[Emerging-Sigs] Proposed Signature for Trojan.Gatak

Joel Esler jesler at sourcefire.com
Sun Dec 9 16:33:32 HAST 2012


That won't work unless you have 443 in http_inspect's config.

Just FYI.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Dec 9, 2012, at 8:57 PM, Christopher Granger <chrisgrangerx at gmail.com> wrote:

> Hi ET,
> 
> Trojan.Gatak is a Trojan that allows backdoor access. Some versions are able to spread via shared resources. 
> 
> The Trojan uses 443/TCP for C&C but sessions are not SSL/TLS encrypted. 
> 
> Example requests:
> /galfstream&tmmkmmgat=08PV2nvuCDUN77pF03rJN9E5B**fvjZmKGCmEnpe
> /galfstream&xcrvekhyx=ZJRWYZFTYdty0IFmK_nSHiT0JDY4AGgj
> /golfstream&qnpvh=wwld8vWuk34v7HPnmR6q1_EquRg19qHFesHlAhj0LXlBW8m72dnz
> 
> 
> Proposed rule:
> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Gatak POST Request to C&C"; flow:established,to_server; content:"POST"; nocase; http_method; content:"lfstream&"; nocase; http_uri; depth:12; pcre:"/\/g[oa]lfstream&/UAi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-012813-0854-99; classtype:trojan-activity; sid:XXXXXXX; rev:1;)
> 
> Regards,
> -Chris
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
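The port requirement Joel raises, shown as an added snort.conf excerpt (Snort 2.9.x syntax). This is not configuration from the original thread or from the ET ruleset; the port list, the flow-depth values and the local sid are illustrative assumptions. The http_method and http_uri buffers the proposed rule depends on are only populated for sessions on ports that http_inspect_server is configured to inspect, so a rule on destination port 443 silently never fires until 443 is in that list.

```conf
# Added example (not from the original thread): snort.conf fragments needed
# for an http_uri/http_method rule on 443/TCP to be evaluated at all.

# Assumed port list: 443 is added so plaintext HTTP used as C&C on that port
# gets the HTTP normalisation the rule's http_* modifiers require.
portvar HTTP_PORTS [80,443,8080]

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

preprocessor http_inspect_server: server default \
    profile all ports { 80 443 8080 } \
    server_flow_depth 0 \
    client_flow_depth 0

# Real TLS on 443 is not HTTP. The ssl preprocessor marks sessions it sees
# negotiate encryption so http_inspect does not process the ciphertext.
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, trustservers, noinspect_encrypted

# The proposed rule, with a reference in valid Snort syntax and an assumed
# local sid (1000001, in the 1000000+ range reserved for local rules).
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Gatak POST Request to C&C"; flow:established,to_server; content:"POST"; nocase; http_method; content:"lfstream&"; nocase; http_uri; depth:12; pcre:"/\/g[oa]lfstream&/UAi"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-012813-0854-99; classtype:trojan-activity; sid:1000001; rev:1;)
```

Validate the configuration with `snort -T -c snort.conf` before deploying; a parse error in the reference or preprocessor lines shows up there rather than as a rule that never alerts. The trade-off of listing 443 in http_inspect_server is that every session to that port is first handed to the HTTP normaliser, so keep the ssl preprocessor enabled with noinspect_encrypted to stop inspection once a session is confirmed encrypted.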

