[Emerging-Sigs] Proposed Signature for Trojan.Gatak

Christopher Granger chrisgrangerx at gmail.com
Wed Dec 12 11:54:43 HAST 2012


We have been using less specifically targeted regex monitoring of proxy
logs to great effect since I first emailed about this -- no FPs and a
surprising number of infections detected.

On Sun, Dec 9, 2012 at 10:39 PM, Christopher Granger <
chrisgrangerx at gmail.com> wrote:

> Hi Martin,
>
> The write-up addresses an older version which may or may not still be
> active - it's one of a small number of public references I could find. The
> requests were captured on NIDS SSL/TLS anomaly alerts on traffic to known
> controllers. I have only seen the two strings included in the rule &
> non-public reports corroborate just the two, but I'm not against expanding
> coverage if FPs aren't an issue.
>
> I think some of the IPs in the reference may still be active, but I
> haven't confirmed this. I'll send any additional info I'm able to.
>
> Thanks,
> -Chris
>
>
> On Sun, Dec 9, 2012 at 9:48 PM, Martin Holste <mcholste at gmail.com> wrote:
>
>> Where did you get those example requests from?  They don't match the
>> writeup from Symantec.  Also, I would assume that "gulfstream" would be in
>> there at some point, so if you're sure about that style of request, then I
>> would swap [oa] with . in the pcre.
>>
>>
>>
>> On Sun, Dec 9, 2012 at 8:33 PM, Joel Esler <jesler at sourcefire.com> wrote:
>>
>>> That won't work unless you have 443 in http_inspects config.
>>>
>>> Just FYI.
>>>
>>> --
>>> *Joel Esler*
>>> Senior Research Engineer, VRT
>>> OpenSource Community Manager
>>> Sourcefire
>>>
>>> On Dec 9, 2012, at 8:57 PM, Christopher Granger <chrisgrangerx at gmail.com>
>>> wrote:
>>>
>>> Hi ET,
>>>
>>> Trojan.Gatak is a Trojan that allows backdoor access. Some versions are
>>> able to spread via shared resources.
>>>
>>> The Trojan uses 443/TCP for C&C but sessions are not SSL/TLS encrypted.
>>>
>>> Example requests:
>>> /galfstream&tmmkmmgat=08PV2nvuCDUN77pF03rJN9E5B**fvjZmKGCmEnpe
>>> /galfstream&xcrvekhyx=ZJRWYZFTYdty0IFmK_nSHiT0JDY4AGgj
>>> /golfstream&qnpvh=wwld8vWuk34v7HPnmR6q1_EquRg19qHFesHlAhj0LXlBW8m72dnz
>>>
>>>
>>> Proposed rule:
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Gatak POST
>>> Request to C&C"; flow:established,to_server; content:"POST"; nocase;
>>> http_method; content:"lfstream&"; nocase; http_uri; depth:12;
>>> pcre:"/\/g[oa]lfstream&/UAi"; reference:
>>> http://www.symantec.com/security_response/writeup.jsp?docid=2012-012813-0854-99;
>>> classtype:trojan-activity; sid:XXXXXXX; rev:1;)
>>>
>>> Regards,
>>> -Chris
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at lists.emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>> http://www.emergingthreatspro.com
>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>>> Current!
>>>
>>
>>
>
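As an added illustration (not part of the thread, and not code from Emerging Threats or Sourcefire), the following Python script emulates the match logic of the proposed rule and runs it over a few constructed proxy-log lines, so the interaction between the `content:"lfstream&"; depth:12; http_uri` prefilter, the start-anchored `pcre:"/\/g[oa]lfstream&/UAi"` (Snort's `A` modifier anchors the pattern to the start of the URI buffer, `U` selects the normalized URI, `i` makes it case-insensitive) and Martin's broadened `g.lfstream` variant can be seen on concrete input. The log format, client addresses and the `gulfstream` request are constructed for the example; the three `galfstream`/`golfstream` URIs are the ones from Chris's post. On a real sensor the URI buffer only exists if the HTTP preprocessor parses the stream, which is Joel's point about adding 443 to the `http_inspect` ports.

```python
import re
from dataclasses import dataclass
from typing import List

# Emulation of the proposed rule's URI checks (assumptions labelled in comments):
#   content:"lfstream&"; nocase; http_uri; depth:12;  -> content must end within first 12 URI bytes
#   pcre:"/\/g[oa]lfstream&/UAi";                     -> URI buffer, anchored at start, case-insensitive
CONTENT = b"lfstream&"
DEPTH = 12
RULE_PCRE = re.compile(r"/g[oa]lfstream&", re.IGNORECASE)
# Martin's suggested broadening: "." instead of "[oa]" also catches "gulfstream"
BROAD_PCRE = re.compile(r"/g.lfstream&", re.IGNORECASE)

# Constructed sample log: "<epoch> <client> <method> <url>" (simplified, not a real proxy format).
SAMPLE_LOG = """\
1355270000.123 10.0.0.15 POST http://198.51.100.7:443/galfstream&tmmkmmgat=08PV2nvuCDUN77pF03rJN9E5B**fvjZmKGCmEnpe
1355270001.456 10.0.0.15 GET http://example.com/gulfstream-jet.html
1355270002.789 10.0.0.22 POST http://198.51.100.7:443/golfstream&qnpvh=wwld8vWuk34v7HPnmR6q1_EquRg19qHFesHlAhj0LXlBW8m72dnz
1355270003.001 10.0.0.31 POST http://203.0.113.9:443/gulfstream&abc=ZZZ
1355270004.002 10.0.0.40 POST http://example.com/api/galfstream&x=1
"""


@dataclass
class Hit:
    line_no: int
    client: str
    uri: str
    broadened_only: bool  # True when only the "g.lfstream" variant matched


def content_depth_match(uri: str) -> bool:
    """content:"lfstream&"; nocase; depth:12 -- look only in the first 12 bytes of the URI."""
    window = uri.encode("utf-8", "replace")[:DEPTH].lower()
    return CONTENT in window


def matches_rule(method: str, uri: str, broaden: bool = False) -> bool:
    """True if a request would satisfy the rule's method, content/depth and pcre checks."""
    if method.upper() != "POST":          # content:"POST"; nocase; http_method
        return False
    if not content_depth_match(uri):      # fast-pattern prefilter
        return False
    pattern = BROAD_PCRE if broaden else RULE_PCRE
    return pattern.match(uri) is not None  # re.match() emulates the pcre "A" (start-anchored) modifier


def scan_proxy_log(log_text: str, broaden: bool = False) -> List[Hit]:
    """Run the rule emulation over proxy-log lines and return the matching requests."""
    hits: List[Hit] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, client, method, url = parts[:4]
        # Keep only path+query, which is what the http_uri buffer holds.
        m = re.match(r"^\w+://[^/]+(/.*)$", url)
        if not m:
            continue
        uri = m.group(1)
        if matches_rule(method, uri, broaden):
            hits.append(Hit(n, client, uri, broadened_only=not matches_rule(method, uri)))
    return hits


if __name__ == "__main__":
    for label, broaden in (("rule as proposed", False), ("broadened g.lfstream", True)):
        print(f"== {label} ==")
        for h in scan_proxy_log(SAMPLE_LOG, broaden):
            flag = " (broadened variant only)" if h.broadened_only else ""
            print(f"line {h.line_no}: {h.client} -> {h.uri[:32]}...{flag}")
```

Two things the run makes visible: the `depth:12` window is exactly the length of `/galfstream&`, so the prefilter and the start-anchored pcre agree, and a URI such as `/api/galfstream&x=1` is rejected by both, which matters if the same regex is reused unanchored against proxy logs as Chris describes; and the broadened variant is the only one that fires on the `gulfstream` request, so the FP question Chris raises applies specifically to that extra coverage.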