[Emerging-Sigs] Proposed signature for SSL C&C badness seen in Sep 2011 like 'My Company Ltd'

Martin Holste mcholste at gmail.com
Thu Oct 20 17:07:43 EDT 2011


Yep, seeing this one as well.  We have a Bro alert for any SSL coming
through with "berkshire" in it, which has nabbed several of these thus
far.  "berkshire hathaway" is new, previously the cert issuer had
nothing to do with "hathaway," but both certs hailed from Berkshire,
GB, which was odd.  Both used "admin@common" and no other certs have
used that.  They always check into 88.80.13.119 (*.trackerud.com) and
so far we've been picking them up on the DNS TXT record queries caught
by "ET TROJAN TR/Spy.gen ..." sid 2013516.

On Thu, Oct 20, 2011 at 3:19 PM, Nathan <nathan at packetmail.net> wrote:
> Here is more fun that reminds me very much of sid:2013703 and the thread at
> http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015907.html
>
> Same evil host, caught a box calling out, SSL cert is now changed,
> recommending this signature:
>
> alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> Suspicious Self Signed SSL Certificate CN of 'common' could be SSL C&C";
> flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7;
> content:"common1|1b|0"; classtype:bad-unknown; sid:x; rev:1;)
>
> I have not been able to identify the root vector of infection; I only detected
> the repeated C&C polling attempts that were being blocked by our IDS gear.
>
> 15:11:46.871066 IP 88.80.13.119.443 > RFC_1918.34532
>        0x0000:  4500 0444 16aa 4000 2406 4598 5850 0d77  E..D..@.$.E.XP.w
>        0x0010:  0ad8 85d3 01bb 86e4 9992 5626 96bf f1b5  ..........V&....
>        0x0020:  8018 000c 44a7 0000 0101 080a 012e 4090  ....D.........@.
>        0x0030:  1356 a6af 1603 0000 4a02 0000 4603 004e  .V......J...F..N
>        0x0040:  a080 80c6 2e53 03d8 1762 2043 c169 6ca4  .....S...b.C.il.
>        0x0050:  cc64 a4a5 05c1 9ea7 61f5 e22c 75fd 5f20  .d......a..,u._.
>        0x0060:  0104 f700 ff97 f322 8ce6 514d 97f0 c5c3  ......."..QM....
>        0x0070:  b9d8 a835 fd66 c66d 700e 0152 2e13 eeb7  ...5.f.mp..R....
>        0x0080:  002f 0016 0300 03b3 0b00 03af 0003 ac00  ./..............
>        0x0090:  03a9 3082 03a5 3082 030e a003 0201 0202  ..0...0.........
>        0x00a0:  0900 b86d a268 a0af 59ac 300d 0609 2a86  ...m.h..Y.0...*.
>        0x00b0:  4886 f70d 0101 0505 0030 8194 310b 3009  H........0..1.0.
>        0x00c0:  0603 5504 0613 0247 4231 1230 1006 0355  ..U....GB1.0...U
>        0x00d0:  0408 1309 4265 726b 7368 6972 6531 1030  ....Berkshire1.0
>        0x00e0:  0e06 0355 0407 1307 4e65 7762 7572 7931  ...U....Newbury1
>        0x00f0:  1f30 1d06 0355 040a 1316 6265 726b 7368  .0...U....berksh
>        0x0100:  6972 6520 6861 7468 6177 6179 206c 7464  ire.hathaway.ltd
>        0x0110:  3110 300e 0603 5504 0b13 076e 6577 6275  1.0...U....newbu
>        0x0120:  7279 310f 300d 0603 5504 0313 0663 6f6d  ry1.0...U....com
>        0x0130:  6d6f 6e31 1b30 1906 092a 8648 86f7 0d01  mon1.0...*.H....
>        0x0140:  0901 160c 6164 6d69 6e40 636f 6d6d 6f6e  ....admin@common
>        0x0150:  301e 170d 3131 3130 3037 3230 3233 3039  0...111007202309
>        0x0160:  5a17 0d31 3430 3730 3332 3032 3330 395a  Z..140703202309Z
>        0x0170:  3081 9431 0b30 0906 0355 0406 1302 4742  0..1.0...U....GB
>        0x0180:  3112 3010 0603 5504 0813 0942 6572 6b73  1.0...U....Berks
