[Emerging-Sigs] Proposed Signature for Trojan.Gatak

Christopher Granger chrisgrangerx at gmail.com
Sun Dec 9 15:57:15 HAST 2012


Hi ET,

Trojan.Gatak is a Trojan that allows backdoor access. Some versions are
able to spread via shared resources.

The Trojan uses 443/TCP for C&C, but sessions are not SSL/TLS encrypted.

Example requests:
/galfstream&tmmkmmgat=08PV2nvuCDUN77pF03rJN9E5B**fvjZmKGCmEnpe
/galfstream&xcrvekhyx=ZJRWYZFTYdty0IFmK_nSHiT0JDY4AGgj
/golfstream&qnpvh=wwld8vWuk34v7HPnmR6q1_EquRg19qHFesHlAhj0LXlBW8m72dnz


Proposed rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Gatak POST Request to C&C"; \
  flow:established,to_server; content:"POST"; nocase; http_method; \
  content:"lfstream&"; nocase; http_uri; depth:12; \
  pcre:"/\/g[oa]lfstream&/UAi"; \
  reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-012813-0854-99; \
  classtype:trojan-activity; sid:XXXXXXX; rev:1;)

Regards,
-Chris
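As an added illustration (not part of Chris's post or the ET ruleset), a Python model of the proposed rule's match logic run over constructed sample requests, showing what the nocase content, depth:12 and anchored pcre constraints accept and reject; the Host values are placeholders.

```python
import re

# Constructed sample requests for this example: raw HTTP request lines as the
# Trojan would send them in the clear on 443/TCP (Host header is a placeholder).
SAMPLES = {
    "gatak_a": "POST /galfstream&tmmkmmgat=08PV2nvuCDUN77pF03rJN9E5B**fvjZmKGCmEnpe HTTP/1.1\r\n"
               "Host: c2.example.invalid\r\n\r\n",
    "gatak_o": "POST /golfstream&qnpvh=wwld8vWuk34v7HPnmR6q1_EquRg19qHFesHlAhj0LXlBW8m72dnz HTTP/1.1\r\n"
               "Host: c2.example.invalid\r\n\r\n",
    "upper":   "POST /GOLFSTREAM&abc=def HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n",
    "get":     "GET /galfstream&xcrvekhyx=ZJRWYZFTYdty0IFmK_nSHiT0JDY4AGgj HTTP/1.1\r\n"
               "Host: c2.example.invalid\r\n\r\n",
    "nested":  "POST /api/golfstream&x=1 HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
    "benign":  "POST /gulfstream&flight=123 HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n",
}

# Mirrors pcre:"/\/g[oa]lfstream&/UAi": U = URI buffer, A = anchored, i = nocase.
URI_RE = re.compile(r"/g[oa]lfstream&", re.IGNORECASE)


def parse_request_line(raw):
    """Return (method, uri) from the first line of a raw request, or None."""
    parts = raw.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1]


def gatak_rule_matches(raw):
    """Model of the rule: POST method; the 9-byte 'lfstream&' must lie entirely
    within the first 12 URI bytes (depth:12), so only a 3-byte prefix such as
    "/ga" or "/go" fits before it; then the anchored pcre /g[oa]lfstream& must
    match at the start of the URI (the content check alone also admits /gulfstream&)."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    method, uri = parsed
    if method.upper() != "POST":
        return False
    if "lfstream&" not in uri[:12].lower():
        return False
    return URI_RE.match(uri) is not None


def evaluate_samples():
    """Run every constructed sample through the model; returns {name: bool}."""
    return {name: gatak_rule_matches(raw) for name, raw in SAMPLES.items()}
```

The "benign" sample passes the fast content prefilter but is rejected by the pcre, which is why the rule carries both.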