[Emerging-Sigs] W32.Duqu

Jaime Blasco jaime.blasco at alienvault.com
Tue Oct 18 14:01:04 EDT 2011


Hi,

As many of you will know, Symantec has just published a report about
W32.Duqu:

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

They claim that it's the new Stuxnet because a lot of code has been shared
between Stuxnet and W32.Duqu. Draw your own conclusions after reading the
report.

Anyway, with the information we have it's difficult to write a rule; we have
two different channels: 443, which uses a binary protocol, and HTTP.

For HTTP, the report says that the following request is made to the C&C:

POST / HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
Content-Type: multipart/form-data; boundary=---------------------------77eb5cc2cc0add
Cookie: PHPSESSID=<some id removed here>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)
Content-Length: 891
Host: 206.[REMOVED].97
---------------------------<some id>
Content-Disposition: form-data; name="DSC00001.jpg"
Content-Type: image/jpeg
......JFIF.....`.`.....C.........................................
...
.........
.........C.......................................................................6.6.."....................
..................
.....................}........!1A..Qa."q.2....#B...R..$3br..
.....%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.........................................................
...............................................
.....................w.......!1..AQ.aq."2...B.....#3R..br.
.$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwx

The report also says that the user-agent is hardcoded, as is the name of
the "file" being transmitted ("DSC00001.jpg").

With this information I think we can write the following rule and wait to
see if we have a match or we can obtain a binary/pcap to improve it:

# The Content-Disposition line sits in the multipart POST body, not among the
# HTTP headers, so it is matched against http_client_body rather than http_header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
  msg:"ET MALWARE W32.DUQU detected"; \
  flow:to_server,established; \
  content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; nocase; http_header; \
  content:"Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|"; nocase; http_client_body; \
  reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; \
  classtype:policy-violation; sid:111111; rev:1; \
)


Best Regards


-- 
_______________________________

Jaime Blasco

www.ossim.com
www.alienvault.com
Email: jaime.blasco at alienvault.com

http://twitter.com/jaimeblascob
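As an added illustration (not part of Jaime's message, the Symantec report, or the ET ruleset), the following Python re-implements the rule's two content checks over constructed sample requests, so the logic can be exercised without a pcap. The host address, PHPSESSID value, multipart boundary and the JFIF stub are constructed placeholders, not real indicators; only the User-Agent string and the "DSC00001.jpg" part name come from the report. It also shows why the Content-Disposition match has to be run against the POST body rather than the HTTP headers.

```python
import re

# Known-bad values quoted in the Symantec report and the rule above.
DUQU_USER_AGENT = (
    b"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) "
    b"Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
)
DUQU_PART_NAME = b'name="DSC00001.jpg"'

# Constructed sample data (not captured traffic): the boundary is a placeholder
# and the "JPEG" is only a JFIF header stub followed by padding.
BOUNDARY = b"---------------------------77eb5cc2cc0add"
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00" + b"\x00" * 32


def build_request(user_agent: bytes, part_name: bytes) -> bytes:
    """Assemble a multipart/form-data POST shaped like the one in the report."""
    body = b"".join([
        b"--", BOUNDARY, b"\r\n",
        b"Content-Disposition: form-data; ", part_name, b"\r\n",
        b"Content-Type: image/jpeg\r\n\r\n", FAKE_JPEG, b"\r\n",
        b"--", BOUNDARY, b"--\r\n",
    ])
    headers = b"".join([
        b"POST / HTTP/1.1\r\n",
        b"Cache-Control: no-cache\r\n",
        b"Connection: Keep-Alive\r\n",
        b"Pragma: no-cache\r\n",
        b"Content-Type: multipart/form-data; boundary=", BOUNDARY, b"\r\n",
        b"Cookie: PHPSESSID=placeholdersessionid\r\n",   # placeholder, not a real id
        b"User-Agent: ", user_agent, b"\r\n",
        b"Content-Length: ", str(len(body)).encode(), b"\r\n",
        b"Host: 192.0.2.10\r\n\r\n",                      # documentation-range placeholder
    ])
    return headers + body


def split_request(raw: bytes):
    """Split a raw request into (request line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def match_duqu_http(raw: bytes) -> dict:
    """Apply the rule's two content checks, case-insensitively like 'nocase'."""
    request_line, headers, body = split_request(raw)
    # First check: hardcoded User-Agent, looked up in the header buffer.
    ua_hit = DUQU_USER_AGENT.lower() in headers.get(b"user-agent", b"").lower()
    # Second check: the Content-Disposition line is inside the multipart body,
    # so it must be searched in the body (Snort's http_client_body buffer);
    # a header-only search would never see it.
    disp_hit = re.search(
        rb"content-disposition:\s*form-data;\s*" + re.escape(DUQU_PART_NAME),
        body, re.IGNORECASE) is not None
    return {
        "post": request_line.startswith(b"POST "),
        "user_agent": ua_hit,
        "part_name": disp_hit,
        "match": ua_hit and disp_hit,
    }


if __name__ == "__main__":
    duqu = build_request(DUQU_USER_AGENT, DUQU_PART_NAME)
    # Same camera-style file name but a different browser: should not fire.
    benign = build_request(
        b"Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0",
        DUQU_PART_NAME)
    print(match_duqu_http(duqu))
    print(match_duqu_http(benign))
```

Requiring both conditions matters: "DSC00001.jpg" is a default camera file name that legitimate uploads can carry, and the Firefox 3.6.9 User-Agent alone is just an old browser, so either one by itself would be a noisy indicator.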