[Emerging-Sigs] Win32/Pasta Downloader: False-Positives or Real Threat

Victor Julien lists at inliniac.net
Tue Oct 11 12:14:15 EDT 2011


On 10/11/2011 12:34 PM, Matthew Jonkman wrote:
> That's a great change, thanks Gary. Pedro, can you get that posted?

I think replacing "content:"GET"; depth:4;" by "content:"GET";
http_method;" would make sense.

Cheers,
Victor

> Thanks Gary!
> 
> Matt
> 
> 
> On Oct 7, 2011, at 4:07 PM, Gary LeMontesque III wrote:
> 
>> Rule: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET"; depth:4; content:".gif?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; classtype:trojan-activity; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pasta; sid:2009522; rev:3; )
>>
>>
>> Issue:
>> We are receiving a high level of false positives because of image beaconing from MSN & Google Analytics.
>>
>>      MSN triggers GET:   /c.gif?
>>      Google triggers GET:   __utm.gif?
>>
>> How can the rule be modified to exclude that content in the GET string if it comes from the IPs in question?
>>
>>
>> Possible Rule Modification:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pasta Downloader - GET Checkin to Fake GIF"; flow:established,to_server; content:"GET"; depth:4; content:".gif?"; nocase; http_uri; content:!"c.gif?"; nocase; http_uri; content:!"__utm.gif?"; nocase; http_uri; content:"t="; nocase; http_uri; content:"q="; nocase; http_uri; content:"p="; nocase; http_uri; content:"pn="; nocase; http_uri; classtype:trojan-activity; reference:url,malwarebytes.org/malwarenet.php?name=Trojan.Pasta; reference:url,doc.emergingthreats.net/2009522; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pasta; sid:2009522; rev:3; )
>>
>>
>> Packet Data:
>>
>> ......X....D..E.
>> .%....?.^..%..A7
>> ..L..P..5.."....
>> ..\.......W.....
>> ./GET /c.gif?dv.
>> ContntTp=video&d
>> v.pti=60&dv.tvl=
>> 689&dv.vform=sho
>> rt&dv.pyl=msnbc&
>> dv.apg=MSVNPD&dv
>> .frb=&mk=en-us&&
>> st.dpt=msnbc&st.
>> sdpt=thelastword
>> &st.sec=323e05da
>> -e8d8-4c67-8225-
>> 865dfb593f36&st.
>> ssec=n_lw_04fine
>> _111005&hl=Impac
>> t%20of%20Steve%2
>> 0Jobs%20on%20tec
>> hnology&pn=n_lw_
>> 04fine_111005&di
>> =15755&cts=13180
>> 00139450&rid=1cf
>> d1896208436ad86e
>> 047d2e1f2e92f&ev
>> t=contentcontinu
>> e&cu=http://www.
>> msnbc.msn.com/id
>> /21134540/vp/447
>> 98430_44798430&r
>> f=http://www.goo
>> gle.com/url?url=
>> http://www.msnbc
>> .msn.com/id/2113
>> 4540/vp/44798430
>> %25252344798430_
>> rct=j_sa=X_ctbm=
>> vid_ei=dhCPTszuO
>> MaHsgKz9MmcAQ_ve
>> d=0CF0QuAIwAw_q=
>> steve+jobs_usg=A
>> FQjCNFhoRaSC1D2K
>> 72DRaDDGcPpUyinw
>> A&dv.plt=msnbc&d
>> v.ts=2011-10-08T
>> 15:08:59Z&dv.zip
>> = HTTP/1.1..Host
>> : udc.msn.com..U
>> ser-Agent: Mozil
>> la/5.0 (Windows 
>> NT 5.2; WOW64; r
>> v:7.0.1) Gecko/2
>> 0100101 Firefox/
>> 7.0.1..Accept: t
>> ext/html,applica
>> tion/xhtml+xml,a
>> pplication/xml;q
>> =0.9,*/*;q=0.8..
>> Accept-Language:
>> en-us,en;q=0.5.
>> .Accept-Encoding
>> : gzip, deflate.
>> .Accept-Charset:
>> ISO-8859-1,utf-
>> 8;q=0.7,*;q=0.7.
>> .Cookie: s_vsn_m
>> snbcom_1=1681538
>> 038756; CULTURE=
>> EN-US; __qca=119
>> 7384628-57089562
>> -70493921; mh=MS
>> FT; MUID=BCB42A4
>> 11ACE45E9B531F8E
>> 122AD28F0; MC1=V
>> =3&GUID=aa2f5889
>> dfc74ca4906e09ce
>> 2eba54af; MH=MSF
>> T; slideshow=A:0
>> ; Sample=79..Cac
>> he-Control: max-
>> stale=0..Connect
>> ion: Keep-Alive.
>> ...
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
> 
> 
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
> 
> 


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
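Added example, not code from the thread or from the Emerging Threats ruleset: it evaluates the rule's http_uri content checks against a few sample URIs (the MSN one is abbreviated from the request in the thread, the rest are constructed) to show why the original rule fires on analytics beacons, how the negated "c.gif?" and "__utm.gif?" checks suppress them, and the side effect that a substring negation also excludes any URI merely containing that substring.

```python
# Independent (non-relative) Snort content checks are evaluated the same way
# here: every plain pattern must occur somewhere in the buffer, every negated
# ("!") pattern must occur nowhere; nocase makes the comparison case-insensitive.

# Sample URIs (constructed for the demo; the MSN one is cut down from the thread)
MSN_BEACON = ("/c.gif?dv.ContntTp=video&st.dpt=msnbc&pn=n_lw_04fine_111005"
              "&evt=contentcontinue&rf=http://www.google.com/url?url=x_q=steve+jobs")
GA_BEACON = "/__utm.gif?utmt=event&utmp=%2Fhome&utmr=http://example.test/s?q=a&pn=1"
FAKE_GIF_CHECKIN = "/logo.gif?t=1&q=2&p=3&pn=4"   # stands in for a downloader check-in
UNRELATED_PIC = "/pic.gif?t=1&q=2&p=3&pn=4"       # note: "pic.gif?" contains "c.gif?"

# (pattern, negated); every check in the rule carries nocase; http_uri
ORIGINAL_RULE = [(".gif?", False), ("t=", False), ("q=", False),
                 ("p=", False), ("pn=", False)]
AMENDED_RULE = [(".gif?", False), ("c.gif?", True), ("__utm.gif?", True),
                ("t=", False), ("q=", False), ("p=", False), ("pn=", False)]


def uri_alerts(uri, checks):
    """True when every content check in `checks` is satisfied by `uri`."""
    hay = uri.lower()                       # nocase: compare case-insensitively
    for pattern, negated in checks:
        present = pattern.lower() in hay
        if present == negated:              # plain check missing, or negated check found
            return False
    return True


def compare_rules(uris):
    """Map each URI to (alerts under original rule, alerts under amended rule)."""
    return {u: (uri_alerts(u, ORIGINAL_RULE), uri_alerts(u, AMENDED_RULE)) for u in uris}


if __name__ == "__main__":
    samples = [MSN_BEACON, GA_BEACON, FAKE_GIF_CHECKIN, UNRELATED_PIC]
    for uri, (orig, amended) in compare_rules(samples).items():
        print(f"{uri[:28]:<30} original={orig!s:<5} amended={amended}")
```

The generic "t=", "q=", "p=", "pn=" substrings are satisfied by almost any tracking URI, which is the real source of the false positives; the negations stop the two known beacons but also drop a "/pic.gif?" check-in, so the fix narrows rather than sharpens the signature.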


