[Emerging-Sigs] 2013782/ET TROJAN W32.Duqu User-Agent

Packet Hack pckthck at gmail.com
Fri Oct 21 14:19:00 EDT 2011


Here's some I'm trying out:

# Infected host -> C2: GET with PHPSESSID cookie; sets ET.DuquGet on the flow
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Duqu GET"; flow:established,to_server; content:"GET / HTTP/1.1|0d 0a|Cookie|3a| PHPSESSID="; content:"|0d 0a|Cache-Control|3a| no-cache|0d 0a|Pragma|3a| no-cache|0d 0a|User-Agent|3a| Mozilla"; distance:0; content:"|0d 0a|Host|3a| "; distance:0; content:"Connection|3a| Keep-Alive|0d 0a 0d 0a|"; flowbits:set,ET.DuquGet; sid:9100556; rev:1;)

# C2 -> infected host: server reply, so source is $HTTP_PORTS and flow is from_server; only fires once ET.DuquGet is set
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Duqu HTTP Response to GET"; flow:established,from_server; content:"HTTP/1.1 200 OK|0d 0a|Content-Type|3a| image/jpeg|0d 0a|Transfer-Encoding|3a| chunked|0d 0a|Connection|3a| Close|0d 0a 0d 0a|"; flowbits:isset,ET.DuquGet; sid:9100557; rev:1;)

# Infected host -> C2: multipart POST carrying a .jpg part; client request, so to_server; sets ET.DuquPost
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Duqu POST"; flow:established,to_server; content:"POST / HTTP/1.1|0d 0a|Cookie|3a| PHPSESSID="; content:"Cache-Control|3a| no-cache|0d 0a|Pragma|3a| no-cache|0d 0a|Content-Type|3a| multipart/form-data|3b| boundary=---------------------------"; distance:0; content:"User-Agent|3a| Mozilla"; content:"Connection|3a| Keep-Alive|0d 0a 0d 0a|"; distance:0; content:"Content-Disposition|3a| form-data|3b| name="; distance:0; content:".jpg|22 0d 0a|Content-Type|3a| image/jpeg|0d 0a 0d 0a|"; distance:0; flowbits:set,ET.DuquPost; sid:9100558; rev:1;)

# C2 -> infected host: empty 200 reply to the POST; server side, so from_server; only fires once ET.DuquPost is set
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Duqu HTTP Response to POST"; flow:established,from_server; content:"HTTP/1.1 200 OK|0d 0a|Connection|3a| Keep-Alive|0d 0a|Content-Length|3a| 0"; flowbits:isset,ET.DuquPost; sid:9100559; rev:1;)

These are based off the traffic seen in the Symantec paper; they're not tripping
for me yet. Trying to get all cool and shit with flowbits, yo!

-- pckthck

On Fri, Oct 21, 2011 at 2:04 PM, Matthew Jonkman
<jonkman at emergingthreatspro.com> wrote:
> Thanks, looks like that UA wasn't as unique as hoped.
>
> Dropping this sig in favor of the more specific one for now. More research ongoing!
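Added example, not code from the thread or from Emerging Threats: a minimal Python re-implementation of the content / distance:0 / flowbits logic the GET-side rules above rely on, run over constructed request and response payloads. Flow ids and packet direction are assumed inputs (what Snort's stream tracker and flow: keyword would supply); the hostname and cookie value are made up.

```python
# Constructed sample traffic (not a real capture), shaped like the Duqu
# exchange the rules describe: a GET with a PHPSESSID cookie and a JPEG reply.
REQ = (b"GET / HTTP/1.1\r\nCookie: PHPSESSID=0123456789abcdef\r\n"
       b"Cache-Control: no-cache\r\nPragma: no-cache\r\n"
       b"User-Agent: Mozilla/4.0 (compatible)\r\nHost: c2.example.invalid\r\n"
       b"Connection: Keep-Alive\r\n\r\n")
RESP = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
        b"Transfer-Encoding: chunked\r\nConnection: Close\r\n\r\n")

def snort_bytes(s):
    """Decode a Snort content string: literal text plus |hh hh| hex runs."""
    out = b""
    for i, part in enumerate(s.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return out

def match_contents(payload, contents):
    """Apply ordered content matches; relative=True means distance:0
    (search only after the previous match), False means from the start."""
    pos = 0
    for text, relative in contents:
        needle = snort_bytes(text)
        idx = payload.find(needle, pos if relative else 0)
        if idx < 0:
            return False
        pos = idx + len(needle)  # Snort's "doe" pointer moves after every match
    return True

# (content, has distance:0) pairs taken from the two GET-side rules above.
DUQU_GET = [
    ("GET / HTTP/1.1|0d 0a|Cookie|3a| PHPSESSID=", False),
    ("|0d 0a|Cache-Control|3a| no-cache|0d 0a|Pragma|3a| no-cache|0d 0a|User-Agent|3a| Mozilla", False),
    ("|0d 0a|Host|3a| ", True),
    ("Connection|3a| Keep-Alive|0d 0a 0d 0a|", True),
]
DUQU_GET_RESP = [("HTTP/1.1 200 OK|0d 0a|Content-Type|3a| image/jpeg|0d 0a|"
                  "Transfer-Encoding|3a| chunked|0d 0a|Connection|3a| Close|0d 0a 0d 0a|", False)]

flowbits = {}  # flow id -> set of flowbit names (per-flow state, both directions)

def inspect(flow_id, direction, payload):
    """Return the alert msg for one packet, or None. flow_id and direction
    are assumed to come from the stream tracker (Snort's flow: keyword)."""
    bits = flowbits.setdefault(flow_id, set())
    if direction == "to_server" and match_contents(payload, DUQU_GET):
        bits.add("ET.DuquGet")  # flowbits:set,ET.DuquGet
        return "ET TROJAN Duqu GET"
    if (direction == "from_server" and "ET.DuquGet" in bits  # flowbits:isset
            and match_contents(payload, DUQU_GET_RESP)):
        return "ET TROJAN Duqu HTTP Response to GET"
    return None
```

The third call below shows why the flowbit matters: on its own, the response signature is just "200 OK, chunked JPEG, Connection: Close", which plenty of legitimate servers send.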

