[Emerging-Sigs] Additional Signature for SSL C&C: Five Proposed signatures for udtracker Unknown Java Exploit + PCAP

Nathan nathan at packetmail.net
Tue Sep 27 16:16:55 EDT 2011


I am seeing post-infection activity to 88.80.13.119 via SSL; the traffic is
self-generated.

Now, what's odd is that there is no CN or OU on the SSL cert and the O is "My
Company Ltd".  It was issued 8/30/2011.

I think there's a worthy signature here:

#Anyone have a way to look for empty CN and OU too?  I think that'd really
solidify it as malicious.
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate to 'My Company Ltd' could be SSL C&C"; flow:established,from_server; content:"|16 03|"; content:"|0b|"; within:7; content:"My Company Ltd"; classtype:bad-unknown; sid:x; rev:1;)

IP 88.80.13.119.443
        0x0000:  4500 02ae c108 4000 2a06 96cf 5850 0d77  E.....@.*...XP.w
        0x0010:  0ad8 85d3 01bb ce30 12a4 4c1e d398 95ed  .......0..L.....
        0x0020:  8018 000c 3231 0000 0101 080a 8abd 8d1b  ....21..........
        0x0030:  13b7 c915 1603 0000 4a02 0000 4603 004e  ........J...F..N
        0x0040:  822e 702a d962 0864 28e7 531f 0111 4e32  ..p*.b.d(.S...N2
        0x0050:  72c2 2add 84d9 2a63 8149 8208 36bf 0720  r.*...*c.I..6...
        0x0060:  f8fc 14a9 a956 e792 7938 389d 9e9e 932d  .....V..y88....-
        0x0070:  067d 1c4b 5992 f57d c985 7c90 b20e 94e3  .}.KY..}..|.....
        0x0080:  002f 0016 0300 021d 0b00 0219 0002 1600  ./..............
        0x0090:  0213 3082 020f 3082 0178 0209 00fe 0b03  ..0...0..x......
        0x00a0:  8569 df81 1d30 0d06 092a 8648 86f7 0d01  .i...0...*.H....
        0x00b0:  0105 0500 304c 310b 3009 0603 5504 0613  ....0L1.0...U...
        0x00c0:  0247 4231 1230 1006 0355 0408 1309 4265  .GB1.0...U....Be
        0x00d0:  726b 7368 6972 6531 1030 0e06 0355 0407  rkshire1.0...U..
        0x00e0:  1307 4e65 7762 7572 7931 1730 1506 0355  ..Newbury1.0...U
        0x00f0:  040a 130e 4d79 2043 6f6d 7061 6e79 204c  ....My.Company.L
        0x0100:  7464 301e 170d 3131 3038 3331 3231 3033  td0...1108312103
        0x0110:  3532 5a17 0d31 3230 3833 3032 3130 3335  52Z..12083021035
        0x0120:  325a 304c 310b 3009 0603 5504 0613 0247  2Z0L1.0...U....G
        0x0130:  4231 1230 1006 0355 0408 1309 4265 726b  B1.0...U....Berk
        0x0140:  7368 6972 6531 1030 0e06 0355 0407 1307  shire1.0...U....
        0x0150:  4e65 7762 7572 7931 1730 1506 0355 040a  Newbury1.0...U..
        0x0160:  130e 4d79 2043 6f6d 7061 6e79 204c 7464  ..My.Company.Ltd
        0x0170:  3081 9f30 0d06 092a 8648 86f7 0d01 0101  0..0...*.H......
        0x0180:  0500 0381 8d00 3081 8902 8181 00b0 d647  ......0........G
        0x0190:  7803 ae23 7207 f929 69a4 ed03 0edc 0509  x..#r..)i.......
        0x01a0:  1544 7c19 0f8a 6806 1472 d660 0d44 9516  .D|...h..r.`.D..
        0x01b0:  446a 10a9 4c10 ec1e cd41 8cd3 9811 f275  Dj..L....A.....u
        0x01c0:  6ec0 5a1e ac70 249d cb97 1d5a 46d6 f2a7  n.Z..p$....ZF...
        0x01d0:  3769 1761 fb91 0567 0e2e 8a4d 8a09 50e5  7i.a...g...M..P.
        0x01e0:  b59c 1c6d 47cf 1a1c 2f0d 1606 9386 6e2f  ...mG.../.....n/
        0x01f0:  29c6 8b35 bfaf b813 febe d437 f86b 516c  )..5.......7.kQl
        0x0200:  6e2f 2c4b a53c 794f 5bb3 55f9 7d02 0301  n/,K.<yO[.U.}...
        0x0210:  0001 300d 0609 2a86 4886 f70d 0101 0505  ..0...*.H.......
        0x0220:  0003 8181 0092 6e68 106f 04c4 9f6a aaf5  ......nh.o...j..
        0x0230:  9b5e f3af 3a44 7e3a 45e0 c7fe f4a0 eeab  .^..:D~:E.......
        0x0240:  0f6a bb16 3e25 53a3 37ee 1b45 d534 d5e3  .j..>%S.7..E.4..
        0x0250:  3a9c d1ba c19a 36c9 d4ed 3ef6 796a eb9c  :.....6...>.yj..
        0x0260:  79df 09c4 fd35 e2ec 8377 6606 6a99 74b4  y....5...wf.j.t.
        0x0270:  8b4e fc47 7fd6 1d3b 522c 7d88 d9e7 d1de  .N.G...;R,}.....
        0x0280:  cc4d a172 364a bfc0 e784 b87d 849b 30d1  .M.r6J.....}..0.
        0x0290:  5d49 e079 3c07 08e3 adde 3693 5da1 6ff2  ]I.y<.....6.].o.
        0x02a0:  24af ddcd 7a16 0300 0004 0e00 0000       $...z.........

Thanks,
Nathan
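Added example (not part of Nathan's post or of any Emerging Threats rule): a standard-library Python script that walks the TLS records in the packet above, pulls the DER certificate out of the Certificate handshake message, decodes its subject DN, and applies the heuristic the post describes (O is "My Company Ltd" with no CN and no OU). The hex is the TCP payload transcribed from the dump in the post, with the IP/TCP headers stripped; the function names are my own.

```python
"""Parse the server certificate out of the posted TLS handshake and apply the
post's heuristic: O == "My Company Ltd" and neither CN nor OU present."""

# TCP payload of the 88.80.13.119:443 packet from the post's dump, with the
# IP/TCP headers (first 0x34 bytes) stripped; transcribed from the hex column.
TLS_PAYLOAD = bytes.fromhex("""
1603 0000 4a02 0000 4603 004e 822e 702a d962 0864 28e7 531f 0111 4e32 72c2 2add
84d9 2a63 8149 8208 36bf 0720 f8fc 14a9 a956 e792 7938 389d 9e9e 932d 067d 1c4b
5992 f57d c985 7c90 b20e 94e3 002f 0016 0300 021d 0b00 0219 0002 1600 0213 3082
020f 3082 0178 0209 00fe 0b03 8569 df81 1d30 0d06 092a 8648 86f7 0d01 0105 0500
304c 310b 3009 0603 5504 0613 0247 4231 1230 1006 0355 0408 1309 4265 726b 7368
6972 6531 1030 0e06 0355 0407 1307 4e65 7762 7572 7931 1730 1506 0355 040a 130e
4d79 2043 6f6d 7061 6e79 204c 7464 301e 170d 3131 3038 3331 3231 3033 3532 5a17
0d31 3230 3833 3032 3130 3335 325a 304c 310b 3009 0603 5504 0613 0247 4231 1230
1006 0355 0408 1309 4265 726b 7368 6972 6531 1030 0e06 0355 0407 1307 4e65 7762
7572 7931 1730 1506 0355 040a 130e 4d79 2043 6f6d 7061 6e79 204c 7464 3081 9f30
0d06 092a 8648 86f7 0d01 0101 0500 0381 8d00 3081 8902 8181 00b0 d647 7803 ae23
7207 f929 69a4 ed03 0edc 0509 1544 7c19 0f8a 6806 1472 d660 0d44 9516 446a 10a9
4c10 ec1e cd41 8cd3 9811 f275 6ec0 5a1e ac70 249d cb97 1d5a 46d6 f2a7 3769 1761
fb91 0567 0e2e 8a4d 8a09 50e5 b59c 1c6d 47cf 1a1c 2f0d 1606 9386 6e2f 29c6 8b35
bfaf b813 febe d437 f86b 516c 6e2f 2c4b a53c 794f 5bb3 55f9 7d02 0301 0001 300d
0609 2a86 4886 f70d 0101 0505 0003 8181 0092 6e68 106f 04c4 9f6a aaf5 9b5e f3af
3a44 7e3a 45e0 c7fe f4a0 eeab 0f6a bb16 3e25 53a3 37ee 1b45 d534 d5e3 3a9c d1ba
c19a 36c9 d4ed 3ef6 796a eb9c 79df 09c4 fd35 e2ec 8377 6606 6a99 74b4 8b4e fc47
7fd6 1d3b 522c 7d88 d9e7 d1de cc4d a172 364a bfc0 e784 b87d 849b 30d1 5d49 e079
3c07 08e3 adde 3693 5da1 6ff2 24af ddcd 7a16 0300 0004 0e00 0000
""")

def tls_records(buf):
    """Yield (content_type, version, body) for each TLS record in buf."""
    i = 0
    while i + 5 <= len(buf):
        ctype = buf[i]
        ver, ln = int.from_bytes(buf[i+1:i+3], "big"), int.from_bytes(buf[i+3:i+5], "big")
        yield ctype, ver, buf[i + 5:i + 5 + ln]
        i += 5 + ln

def handshake_messages(body):
    """Yield (handshake_type, payload) from the body of a handshake record."""
    i = 0
    while i + 4 <= len(body):
        ln = int.from_bytes(body[i + 1:i + 4], "big")
        yield body[i], body[i + 4:i + 4 + ln]
        i += 4 + ln

def der_tlv(buf, i=0):
    """Decode one DER TLV at buf[i]; return (tag, value, index after it)."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:  # long form: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return tag, buf[i:i + ln], i + ln

def der_children(value):
    """Split a constructed value (SEQUENCE/SET) into its (tag, value) children."""
    out, i = [], 0
    while i < len(value):
        tag, val, i = der_tlv(value, i)
        out.append((tag, val))
    return out

# id-at OIDs (2.5.4.x) for the attributes the post cares about
ATTR = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x07": "L",
        b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}

def parse_name(name_value):
    """Flatten an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) to a dict."""
    out = {}
    for _, rdn_set in der_children(name_value):
        for _, atv in der_children(rdn_set):
            (_, oid), (_, val) = der_children(atv)
            out[ATTR.get(oid, oid.hex())] = val.decode("latin-1")
    return out

def leaf_subject(payload):
    """Subject dict of the first (leaf) cert in the server's Certificate message, or None."""
    for ctype, _, body in tls_records(payload):
        if ctype != 0x16:  # not a handshake record
            continue
        for htype, msg in handshake_messages(body):
            if htype != 0x0B:  # 11 = Certificate
                continue
            # msg = 3-byte list length, then per cert: 3-byte length + DER
            cert = msg[6:6 + int.from_bytes(msg[3:6], "big")]
            tbs = der_tlv(der_tlv(cert)[1])[1]  # Certificate -> tbsCertificate
            fields = der_children(tbs)
            if fields[0][0] == 0xA0:  # explicit [0] version tag (v2/v3 certs)
                fields = fields[1:]
            return parse_name(fields[4][1])  # serial, sigalg, issuer, validity, subject
    return None

def matches_post_heuristic(subject):
    """The post's rule of thumb: O is "My Company Ltd" and CN/OU are both absent."""
    return (subject is not None and subject.get("O") == "My Company Ltd"
            and "CN" not in subject and "OU" not in subject)

if __name__ == "__main__":
    subj = leaf_subject(TLS_PAYLOAD)
    print("subject:", subj)
    print("matches heuristic:", matches_post_heuristic(subj))
```

Run as-is it prints the decoded subject (C, ST, L and O only) and True for the heuristic; swapping in a payload whose certificate carries a CN or OU makes it return False. The script only walks the first certificate and the DN fields it needs, which is all the heuristic requires; in Suricata the same DN string is exposed to rules through the tls.subject keyword.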
