[Emerging-Sigs] Win32/Pasta Downloader: False-Positives or Real Threat

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 11 06:34:05 EDT 2011


That's a great change, thanks Gary. Pedro, can you get that posted?

Thanks Gary!

Matt


On Oct 7, 2011, at 4:07 PM, Gary LeMontesque III wrote:

> Rule: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET"; depth:4; content:".gif?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; classtype:trojan-activity; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pasta; sid:2009522; rev:3; )
> 
> 
> Issue:
> We are receiving a high level of false positives because of image beaconing from MSN & Google Analytics.
> 
>      MSN triggers GET:   /c.gif?
>      Google triggers GET:   __utm.gif?
> 
> How can the rule be modified to exclude that content in the GET string if it comes from the IPs in question?
> 
> 
> Possible Rule Modification:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET"; depth:4; content:".gif?"; nocase; http_uri; content:!"c.gif?"; nocase; http_uri; content:!"__utm.gif?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; classtype:trojan-activity; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pasta; sid:2009522; rev:3; )
> 
> 
> Packet Data:
> 00 1b 17 00 01 11 58 8d 09 c9 9c 44 08 00 45 00
> 05 25 b4 cf 00 00 3f 06 5e b7 0a 25 1a d5 41 37
> fd 1b 4c 9c 00 50 af 0f 35 e1 e5 22 8d d9 80 18
> ff ff 5c f1 00 00 01 01 08 0a 57 15 02 fa de ed
> cf 2f 47 45 54 20 2f 63 2e 67 69 66 3f 64 76 2e
> 43 6f 6e 74 6e 74 54 70 3d 76 69 64 65 6f 26 64
> 76 2e 70 74 69 3d 36 30 26 64 76 2e 74 76 6c 3d
> 36 38 39 26 64 76 2e 76 66 6f 72 6d 3d 73 68 6f
> 72 74 26 64 76 2e 70 79 6c 3d 6d 73 6e 62 63 26
> 64 76 2e 61 70 67 3d 4d 53 56 4e 50 44 26 64 76
> 2e 66 72 62 3d 26 6d 6b 3d 65 6e 2d 75 73 26 26
> 73 74 2e 64 70 74 3d 6d 73 6e 62 63 26 73 74 2e
> 73 64 70 74 3d 74 68 65 6c 61 73 74 77 6f 72 64
> 26 73 74 2e 73 65 63 3d 33 32 33 65 30 35 64 61
> 2d 65 38 64 38 2d 34 63 36 37 2d 38 32 32 35 2d
> 38 36 35 64 66 62 35 39 33 66 33 36 26 73 74 2e
> 73 73 65 63 3d 6e 5f 6c 77 5f 30 34 66 69 6e 65
> 5f 31 31 31 30 30 35 26 68 6c 3d 49 6d 70 61 63
> 74 25 32 30 6f 66 25 32 30 53 74 65 76 65 25 32
> 30 4a 6f 62 73 25 32 30 6f 6e 25 32 30 74 65 63
> 68 6e 6f 6c 6f 67 79 26 70 6e 3d 6e 5f 6c 77 5f
> 30 34 66 69 6e 65 5f 31 31 31 30 30 35 26 64 69
> 3d 31 35 37 35 35 26 63 74 73 3d 31 33 31 38 30
> 30 30 31 33 39 34 35 30 26 72 69 64 3d 31 63 66
> 64 31 38 39 36 32 30 38 34 33 36 61 64 38 36 65
> 30 34 37 64 32 65 31 66 32 65 39 32 66 26 65 76
> 74 3d 63 6f 6e 74 65 6e 74 63 6f 6e 74 69 6e 75
> 65 26 63 75 3d 68 74 74 70 3a 2f 2f 77 77 77 2e
> 6d 73 6e 62 63 2e 6d 73 6e 2e 63 6f 6d 2f 69 64
> 2f 32 31 31 33 34 35 34 30 2f 76 70 2f 34 34 37
> 39 38 34 33 30 5f 34 34 37 39 38 34 33 30 26 72
> 66 3d 68 74 74 70 3a 2f 2f 77 77 77 2e 67 6f 6f
> 67 6c 65 2e 63 6f 6d 2f 75 72 6c 3f 75 72 6c 3d
> 68 74 74 70 3a 2f 2f 77 77 77 2e 6d 73 6e 62 63
> 2e 6d 73 6e 2e 63 6f 6d 2f 69 64 2f 32 31 31 33
> 34 35 34 30 2f 76 70 2f 34 34 37 39 38 34 33 30
> 25 32 35 32 35 32 33 34 34 37 39 38 34 33 30 5f
> 72 63 74 3d 6a 5f 73 61 3d 58 5f 63 74 62 6d 3d
> 76 69 64 5f 65 69 3d 64 68 43 50 54 73 7a 75 4f
> 4d 61 48 73 67 4b 7a 39 4d 6d 63 41 51 5f 76 65
> 64 3d 30 43 46 30 51 75 41 49 77 41 77 5f 71 3d
> 73 74 65 76 65 2b 6a 6f 62 73 5f 75 73 67 3d 41
> 46 51 6a 43 4e 46 68 6f 52 61 53 43 31 44 32 4b
> 37 32 44 52 61 44 44 47 63 50 70 55 79 69 6e 77
> 41 26 64 76 2e 70 6c 74 3d 6d 73 6e 62 63 26 64
> 76 2e 74 73 3d 32 30 31 31 2d 31 30 2d 30 38 54
> 31 35 3a 30 38 3a 35 39 5a 26 64 76 2e 7a 69 70
> 3d 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 74
> 3a 20 75 64 63 2e 6d 73 6e 2e 63 6f 6d 0d 0a 55
> 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f 7a 69 6c
> 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20
> 4e 54 20 35 2e 32 3b 20 57 4f 57 36 34 3b 20 72
> 76 3a 37 2e 30 2e 31 29 20 47 65 63 6b 6f 2f 32
> 30 31 30 30 31 30 31 20 46 69 72 65 66 6f 78 2f
> 37 2e 30 2e 31 0d 0a 41 63 63 65 70 74 3a 20 74
> 65 78 74 2f 68 74 6d 6c 2c 61 70 70 6c 69 63 61
> 74 69 6f 6e 2f 78 68 74 6d 6c 2b 78 6d 6c 2c 61
> 70 70 6c 69 63 61 74 69 6f 6e 2f 78 6d 6c 3b 71
> 3d 30 2e 39 2c 2a 2f 2a 3b 71 3d 30 2e 38 0d 0a
> 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a
> 20 65 6e 2d 75 73 2c 65 6e 3b 71 3d 30 2e 35 0d
> 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 6e 67
> 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d
> 0a 41 63 63 65 70 74 2d 43 68 61 72 73 65 74 3a
> 20 49 53 4f 2d 38 38 35 39 2d 31 2c 75 74 66 2d
> 38 3b 71 3d 30 2e 37 2c 2a 3b 71 3d 30 2e 37 0d
> 0a 43 6f 6f 6b 69 65 3a 20 73 5f 76 73 6e 5f 6d
> 73 6e 62 63 6f 6d 5f 31 3d 31 36 38 31 35 33 38
> 30 33 38 37 35 36 3b 20 43 55 4c 54 55 52 45 3d
> 45 4e 2d 55 53 3b 20 5f 5f 71 63 61 3d 31 31 39
> 37 33 38 34 36 32 38 2d 35 37 30 38 39 35 36 32
> 2d 37 30 34 39 33 39 32 31 3b 20 6d 68 3d 4d 53
> 46 54 3b 20 4d 55 49 44 3d 42 43 42 34 32 41 34
> 31 31 41 43 45 34 35 45 39 42 35 33 31 46 38 45
> 31 32 32 41 44 32 38 46 30 3b 20 4d 43 31 3d 56
> 3d 33 26 47 55 49 44 3d 61 61 32 66 35 38 38 39
> 64 66 63 37 34 63 61 34 39 30 36 65 30 39 63 65
> 32 65 62 61 35 34 61 66 3b 20 4d 48 3d 4d 53 46
> 54 3b 20 73 6c 69 64 65 73 68 6f 77 3d 41 3a 30
> 3b 20 53 61 6d 70 6c 65 3d 37 39 0d 0a 43 61 63
> 68 65 2d 43 6f 6e 74 72 6f 6c 3a 20 6d 61 78 2d
> 73 74 61 6c 65 3d 30 0d 0a 43 6f 6e 6e 65 63 74
> 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d
> 0a 0d 0a
> 
> ......X....D..E.
> .%....?.^..%..A7
> ..L..P..5.."....
> ..\.......W.....
> ./GET /c.gif?dv.
> ContntTp=video&d
> v.pti=60&dv.tvl=
> 689&dv.vform=sho
> rt&dv.pyl=msnbc&
> dv.apg=MSVNPD&dv
> .frb=&mk=en-us&&
> st.dpt=msnbc&st.
> sdpt=thelastword
> &st.sec=323e05da
> -e8d8-4c67-8225-
> 865dfb593f36&st.
> ssec=n_lw_04fine
> _111005&hl=Impac
> t%20of%20Steve%2
> 0Jobs%20on%20tec
> hnology&pn=n_lw_
> 04fine_111005&di
> =15755&cts=13180
> 00139450&rid=1cf
> d1896208436ad86e
> 047d2e1f2e92f&ev
> t=contentcontinu
> e&cu=http://www.
> msnbc.msn.com/id
> /21134540/vp/447
> 98430_44798430&r
> f=http://www.goo
> gle.com/url?url=
> http://www.msnbc
> .msn.com/id/2113
> 4540/vp/44798430
> %25252344798430_
> rct=j_sa=X_ctbm=
> vid_ei=dhCPTszuO
> MaHsgKz9MmcAQ_ve
> d=0CF0QuAIwAw_q=
> steve+jobs_usg=A
> FQjCNFhoRaSC1D2K
> 72DRaDDGcPpUyinw
> A&dv.plt=msnbc&d
> v.ts=2011-10-08T
> 15:08:59Z&dv.zip
> = HTTP/1.1..Host
> : udc.msn.com..U
> ser-Agent: Mozil
> la/5.0 (Windows 
> NT 5.2; WOW64; r
> v:7.0.1) Gecko/2
> 0100101 Firefox/
> 7.0.1..Accept: t
> ext/html,applica
> tion/xhtml+xml,a
> pplication/xml;q
> =0.9,*/*;q=0.8..
> Accept-Language:
> en-us,en;q=0.5.
> .Accept-Encoding
> : gzip, deflate.
> .Accept-Charset:
> ISO-8859-1,utf-
> 8;q=0.7,*;q=0.7.
> .Cookie: s_vsn_m
> snbcom_1=1681538
> 038756; CULTURE=
> EN-US; __qca=119
> 7384628-57089562
> -70493921; mh=MS
> FT; MUID=BCB42A4
> 11ACE45E9B531F8E
> 122AD28F0; MC1=V
> =3&GUID=aa2f5889
> dfc74ca4906e09ce
> 2eba54af; MH=MSF
> T; slideshow=A:0
> ; Sample=79..Cac
> he-Control: max-
> stale=0..Connect
> ion: Keep-Alive.
> ...
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
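Added example for this thread (not Emerging Threats or Snort code): a small emulation of the rule's content checks, replayed against the request line recovered from the packet dump above. It shows why sid:2009522 fires on the MSN beacon (the URI happens to contain ".gif?", "t=", "q=", "p=" and "pn=" as substrings), that negating "c.gif?" and "__utm.gif?" silences both beacons, and the side effect of a bare substring exclusion. Only the content / nocase / "!" semantics on http_uri are emulated; Snort's URI normalisation and flow tracking are not. The Google Analytics-style request and the two Pasta-style checkins are constructed for illustration and are not real traffic; the Pasta wire format is assumed only to the extent the rule itself describes it.

```python
"""Replay HTTP request lines through the content checks of ET sid:2009522.

Added example for the emerging-sigs thread, not Emerging Threats or Snort
code. It emulates the rule's absolute (non-relative) 'content' matches on
the http_uri buffer, with 'nocase' and '!' negation, and nothing else.
"""
from dataclasses import dataclass

# Request line + Host header recovered from the packet dump posted in the thread.
MSN_BEACON = (
    b"GET /c.gif?dv.ContntTp=video&dv.pti=60&dv.tvl=689&dv.vform=short"
    b"&dv.pyl=msnbc&dv.apg=MSVNPD&dv.frb=&mk=en-us&&st.dpt=msnbc"
    b"&st.sdpt=thelastword&st.sec=323e05da-e8d8-4c67-8225-865dfb593f36"
    b"&st.ssec=n_lw_04fine_111005&hl=Impact%20of%20Steve%20Jobs%20on%20technology"
    b"&pn=n_lw_04fine_111005&di=15755&cts=1318000139450"
    b"&rid=1cfd1896208436ad86e047d2e1f2e92f&evt=contentcontinue"
    b"&cu=http://www.msnbc.msn.com/id/21134540/vp/44798430_44798430"
    b"&rf=http://www.google.com/url?url=http://www.msnbc.msn.com/id/21134540"
    b"/vp/44798430%25252344798430_rct=j_sa=X_ctbm=vid_ei=dhCPTszuOMaHsgKz9MmcAQ"
    b"_ved=0CF0QuAIwAw_q=steve+jobs_usg=AFQjCNFhoRaSC1D2K72DRaDDGcPpUyinwA"
    b"&dv.plt=msnbc&dv.ts=2011-10-08T15:08:59Z&dv.zip= HTTP/1.1\r\n"
    b"Host: udc.msn.com\r\n\r\n"
)

# Constructed requests (not real samples): a Google Analytics-style beacon of
# the shape reported in the thread, and two hypothetical Pasta-style checkins
# built only to satisfy the rule's five positive http_uri matches.
GOOGLE_UTM = (b"GET /__utm.gif?utmwv=5&utmt=page&utmp=/search?q=pasta"
              b"&utmr=http://a.example/?pn=1 HTTP/1.1\r\nHost: ga.example\r\n\r\n")
PASTA_LIKE = b"GET /img/pixel.gif?t=1&q=2&p=3&pn=4 HTTP/1.1\r\nHost: c2.example\r\n\r\n"
PASTA_EDGE = b"GET /pic.gif?t=1&q=2&p=3&pn=4 HTTP/1.1\r\nHost: c2.example\r\n\r\n"


@dataclass(frozen=True)
class Content:
    """One 'content:' keyword applied to the http_uri buffer."""
    pattern: str
    negated: bool = False   # content:!"..."
    nocase: bool = True     # every http_uri match in sid:2009522 carries nocase


# The rule as shipped (rev:3): five positive substring matches on the URI.
ORIGINAL = [Content(".gif?"), Content("t="), Content("q="), Content("p="), Content("pn=")]
# The proposed change, with '!' on both beacon names.
MODIFIED = ORIGINAL[:1] + [Content("c.gif?", negated=True),
                           Content("__utm.gif?", negated=True)] + ORIGINAL[1:]
# Same idea anchored on the path separator, so only a bare /c.gif? is excluded.
ANCHORED = ORIGINAL[:1] + [Content("/c.gif?", negated=True),
                           Content("/__utm.gif?", negated=True)] + ORIGINAL[1:]


def uri_matches(uri: str, checks) -> bool:
    """Absolute content matches: every plain pattern must occur somewhere in the
    buffer and every negated pattern must be absent; order does not matter."""
    for c in checks:
        hay, needle = (uri.lower(), c.pattern.lower()) if c.nocase else (uri, c.pattern)
        if (needle in hay) == c.negated:
            return False
    return True


def rule_fires(request: bytes, checks) -> bool:
    """Apply content:"GET"; depth:4; on the raw payload, then the http_uri checks."""
    if b"GET" not in request[:4]:
        return False
    parts = request.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return False
    return uri_matches(parts[1].decode("ascii", "replace"), checks)


def evaluate(request: bytes) -> dict:
    """Which rule variants fire for one request."""
    return {name: rule_fires(request, checks) for name, checks in
            (("original", ORIGINAL), ("modified", MODIFIED), ("anchored", ANCHORED))}


SAMPLES = {"msn /c.gif?": MSN_BEACON, "google /__utm.gif?": GOOGLE_UTM,
           "pasta-style /img/pixel.gif?": PASTA_LIKE, "pasta-style /pic.gif?": PASTA_EDGE}

if __name__ == "__main__":
    print(f"{'request':30} original  modified  anchored")
    for name, req in SAMPLES.items():
        r = evaluate(req)
        print(f"{name:30} {r['original']!s:9} {r['modified']!s:9} {r['anchored']!s}")
```

Two points the table makes that are worth keeping in mind when the change goes in. First, a negated content is a plain substring test, so `content:!"c.gif?"` also suppresses any checkin whose image name merely ends in "c.gif" (the constructed /pic.gif? case); anchoring the exclusion as `!"/c.gif?"` keeps the MSN beacon out without that loss. Second, if the false positives really are confined to a few known destinations, the usual way to handle that without touching the signature is a `suppress` entry keyed on sid 2009522 and `track by_dst` for those addresses, which leaves the rule's coverage intact elsewhere. Either way the edited rule should get a new `rev` so downstream consumers see the change.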