>        0x0190:  6869 7265 3110 300e 0603 5504 0713 074e  hire1.0...U....N
>        0x01a0:  6577 6275 7279 311f 301d 0603 5504 0a13  ewbury1.0...U...
>        0x01b0:  1662 6572 6b73 6869 7265 2068 6174 6861  .berkshire.hatha
>        0x01c0:  7761 7920 6c74 6431 1030 0e06 0355 040b  way.ltd1.0...U..
>        0x01d0:  1307 6e65 7762 7572 7931 0f30 0d06 0355  ..newbury1.0...U
>        0x01e0:  0403 1306 636f 6d6d 6f6e 311b 3019 0609  ....common1.0...
>        0x01f0:  2a86 4886 f70d 0109 0116 0c61 646d 696e  *.H........admin
>        0x0200:  4063 6f6d 6d6f 6e30 819f 300d 0609 2a86  @common0..0...*.
>        0x0210:  4886 f70d 0101 0105 0003 818d 0030 8189  H............0..
>        0x0220:  0281 8100 c7eb e410 0950 31da 70b7 0e03  .........P1.p...
>        0x0230:  4555 a053 ef2d 6aa5 56f3 4ec3 b4fd a465  EU.S.-j.V.N....e
>        0x0240:  6d0b 6e8a 7025 6b76 5af2 7de0 b4a7 b299  m.n.p%kvZ.}.....
>        0x0250:  6c78 ef8c 3c00 ec7b 5a1c b488 0a53 62ba  lx..<..{Z....Sb.
>        0x0260:  bb97 032b 719f b3d4 60f6 7337 1383 d486  ...+q...`.s7....
>        0x0270:  9ee4 fa15 5b2c 0129 61c2 14fc 74f3 d2c9  ....[,.)a...t...
>        0x0280:  1e75 afc3 25fc c261 5b21 ca68 f920 b421  .u..%..a[!.h...!
>        0x0290:  cf6a 5629 29db 8316 5c23 a951 c7cb 734f  .jV))...\#.Q..sO
>        0x02a0:  a31c 0183 0203 0100 01a3 81fc 3081 f930  ............0..0
>        0x02b0:  1d06 0355 1d0e 0416 0414 f023 3fcf 86ed  ...U.......#?...
>        0x02c0:  38b1 6795 4d1c 9a12 189a 17d5 f49e 3081  8.g.M.........0.
>        0x02d0:  c906 0355 1d23 0481 c130 81be 8014 f023  ...U.#...0.....#
>        0x02e0:  3fcf 86ed 38b1 6795 4d1c 9a12 189a 17d5  ?...8.g.M.......
>        0x02f0:  f49e a181 9aa4 8197 3081 9431 0b30 0906  ........0..1.0..
>        0x0300:  0355 0406 1302 4742 3112 3010 0603 5504  .U....GB1.0...U.
>        0x0310:  0813 0942 6572 6b73 6869 7265 3110 300e  ...Berkshire1.0.
>        0x0320:  0603 5504 0713 074e 6577 6275 7279 311f  ..U....Newbury1.
>        0x0330:  301d 0603 5504 0a13 1662 6572 6b73 6869  0...U....berkshi
>        0x0340:  7265 2068 6174 6861 7761 7920 6c74 6431  re.hathaway.ltd1
>        0x0350:  1030 0e06 0355 040b 1307 6e65 7762 7572  .0...U....newbur
>        0x0360:  7931 0f30 0d06 0355 0403 1306 636f 6d6d  y1.0...U....comm
>        0x0370:  6f6e 311b 3019 0609 2a86 4886 f70d 0109  on1.0...*.H.....
>        0x0380:  0116 0c61 646d 696e 4063 6f6d 6d6f 6e82  ...admin@common.
>        0x0390:  0900 b86d a268 a0af 59ac 300c 0603 551d  ...m.h..Y.0...U.
>        0x03a0:  1304 0530 0301 01ff 300d 0609 2a86 4886  ...0....0...*.H.
>        0x03b0:  f70d 0101 0505 0003 8181 007e a153 b752  ...........~.S.R
>        0x03c0:  590d 8fc1 f039 a471 a9f4 5304 bb86 f843  Y....9.q..S....C
>        0x03d0:  0876 3acc c0a2 825a 8c49 4ccd 6e17 dec1  .v:....Z.IL.n...
>        0x03e0:  43ef b4f4 fa57 9105 2393 eb16 fcf1 c916  C....W..#.......
>        0x03f0:  0e24 4920 b0b2 66af 2284 1282 23f9 6683  .$I...f."...#.f.
>        0x0400:  a573 e79a efb1 c1f2 99a1 7f89 34ca 9a6d  .s..........4..m
>        0x0410:  69d0 d2a2 58f4 d876 d4e5 5595 4fa5 18a3  i...X..v..U.O...
>        0x0420:  7c02 c403 fa3a 5f1d 5e2f bda2 9e77 755d  |....:_.^/...wu]
>        0x0430:  85d2 4fdf 23e8 dd16 fe26 4816 0300 0004  ..O.#....&H.....
>        0x0440:  0e00 0000                                ....
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>

