[Emerging-Sigs] Proposed Signature for Trojan.Gatak

Martin Holste mcholste at gmail.com
Sun Dec 9 16:48:07 HAST 2012


Where did you get those example requests from?  They don't match the
writeup from Symantec.  Also, I would assume that "gulfstream" would be in
there at some point, so if you're sure about that style of request, then I
would swap [oa] with . in the pcre.


On Sun, Dec 9, 2012 at 8:33 PM, Joel Esler <jesler at sourcefire.com> wrote:

> That won't work unless you have 443 in http_inspect's config.
>
> Just FYI.
>
> --
> *Joel Esler*
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Dec 9, 2012, at 8:57 PM, Christopher Granger <chrisgrangerx at gmail.com>
> wrote:
>
> Hi ET,
>
> Trojan.Gatak is a Trojan that allows backdoor access. Some versions are
> able to spread via shared resources.
>
> The Trojan uses 443/TCP for C&C but sessions are not SSL/TLS encrypted.
>
> Example requests:
> /galfstream&tmmkmmgat=08PV2nvuCDUN77pF03rJN9E5B**fvjZmKGCmEnpe
> /galfstream&xcrvekhyx=ZJRWYZFTYdty0IFmK_nSHiT0JDY4AGgj
> /golfstream&qnpvh=wwld8vWuk34v7HPnmR6q1_EquRg19qHFesHlAhj0LXlBW8m72dnz
>
>
> Proposed rule:
> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Gatak POST
> Request to C&C"; flow:established,to_server; content:"POST"; nocase;
> http_method; content:"lfstream&"; nocase; http_uri; depth:12;
> pcre:"/\/g[oa]lfstream&/UAi";
> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-012813-0854-99;
> classtype:trojan-activity; sid:XXXXXXX; rev:1;)
>
> Regards,
> -Chris
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
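Added example (not part of the thread, and not Emerging Threats or Sourcefire code): a small Python simulation of how the three URI-bound options in the proposed rule (content "lfstream&" with depth:12 on http_uri, the anchored pcre, and the POST http_method check) evaluate the posted request lines. It also models the two points raised in the replies: Joel's, that http_uri/http_method buffers are only populated on ports listed in http_inspect's server config, and Martin's, that swapping `[oa]` for `.` in the pcre would also cover a "gulfstream" variant. The "gulfstream" URI, the GET request, the non-anchored path and the port-8443 request are constructed test inputs; the port set `{80, 8080}` is an assumed stand-in for an http_inspect profile that omits 443, not Snort's actual default list.

```python
import re

# Constructed sample requests: (method, destination port, normalized URI).
# The first three URIs are the ones posted in the thread; the rest are
# constructed negatives/variants used to probe the rule's logic.
SAMPLE_REQUESTS = [
    ("POST", 443, "/galfstream&tmmkmmgat=08PV2nvuCDUN77pF03rJN9E5B**fvjZmKGCmEnpe"),
    ("POST", 443, "/galfstream&xcrvekhyx=ZJRWYZFTYdty0IFmK_nSHiT0JDY4AGgj"),
    ("POST", 443, "/golfstream&qnpvh=wwld8vWuk34v7HPnmR6q1_EquRg19qHFesHlAhj0LXlBW8m72dnz"),
    ("POST", 443, "/gulfstream&abcde=constructedvalue"),  # constructed: 'u' variant
    ("GET", 443, "/galfstream&tmmkmmgat=constructed"),     # constructed: wrong method
    ("POST", 443, "/x/galfstream&tmmkmmgat=constructed"),  # constructed: not at URI start
    ("POST", 8443, "/galfstream&tmmkmmgat=constructed"),   # constructed: port not inspected
]

# pcre:"/\/g[oa]lfstream&/UAi" -- U: normalized URI buffer, A: anchored at the
# start of that buffer, i: case-insensitive.  Python equivalent below.
PCRE_ORIGINAL = re.compile(r"^/g[oa]lfstream&", re.IGNORECASE)
# Martin's suggestion: replace the [oa] class with "." so gulfstream matches too.
PCRE_GENERALIZED = re.compile(r"^/g.lfstream&", re.IGNORECASE)

# Assumed stand-in for an http_inspect server profile that does not list 443.
# On ports outside this set Snort never fills the http_uri/http_method buffers.
ASSUMED_HTTP_INSPECT_PORTS = {80, 8080}


def content_match(uri, pattern="lfstream&", depth=12):
    """content:"lfstream&"; nocase; http_uri; depth:12;

    The whole pattern must fall inside the first `depth` bytes of the URI
    buffer.  "/galfstream&" is exactly 12 bytes, so the depth is tight.
    """
    return pattern.lower() in uri[:depth].lower()


def rule_fires(method, dst_port, uri, pcre=PCRE_ORIGINAL,
               http_ports=ASSUMED_HTTP_INSPECT_PORTS):
    """Return True if every option of the proposed rule would match."""
    # Joel's point: without the port in http_inspect's config the http_*
    # buffers are empty, so options bound to them cannot match at all.
    if dst_port not in http_ports:
        return False
    # content:"POST"; nocase; http_method;
    if method.upper() != "POST":
        return False
    # content on http_uri with depth:12, then the anchored pcre on the same buffer.
    return content_match(uri) and pcre.search(uri) is not None


def evaluate(requests, pcre, http_ports):
    """Evaluate the rule against a list of (method, port, uri) tuples."""
    return [rule_fires(m, p, u, pcre, http_ports) for m, p, u in requests]


if __name__ == "__main__":
    with_443 = ASSUMED_HTTP_INSPECT_PORTS | {443}
    print("no 443 in http_inspect :", evaluate(SAMPLE_REQUESTS, PCRE_ORIGINAL, ASSUMED_HTTP_INSPECT_PORTS))
    print("443 added, [oa] pcre  :", evaluate(SAMPLE_REQUESTS, PCRE_ORIGINAL, with_443))
    print("443 added, '.' pcre   :", evaluate(SAMPLE_REQUESTS, PCRE_GENERALIZED, with_443))
```

Run as-is, the first line shows nothing firing at all, which is Joel's objection: the rule is syntactically fine but dead unless 443 is added to http_inspect's server ports. The second and third lines differ only on the constructed "gulfstream" request, which is the trade-off Martin raises; widening `[oa]` to `.` costs one byte of specificity on a URI that is already anchored and prefixed by the 12-byte content check.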