[Emerging-Sigs] Proposed signature for SSL CC badness seen in Sep 2011 like 'My Company Ltd'

Nathan nathan at packetmail.net
Thu Oct 20 18:06:44 EDT 2011


Thanks Martin, let's add these two then:

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate CN of 'common' could be SSL C&C"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"common1|1b|0"; classtype:bad-unknown; sid:x; rev:1;)

alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate with 'admin@common' could be SSL C&C"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"admin@common"; classtype:bad-unknown; sid:x; rev:1;)

On 10/20/11 16:07, Martin Holste wrote:
> Yep, seeing this one as well.  We have a Bro alert for any SSL coming
> through with "berkshire" in it, which has nabbed several of these thus
> far.  "berkshire hathaway" is new, previously the cert issuer had
> nothing to do with "hathaway," but both certs hailed from Berkshire,
> GB, which was odd.  Both used "admin@common" and no other certs have
> used that.  They always check into 88.80.13.119 (*.trackerud.com) and
> so far we've been picking them up on the DNS TXT record queries caught
> by "ET TROJAN TR/Spy.gen ..." sid 2013516.
> 
> On Thu, Oct 20, 2011 at 3:19 PM, Nathan <nathan at packetmail.net> wrote:
>> Here is more fun that reminds me very much of sid:2013703 and the thread at
>> http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-September/015907.html
>>
>> Same evil host, caught a box calling out, SSL cert is now changed,
>> recommending this signature:
>>
>> alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS
>> Suspicious Self Signed SSL Certificate CN of 'common' could be SSL C&C";
>> flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7;
>> content:"common1|1b|0"; classtype:bad-unknown; sid:x; rev:1;)
>>
>> I have not been able to identify the root vector of infection; I only detected
>> the repeated C&C polling attempts that were being blocked by our IDS gear.
>>
>> 15:11:46.871066 IP 88.80.13.119.443 > RFC_1918.34532
>>        0x0000:  4500 0444 16aa 4000 2406 4598 5850 0d77  E..D..@.$.E.XP.w
>>        0x0010:  0ad8 85d3 01bb 86e4 9992 5626 96bf f1b5  ..........V&....
>>        0x0020:  8018 000c 44a7 0000 0101 080a 012e 4090  ....D.........@.
>>        0x0030:  1356 a6af 1603 0000 4a02 0000 4603 004e  .V......J...F..N
>>        0x0040:  a080 80c6 2e53 03d8 1762 2043 c169 6ca4  .....S...b.C.il.
>>        0x0050:  cc64 a4a5 05c1 9ea7 61f5 e22c 75fd 5f20  .d......a..,u._.
>>        0x0060:  0104 f700 ff97 f322 8ce6 514d 97f0 c5c3  ......."..QM....
>>        0x0070:  b9d8 a835 fd66 c66d 700e 0152 2e13 eeb7  ...5.f.mp..R....
>>        0x0080:  002f 0016 0300 03b3 0b00 03af 0003 ac00  ./..............
>>        0x0090:  03a9 3082 03a5 3082 030e a003 0201 0202  ..0...0.........
>>        0x00a0:  0900 b86d a268 a0af 59ac 300d 0609 2a86  ...m.h..Y.0...*.
>>        0x00b0:  4886 f70d 0101 0505 0030 8194 310b 3009  H........0..1.0.
>>        0x00c0:  0603 5504 0613 0247 4231 1230 1006 0355  ..U....GB1.0...U
>>        0x00d0:  0408 1309 4265 726b 7368 6972 6531 1030  ....Berkshire1.0
>>        0x00e0:  0e06 0355 0407 1307 4e65 7762 7572 7931  ...U....Newbury1
>>        0x00f0:  1f30 1d06 0355 040a 1316 6265 726b 7368  .0...U....berksh
>>        0x0100:  6972 6520 6861 7468 6177 6179 206c 7464  ire.hathaway.ltd
>>        0x0110:  3110 300e 0603 5504 0b13 076e 6577 6275  1.0...U....newbu
>>        0x0120:  7279 310f 300d 0603 5504 0313 0663 6f6d  ry1.0...U....com
>>        0x0130:  6d6f 6e31 1b30 1906 092a 8648 86f7 0d01  mon1.0...*.H....
>>        0x0140:  0901 160c 6164 6d69 6e40 636f 6d6d 6f6e  ....admin@common
>>        0x0150:  301e 170d 3131 3130 3037 3230 3233 3039  0...111007202309
>>        0x0160:  5a17 0d31 3430 3730 3332 3032 3330 395a  Z..140703202309Z
>>        0x0170:  3081 9431 0b30 0906 0355 0406 1302 4742  0..1.0...U....GB
>>        0x0180:  3112 3010 0603 5504 0813 0942 6572 6b73  1.0...U....Berks
>>        0x0190:  6869 7265 3110 300e 0603 5504 0713 074e  hire1.0...U....N
>>        0x01a0:  6577 6275 7279 311f 301d 0603 5504 0a13  ewbury1.0...U...
>>        0x01b0:  1662 6572 6b73 6869 7265 2068 6174 6861  .berkshire.hatha
>>        0x01c0:  7761 7920 6c74 6431 1030 0e06 0355 040b  way.ltd1.0...U..
>>        0x01d0:  1307 6e65 7762 7572 7931 0f30 0d06 0355  ..newbury1.0...U
>>        0x01e0:  0403 1306 636f 6d6d 6f6e 311b 3019 0609  ....common1.0...
>>        0x01f0:  2a86 4886 f70d 0109 0116 0c61 646d 696e  *.H........admin
>>        0x0200:  4063 6f6d 6d6f 6e30 819f 300d 0609 2a86  @common0..0...*.
>>        0x0210:  4886 f70d 0101 0105 0003 818d 0030 8189  H............0..
>>        0x0220:  0281 8100 c7eb e410 0950 31da 70b7 0e03  .........P1.p...
>>        0x0230:  4555 a053 ef2d 6aa5 56f3 4ec3 b4fd a465  EU.S.-j.V.N....e
>>        0x0240:  6d0b 6e8a 7025 6b76 5af2 7de0 b4a7 b299  m.n.p%kvZ.}.....
>>        0x0250:  6c78 ef8c 3c00 ec7b 5a1c b488 0a53 62ba  lx..<..{Z....Sb.
>>        0x0260:  bb97 032b 719f b3d4 60f6 7337 1383 d486  ...+q...`.s7....
>>        0x0270:  9ee4 fa15 5b2c 0129 61c2 14fc 74f3 d2c9  ....[,.)a...t...
>>        0x0280:  1e75 afc3 25fc c261 5b21 ca68 f920 b421  .u..%..a[!.h...!
>>        0x0290:  cf6a 5629 29db 8316 5c23 a951 c7cb 734f  .jV))...\#.Q..sO
>>        0x02a0:  a31c 0183 0203 0100 01a3 81fc 3081 f930  ............0..0
>>        0x02b0:  1d06 0355 1d0e 0416 0414 f023 3fcf 86ed  ...U.......#?...
>>        0x02c0:  38b1 6795 4d1c 9a12 189a 17d5 f49e 3081  8.g.M.........0.
>>        0x02d0:  c906 0355 1d23 0481 c130 81be 8014 f023  ...U.#...0.....#
>>        0x02e0:  3fcf 86ed 38b1 6795 4d1c 9a12 189a 17d5  ?...8.g.M.......
>>        0x02f0:  f49e a181 9aa4 8197 3081 9431 0b30 0906  ........0..1.0..
>>        0x0300:  0355 0406 1302 4742 3112 3010 0603 5504  .U....GB1.0...U.
>>        0x0310:  0813 0942 6572 6b73 6869 7265 3110 300e  ...Berkshire1.0.
>>        0x0320:  0603 5504 0713 074e 6577 6275 7279 311f  ..U....Newbury1.
>>        0x0330:  301d 0603 5504 0a13 1662 6572 6b73 6869  0...U....berkshi
>>        0x0340:  7265 2068 6174 6861 7761 7920 6c74 6431  re.hathaway.ltd1
>>        0x0350:  1030 0e06 0355 040b 1307 6e65 7762 7572  .0...U....newbur
>>        0x0360:  7931 0f30 0d06 0355 0403 1306 636f 6d6d  y1.0...U....comm
>>        0x0370:  6f6e 311b 3019 0609 2a86 4886 f70d 0109  on1.0...*.H.....
>>        0x0380:  0116 0c61 646d 696e 4063 6f6d 6d6f 6e82  ...admin@common.
>>        0x0390:  0900 b86d a268 a0af 59ac 300c 0603 551d  ...m.h..Y.0...U.
>>        0x03a0:  1304 0530 0301 01ff 300d 0609 2a86 4886  ...0....0...*.H.
>>        0x03b0:  f70d 0101 0505 0003 8181 007e a153 b752  ...........~.S.R
>>        0x03c0:  590d 8fc1 f039 a471 a9f4 5304 bb86 f843  Y....9.q..S....C
>>        0x03d0:  0876 3acc c0a2 825a 8c49 4ccd 6e17 dec1  .v:....Z.IL.n...
>>        0x03e0:  43ef b4f4 fa57 9105 2393 eb16 fcf1 c916  C....W..#.......
>>        0x03f0:  0e24 4920 b0b2 66af 2284 1282 23f9 6683  .$I...f."...#.f.
>>        0x0400:  a573 e79a efb1 c1f2 99a1 7f89 34ca 9a6d  .s..........4..m
>>        0x0410:  69d0 d2a2 58f4 d876 d4e5 5595 4fa5 18a3  i...X..v..U.O...
>>        0x0420:  7c02 c403 fa3a 5f1d 5e2f bda2 9e77 755d  |....:_.^/...wu]
>>        0x0430:  85d2 4fdf 23e8 dd16 fe26 4816 0300 0004  ..O.#....&H.....
>>        0x0440:  0e00 0000                                ....
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>>
> 
> 

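Added example, not part of the thread and not ET's own tooling: a stdlib-only Python script that takes the server's TCP payload from the tcpdump hex dump above, walks the TLS records to the ServerHello and Certificate messages, decodes the self-signed certificate's subject and issuer with a minimal DER reader, and replays the two proposed content matches over the same bytes. The capture is transcribed from the dump with the IP and TCP headers stripped; the record, handshake and DER parsing is a deliberately small reimplementation rather than Snort's or OpenSSL's, and its assumption that no handshake message spans two records holds for this packet but not in general.

```python
# TCP payload of the 88.80.13.119:443 -> client packet, transcribed from the
# tcpdump hex dump in the thread (20-byte IP and 32-byte TCP headers dropped).
CAPTURE = bytes.fromhex("""
160300004a0200004603004ea08080c62e5303d817622043c1696ca4cc64a4a505c19ea761f5e22c
75fd5f200104f700ff97f3228ce6514d97f0c5c3b9d8a835fd66c66d700e01522e13eeb7002f0016
030003b30b0003af0003ac0003a9308203a53082030ea003020102020900b86da268a0af59ac300d
06092a864886f70d0101050500308194310b30090603550406130247423112301006035504081309
4265726b73686972653110300e060355040713074e657762757279311f301d060355040a13166265
726b7368697265206861746861776179206c74643110300e060355040b13076e657762757279310f
300d06035504031306636f6d6d6f6e311b301906092a864886f70d010901160c61646d696e40636f
6d6d6f6e301e170d3131313030373230323330395a170d3134303730333230323330395a30819431
0b300906035504061302474231123010060355040813094265726b73686972653110300e06035504
0713074e657762757279311f301d060355040a13166265726b736869726520686174686177617920
6c74643110300e060355040b13076e657762757279310f300d06035504031306636f6d6d6f6e311b
301906092a864886f70d010901160c61646d696e40636f6d6d6f6e30819f300d06092a864886f70d
010101050003818d0030818902818100c7ebe410095031da70b70e034555a053ef2d6aa556f34ec3
b4fda4656d0b6e8a70256b765af27de0b4a7b2996c78ef8c3c00ec7b5a1cb4880a5362babb97032b
719fb3d460f673371383d4869ee4fa155b2c012961c214fc74f3d2c91e75afc325fcc2615b21ca68
f920b421cf6a562929db83165c23a951c7cb734fa31c01830203010001a381fc3081f9301d060355
1d0e04160414f0233fcf86ed38b167954d1c9a12189a17d5f49e3081c90603551d230481c13081be
8014f0233fcf86ed38b167954d1c9a12189a17d5f49ea1819aa48197308194310b30090603550406
1302474231123010060355040813094265726b73686972653110300e060355040713074e65776275
7279311f301d060355040a13166265726b7368697265206861746861776179206c74643110300e06
0355040b13076e657762757279310f300d06035504031306636f6d6d6f6e311b301906092a864886
f70d010901160c61646d696e40636f6d6d6f6e820900b86da268a0af59ac300c0603551d13040530
030101ff300d06092a864886f70d0101050500038181007ea153b752590d8fc1f039a471a9f45304
bb86f84308763accc0a2825a8c494ccd6e17dec143efb4f4fa5791052393eb16fcf1c9160e244920
b0b266af2284128223f96683a573e79aefb1c1f299a17f8934ca9a6d69d0d2a258f4d876d4e55595
4fa518a37c02c403fa3a5f1d5e2fbda29e77755d85d24fdf23e8dd16fe264816030000040e000000
""")

def der_tlv(buf, i=0):
    """Minimal DER reader: (tag, value, index_after) for the element at buf[i]."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:                               # long form: low bits = number of length bytes
        n, i = ln & 0x7F, i + (ln & 0x7F)
        ln = int.from_bytes(buf[i - n:i], "big")
    return tag, buf[i:i + ln], i + ln

# Name attribute OIDs seen in this certificate (DER content bytes, without tag/length).
ATTR = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",
        b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN",
        b"\x2a\x86\x48\x86\xf7\x0d\x01\x09\x01": "emailAddress"}

def parse_name(name):
    """Flatten an X.501 Name (SEQUENCE OF SET OF {type, value}) into (attr, str) pairs."""
    out, i = [], 0
    while i < len(name):
        _, rdn, i = der_tlv(name, i)                # SET
        _, atv, _ = der_tlv(rdn)                    # SEQUENCE { OID, value }
        _, oid, j = der_tlv(atv)
        out.append((ATTR.get(oid, oid.hex()), der_tlv(atv, j)[1].decode("latin-1")))
    return out

def cert_summary(cert):
    """Serial, issuer, validity and subject of a DER-encoded X.509 certificate."""
    _, tbs, _ = der_tlv(der_tlv(cert)[1])          # Certificate -> tbsCertificate
    tag, _, i = der_tlv(tbs)
    i = i if tag == 0xA0 else 0                     # [0] version is optional (absent = v1)
    _, serial, i = der_tlv(tbs, i)
    _, _, i = der_tlv(tbs, i)                       # signature AlgorithmIdentifier
    _, issuer, i = der_tlv(tbs, i)
    _, validity, i = der_tlv(tbs, i)
    _, subject, _ = der_tlv(tbs, i)
    _, not_before, j = der_tlv(validity)
    return {"serial": serial.hex(), "issuer": parse_name(issuer),
            "subject": parse_name(subject), "self_signed": issuer == subject,
            "not_before": not_before.decode(), "not_after": der_tlv(validity, j)[1].decode()}

def analyze(payload):
    """Walk the TLS records of the server flight; return the ServerHello version and
    cipher plus the leaf certificate fields (assumes no message spans two records)."""
    info, i = {}, 0
    while i + 5 <= len(payload):                    # record: type(1) version(2) length(2)
        ctype, rlen = payload[i], int.from_bytes(payload[i + 3:i + 5], "big")
        rec, i, j = payload[i + 5:i + 5 + rlen], i + 5 + rlen, 0
        while ctype == 22 and j + 4 <= len(rec):   # 22 = handshake: type(1) length(3)
            htype, mlen = rec[j], int.from_bytes(rec[j + 1:j + 4], "big")
            body, j = rec[j + 4:j + 4 + mlen], j + 4 + mlen
            if htype == 2:                          # ServerHello: version, random[32], sid, cipher
                sid_end = 35 + body[34]
                info.update(version=body[:2].hex(), cipher=body[sid_end:sid_end + 2].hex())
            elif htype == 11:                       # Certificate: list len(3), cert len(3), DER
                info.update(cert_summary(body[6:6 + int.from_bytes(body[3:6], "big")]))
    return info

def rule_hits(payload):
    """Replay the two proposed content matches on the raw payload.  Snort retries the first
    content at its next occurrence if a relative match fails, so every '16 03' is tried."""
    hs_then_cert = any(payload.find(b"\x0b", p + 2, p + 9) != -1         # |0b| within:7
                       for p in range(len(payload) - 1) if payload[p:p + 2] == b"\x16\x03")
    return {"common_cn": hs_then_cert and b"common1\x1b\x30" in payload,
            "admin_at_common": hs_then_cert and b"admin@common" in payload}

if __name__ == "__main__":
    for key, value in {**analyze(CAPTURE), **rule_hits(CAPTURE)}.items():
        print(f"{key}: {value}")
```

Running it shows the server answered with version 03 00 (SSL 3.0) in both the record layer and the ServerHello, with cipher suite 00 2f, which is consistent with the rules matching |16 03| without a minor version byte; the certificate's issuer and subject are byte-identical (so it is literally self-signed), serial 00b86da268a0af59ac, notBefore 111007202309Z and notAfter 140703202309Z. The replay also shows that the |16 03| then |0b| within:7 pair only lands on the Certificate record: the ServerHello record that precedes it has no 0b in the bytes after its header, so the match depends on the engine moving on to the next 16 03 rather than giving up at the first one.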
