[Emerging-Sigs] Signature - Linux Rootkit for 64-bit Debian

dxp dxp2532 at gmail.com
Sat Dec 8 08:09:18 HAST 2012

Hello ET,

It's been a few weeks now since the disclosure of the module on Full
Disclosure, so my apologies in advance if this trojan is already

I've taken a look at its C&C authentication key generation/verification
routine and came up with the two signatures below. Please note, the
routine generates a unique key for each C&C IP address and is derived
from the address itself.

Thus, the first signature specifically detects the module from FD post,
which would talk to The second rule is a bit more generic
to identify the packet structure based on reversing their algorithm.

alert tcp $HOME_NET any -> $EXTERNAL_NET 1568 (msg:"ET TROJAN Rootkit.Linux.Snakso.a C&C Check-in"; flow:to_server,established; content:"|01 00|"; depth:2; content:"CnAgAAo1ic1K9SYUAxYWW7IIegMO3mY9m3M39AIWAqE6Aqq1OgRL3riA8oakYQqQCG5IcQCAwy5guAkArCsAWiAYQgyo3Uq5YUCS1G3GeAwe1Qym3WMSmwamwwyuAcs"; distance:1094; within:128; classtype:trojan-activity; reference:url,seclists.org/fulldisclosure/2012/Nov/172; sid:253201; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Rootkit.Linux.Snakso Generic C&C Check-in"; flow:to_server,established; content:"|01 00|"; depth:2; isdataat:1126,relative; content:"|00 00 00 00|"; distance:1090; within:4; pcre:"/[a-z0-9]{32,128}/i"; reference:url,seclists.org/fulldisclosure/2012/Nov/172; sid:253202; rev:1;)

The 2nd rule has a 4-byte NULL match prior to the PCRE. This is due to
the packet containing no non-NULL data in the first 1096 bytes of the
initial check-in. If anyone has an idea on how to optimise this to cover
all NULLs (apart from the first 2 bytes) I would greatly appreciate the tip.

-=[ dxp ]=-
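The structural check behind the second rule, including the "only NULLs between the header and the key" condition the author asks about, as an added Python example that is not part of the post or of the ET ruleset. Offsets come from the rules above (key at offset 1096 = 2-byte header + distance:1094; the rest is taken from the author's description), and the sample payloads are constructed here for illustration.

```python
import re

HEADER = b"\x01\x00"   # content:"|01 00|"; depth:2
KEY_OFFSET = 1096      # 2-byte header + distance:1094 (rule 1); NULL-filled up to here
KEY_RE = re.compile(rb"[a-z0-9]{32,128}", re.IGNORECASE)  # pcre:"/[a-z0-9]{32,128}/i"

# The whole packet shape as one anchored pattern: header, 1094 NULLs, then the key.
# This is an assumption about how a single-pattern check would look, not an ET rule.
ANCHORED_RE = re.compile(rb"^\x01\x00\x00{1094}[a-z0-9]{32,128}", re.IGNORECASE)


def is_snakso_checkin(payload: bytes) -> bool:
    """Byte-by-byte check: header, only NULLs until the key offset, then a
    32-128 character alphanumeric key starting exactly at that offset."""
    if len(payload) < KEY_OFFSET + 32 or payload[:2] != HEADER:
        return False
    # any() over a bytes slice is True as soon as one byte is non-zero.
    if any(payload[2:KEY_OFFSET]):
        return False
    return KEY_RE.match(payload, KEY_OFFSET) is not None


def is_snakso_checkin_regex(payload: bytes) -> bool:
    """Same check expressed as the single anchored regex above."""
    return ANCHORED_RE.match(payload) is not None


def build_sample(key: bytes, noise_at: int = -1) -> bytes:
    """Construct a test payload: header + NULL padding + key. When noise_at >= 2,
    a non-NULL byte is planted at that offset inside the padding."""
    padding = bytearray(KEY_OFFSET - len(HEADER))
    if noise_at >= len(HEADER):
        padding[noise_at - len(HEADER)] = 0x41
    return HEADER + bytes(padding) + key


if __name__ == "__main__":
    good = build_sample(b"a" * 64)
    print(is_snakso_checkin(good), is_snakso_checkin_regex(good))    # True True
    bad = build_sample(b"a" * 64, noise_at=500)
    print(is_snakso_checkin(bad), is_snakso_checkin_regex(bad))      # False False
```

Both functions agree on every constructed input, so the anchored pattern is a candidate replacement for the 4-byte NULL content match when a single expression over the padding is wanted.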