dv.apg=MSVNPD&dv.frb=&mk=en-us&&st.dpt=msnbc&st.sdpt=thelastword&st.sec=323e05da-e8d8-4c67-8225-865dfb593f36&st.ssec=n_lw_04fine_111005&hl=Impact%20of%20Steve%20Jobs%20on%20technology&pn=n_lw_04fine_111005&di=15755&cts=1318000139450&rid=1cfd1896208436ad86e047d2e1f2e92f&evt=contentcontinue&cu=http://www.msnbc.msn.com/id/21134540/vp/44798430_44798430&rf=http://www.google.com/url?url=http://www.msnbc.msn.com/id/21134540/vp/44798430%25252344798430_rct=j_sa=X_ctbm=vid_ei=dhCPTszuOMaHsgKz9MmcAQ_ved=0CF0QuAIwAw_q=steve+jobs_usg=AFQjCNFhoRaSC1D2K72DRaDDGcPpUyinwA&dv.plt=msnbc&dv.ts=2011-10-08T15:08:59Z&dv.zip= HTTP/1.1
Host: udc.msn.com
User-Agent: Mozilla/5.0 (Windows NT 5.2; WOW64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Cookie: s_vsn_msnbcom_1=1681538038756; CULTURE=EN-US; __qca=1197384628-57089562-70493921; mh=MSFT; MUID=BCB42A411ACE45E9B531F8E122AD28F0; MC1=V=3&GUID=aa2f5889dfc74ca4906e09ce2eba54af; MH=MSFT; slideshow=A:0; Sample=79
Cache-Control: max-stale=0
Connection: Keep-Alive

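As an added example (not code from the original post or from the ET rule set), the script below models the rule's http_uri content checks as plain substring tests to show why the MSN and Google beacons trip the original signature and what the negated contents in the proposed revision suppress. MSN_BEACON is assembled from fragments of the c.gif request in the post; the other URIs and the anchored "/c.gif?" variant are assumptions introduced here for illustration.

```python
"""Replay sid:2009522's http_uri content checks against sample request URIs.

Added example, not code from the original post or from the ET ruleset. It
models only the content/nocase/negation options on http_uri as plain
case-insensitive substring tests (real Snort also normalises the URI and
evaluates the other rule options), which is enough to show why the MSN
c.gif beacon trips the original rule and what the negated contents in the
proposed revision do and do not suppress.
"""

# http_uri contents common to the original rule and the proposed revision.
REQUIRED = [".gif?", "t=", "q=", "p=", "pn="]
# Negated contents (content:!"...") that the proposed revision adds.
EXCLUDED = ["c.gif?", "__utm.gif?"]
# Tighter alternative (assumption, not in the post): anchoring on the leading
# slash suppresses the exact beacon path, not every filename ending in "c.gif".
EXCLUDED_ANCHORED = ["/c.gif?", "/__utm.gif?"]


def rule_matches(uri, excluded=()):
    """True when every required token is a substring of uri (nocase) and
    none of the negated tokens is, i.e. the modelled rule would alert."""
    u = uri.lower()
    if not all(tok in u for tok in REQUIRED):
        return False
    return not any(tok in u for tok in excluded)


def explain(uri):
    """Per-token hit map, so an analyst can see which substrings fired."""
    u = uri.lower()
    return {tok: (tok in u) for tok in REQUIRED}


# Sample URIs. MSN_BEACON is built from fragments of the c.gif request in the
# post; the others are constructed to the shape of the traffic discussed.
MSN_BEACON = ("/c.gif?dv.ContntTp=video&dv.pti=60&st.dpt=msnbc"
              "&pn=n_lw_04fine_111005&rf=http://www.google.com/url?q=steve")
GA_BEACON = "/__utm.gif?utmt=event&utmp=%2F&utmr=http://www.google.com/search?q=x&pn=1"
CHECKIN = "/images/logo.gif?t=1&q=2&p=3&pn=4"       # rule-shaped, constructed
ENDS_IN_C = "/pic.gif?t=1&q=2&p=3&pn=4"             # constructed lookalike

if __name__ == "__main__":
    for name, uri in [("msn", MSN_BEACON), ("ga", GA_BEACON),
                      ("checkin", CHECKIN), ("pic.gif", ENDS_IN_C)]:
        print(f"{name:8} original={rule_matches(uri)!s:5} "
              f"revised={rule_matches(uri, EXCLUDED)!s:5} "
              f"anchored={rule_matches(uri, EXCLUDED_ANCHORED)}")
```

The "pic.gif" row shows the cost of an unanchored negation: the revision stops alerting on any URI whose filename merely ends in "c.gif", whereas the anchored form only drops the "/c.gif?" path itself.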