[Emerging-Sigs] W32.Duqu

Kevin Ross kevross33 at googlemail.com
Wed Oct 19 04:13:06 EDT 2011


I just posted one of my sigs which detects POSTs of JPEGs

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN POST of JPEG to External Web Server - Possible Trojan Data Exfiltration/CnC Technique"; flow:established,to_server; content:"POST"; http_method; content:"|FF D8 FF E0|"; http_client_body; depth:4; content:"|4A 46 49 46 00|"; http_client_body; distance:2; within:5; classtype:trojan-activity; sid:198371; rev:1;)

Should work ok for this too assuming FPs are ok. Kevin



On 18 October 2011 19:01, Jaime Blasco <jaime.blasco at alienvault.com> wrote:

> Hi,
>
> As many of you will know, Symantec has just published a report about
> W32.Duqu:
>
>
> http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
>
> They claim that it's the new Stuxnet because a lot of code has been shared
> between Stuxnet and W32.Duqu. Draw your own conclusions after reading the
> report.
>
> Anyway, with the information we have it's difficult to write a rule, we
> have two different channels, 443 that uses a binary protocol and HTTP.
>
> For HTTP, the report says that the following request is made to the C&C:
>
> POST / HTTP/1.1
> Cache-Control: no-cache
> Connection: Keep-Alive
> Pragma: no-cache
> Content-Type: multipart/form-data; boundary=---------------------------77eb5cc2cc0add
> Cookie: PHPSESSID=<some id removed here>
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)
> Content-Length: 891
> Host: 206.[REMOVED].97
> ---------------------------<some id>
> Content-Disposition: form-data; name="DSC00001.jpg"
> Content-Type: image/jpeg
> ......JFIF.....`.`.....C.........................................
> ...
> .........
>
> .........C.......................................................................6.6.."....................
> ..................
> .....................}........!1A..Qa."q.2....#B...R..$3br..
>
> .....%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz.........................................................
> ...............................................
> .....................w.......!1..AQ.aq."2...B.....#3R..br.
> .$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwx
>
> The report also says that the user-agent is hardcoded as well as the name
> of the "file" being transmitted ("DSC00001.jpg").
>
> With this information I think we can write the following rule and wait to
> see if we have a match or we can obtain a binary/pcap to improve it:
>
> # Content-Disposition is a MIME part header inside the POST body, so it is matched in http_client_body, not http_header
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32.DUQU detected"; flow:to_server,established; content:"User-Agent|3a| Mozilla/5.0 (Windows|3b| U|3b| Windows NT 6.0|3b| en-US|3b| rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; nocase; http_header; content:"Content-Disposition|3A| form-data|3b| name=|22|DSC00001.jpg|22|"; nocase; http_client_body; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:policy-violation; sid:111111; rev:1;)
>
>
> Best Regards
>
>
> --
> _______________________________
>
> Jaime Blasco
>
> www.ossim.com
> www.alienvault.com
> Email: jaime.blasco at alienvault.com
>
> http://twitter.com/jaimeblascob
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
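Added illustration, not part of Kevin's or Jaime's message: a small Python checker that applies the matching logic of the two Snort rules in this thread to a raw HTTP request, so the effect of the content modifiers can be tried on a sample offline. It tests the hard-coded User-Agent and the DSC00001.jpg part name from Jaime's rule, and the JFIF byte-offset test from Kevin's rule (FF D8 FF E0 at offset 0, skip the 2-byte length, then 4A 46 49 46 00), applied here to the body of each multipart part. The request sample, boundary, cookie value and host address are constructed; the User-Agent string is the one quoted from the Symantec report.

```python
"""Constructed example (not from the Emerging-Sigs thread): Python equivalent of
the Duqu POST detection logic discussed above."""
import re

# User-Agent quoted from the Symantec report; the part name is also from the report.
DUQU_USER_AGENT = (b"Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) "
                   b"Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)")
DUQU_PART_NAME = b'name="DSC00001.jpg"'

JFIF_SOI_APP0 = b"\xff\xd8\xff\xe0"  # content:"|FF D8 FF E0|"; depth:4
JFIF_TAG = b"JFIF\x00"              # content:"|4A 46 49 46 00|"; distance:2; within:5

# Constructed sample values (not real Duqu traffic).
SAMPLE_BOUNDARY = b"---------------------------77eb5cc2cc0add"
SAMPLE_JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00`\x00`\x00\x00"


def split_request(raw):
    """Split a raw HTTP request into (method, {lowercased header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def looks_like_jfif(data):
    """Snort semantics: FF D8 FF E0 must sit in the first 4 bytes (depth:4); after
    that match skip 2 bytes (distance:2) and the 5-byte 'JFIF\\0' must be found
    within the next 5 bytes (within:5), i.e. exactly at offset 6."""
    return data[:4] == JFIF_SOI_APP0 and data[6:11] == JFIF_TAG


def multipart_parts(headers, body):
    """Yield (part_headers, part_body) for each part of a multipart/form-data body."""
    m = re.search(rb"boundary=([^;\s]+)", headers.get(b"content-type", b""))
    if not m:
        return
    for chunk in body.split(m.group(1))[1:]:
        if chunk.startswith(b"--"):      # closing delimiter "--boundary--"
            break
        phead, _, pbody = chunk.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if pbody.endswith(b"\r\n--"):    # CRLF plus the "--" of the next delimiter
            pbody = pbody[:-4]
        yield phead, pbody


def classify(raw):
    """Apply both rules' logic to one request and report which would fire."""
    method, headers, body = split_request(raw)
    result = {"duqu_ua_and_part": False, "jfif_part": False}
    if method != b"POST":
        return result
    parts = list(multipart_parts(headers, body))
    ua_match = headers.get(b"user-agent", b"").lower() == DUQU_USER_AGENT.lower()
    name_match = any(DUQU_PART_NAME.lower() in ph.lower() for ph, _ in parts)
    result["duqu_ua_and_part"] = ua_match and name_match
    result["jfif_part"] = any(looks_like_jfif(pb) for _, pb in parts)
    return result


def build_request(user_agent=DUQU_USER_AGENT, part_name=b"DSC00001.jpg",
                  payload=SAMPLE_JPEG_HEAD, host=b"203.0.113.10"):
    """Build a constructed multipart POST shaped like the request quoted from the report."""
    body = (b"--" + SAMPLE_BOUNDARY + b"\r\n"
            b'Content-Disposition: form-data; name="' + part_name + b'"\r\n'
            b"Content-Type: image/jpeg\r\n\r\n" + payload + b"\r\n"
            b"--" + SAMPLE_BOUNDARY + b"--\r\n")
    head = (b"POST / HTTP/1.1\r\n"
            b"Cache-Control: no-cache\r\n"
            b"Connection: Keep-Alive\r\n"
            b"Pragma: no-cache\r\n"
            b"Content-Type: multipart/form-data; boundary=" + SAMPLE_BOUNDARY + b"\r\n"
            b"Cookie: PHPSESSID=placeholder\r\n"
            b"User-Agent: " + user_agent + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Host: " + host + b"\r\n\r\n")
    return head + body


if __name__ == "__main__":
    print("duqu-shaped request:", classify(build_request()))
    print("ordinary jpeg upload:", classify(build_request(user_agent=b"curl/7.64.1",
                                                           part_name=b"avatar.jpg")))
```

Running the script shows why the two rules differ in precision: the ordinary upload trips only the JFIF check (the "FPs are ok" case Kevin mentions), while the Duqu-shaped request trips both.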