[Emerging-Sigs] Proposed Signature for Trojan.Gatak

Christopher Granger chrisgrangerx at gmail.com
Sun Dec 9 17:39:42 HAST 2012


Hi Martin,

The write-up addresses an older version which may or may not still be
active - it's one of a small number of public references I could find. The
requests were captured on NIDS SSL/TLS anomaly alerts on traffic to known
controllers. I have only seen the two strings included in the rule &
non-public reports corroborate just the two, but I'm not against expanding
coverage if FPs aren't an issue.

I think some of the IPs in the reference may still be active, but I haven't
confirmed this. I'll send any additional info I'm able to.

Thanks,
-Chris

On Sun, Dec 9, 2012 at 9:48 PM, Martin Holste <mcholste at gmail.com> wrote:

> Where did you get those example requests from?  They don't match the
> writeup from Symantec.  Also, I would assume that "gulfstream" would be in
> there at some point, so if you're sure about that style of request, then I
> would swap [oa] with . in the pcre.
>
>
>
> On Sun, Dec 9, 2012 at 8:33 PM, Joel Esler <jesler at sourcefire.com> wrote:
>
>> That won't work unless you have 443 in http_inspect's config.
>>
>> Just FYI.
>>
>> --
>> *Joel Esler*
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>>
>> On Dec 9, 2012, at 8:57 PM, Christopher Granger <chrisgrangerx at gmail.com>
>> wrote:
>>
>> Hi ET,
>>
>> Trojan.Gatak is a Trojan that allows backdoor access. Some versions are
>> able to spread via shared resources.
>>
>> The Trojan uses 443/TCP for C&C but sessions are not SSL/TLS encrypted.
>>
>> Example requests:
>> /galfstream&tmmkmmgat=08PV2nvuCDUN77pF03rJN9E5B**fvjZmKGCmEnpe
>> /galfstream&xcrvekhyx=ZJRWYZFTYdty0IFmK_nSHiT0JDY4AGgj
>> /golfstream&qnpvh=wwld8vWuk34v7HPnmR6q1_EquRg19qHFesHlAhj0LXlBW8m72dnz
>>
>>
>> Proposed rule:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Gatak POST
>> Request to C&C"; flow:established,to_server; content:"POST"; nocase;
>> http_method; content:"lfstream&"; nocase; http_uri; depth:12;
>> pcre:"/\/g[oa]lfstream&/UAi";
>> reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-012813-0854-99;
>> classtype:trojan-activity; sid:XXXXXXX; rev:1;)
>>
>> Regards,
>> -Chris
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>> Current!
>>
>>
>
>
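As an added example (not code from this thread or from the ET ruleset), the checks in the proposed rule restated in Python so they can be run offline against captured client-to-server payloads on 443/TCP. It also reflects the two points raised in the thread: the sessions are plaintext HTTP rather than TLS, so a payload that begins with a TLS record is skipped (on a sensor this is why 443 has to be in http_inspect's port list for the http_uri/http_method buffers to exist at all), and Martin's suggestion of `.` instead of `[oa]` is available as a `loose` flag so both variants can be compared on the same captures. The sample payloads are constructed here from the URIs posted in the thread; the Host values are TEST-NET placeholders, and `matches_rule`, `scan` and the sample names are this example's own.

```python
import re

# Mirror of the proposed Snort rule's conditions (added example, not the rule itself):
#   content:"POST"; nocase; http_method;
#   content:"lfstream&"; nocase; http_uri; depth:12;
#   pcre:"/\/g[oa]lfstream&/UAi";   (U = URI buffer, A = anchored, i = case-insensitive)
URI_CONTENT = b"lfstream&"
URI_DEPTH = 12
URI_PCRE_STRICT = re.compile(rb"\A/g[oa]lfstream&", re.IGNORECASE)
# Variant suggested in the thread: "." in place of "[oa]" so that "gulfstream" also matches.
URI_PCRE_LOOSE = re.compile(rb"\A/g.lfstream&", re.IGNORECASE)

# Constructed sample payloads (URIs taken from the thread; hosts are TEST-NET placeholders).
SAMPLE_PAYLOADS = {
    "gatak_post_a": b"POST /galfstream&tmmkmmgat=08PV2nvuCDUN77pF03rJN9E5B**fvjZmKGCmEnpe HTTP/1.1\r\n"
                    b"Host: 192.0.2.10\r\n\r\n",
    "gatak_post_o": b"POST /golfstream&qnpvh=wwld8vWuk34v7HPnmR6q1_EquRg19qHFesHlAhj0LXlBW8m72dnz HTTP/1.1\r\n"
                    b"Host: 192.0.2.10\r\n\r\n",
    # Same URI style but a GET: the rule requires POST, so this must not fire.
    "gatak_get": b"GET /galfstream&xcrvekhyx=ZJRWYZFTYdty0IFmK_nSHiT0JDY4AGgj HTTP/1.1\r\n"
                 b"Host: 192.0.2.10\r\n\r\n",
    # Start of a real TLS ClientHello record (0x16 handshake, 0x0301 record version), padded.
    "tls_client_hello": b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32,
    # Benign POST whose URI contains "stream&" but not "lfstream&" inside the first 12 bytes.
    "benign_post": b"POST /api/stream&x=1 HTTP/1.1\r\nHost: 192.0.2.20\r\n\r\n",
}


def is_tls_record(payload: bytes) -> bool:
    """True if the payload starts like a TLS record (handshake type, version major 3).
    Gatak's C&C on 443/TCP is plaintext HTTP, so its sessions fail this check."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def parse_request_line(payload: bytes):
    """Return (method, uri) from a plaintext HTTP request, or None if it is not one."""
    line, sep, _rest = payload.partition(b"\r\n")
    if not sep:
        return None
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0], parts[1]


def matches_rule(payload: bytes, loose: bool = False) -> bool:
    """Apply the rule's method, content/depth and pcre conditions to one payload."""
    if is_tls_record(payload):
        return False
    parsed = parse_request_line(payload)
    if parsed is None:
        return False
    method, uri = parsed
    if method.upper() != b"POST":                      # content:"POST"; nocase; http_method;
        return False
    if URI_CONTENT not in uri[:URI_DEPTH].lower():     # content:"lfstream&"; nocase; depth:12;
        return False
    pattern = URI_PCRE_LOOSE if loose else URI_PCRE_STRICT
    return pattern.match(uri) is not None              # anchored pcre on the URI buffer


def scan(payloads: dict, loose: bool = False) -> list:
    """Return the names of the payloads that would trigger the rule."""
    return [name for name, data in payloads.items() if matches_rule(data, loose=loose)]


if __name__ == "__main__":
    for name, data in SAMPLE_PAYLOADS.items():
        print(f"{name:18s} tls={is_tls_record(data)!s:5s} strict={matches_rule(data)!s:5s} "
              f"loose={matches_rule(data, loose=True)}")
```

Running the script prints one line per sample; only the two POST requests with the `g[oa]lfstream&` prefix fire, the GET and the benign POST do not, and the TLS record is dismissed before any HTTP parsing.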