[Emerging-Sigs] Are these FPs or not?

Nathan nathan at packetmail.net
Thu Dec 13 04:18:12 HAST 2012


On 12/12/2012 06:13 PM, Christopher Granger wrote:
> Example requests from validated infections, each using a unique set of C&C servers
> 
> Inline image 2
> Inline image 1

Very good thread; I too am looking at User-Agent as an indicator of compromise
in addition to other things on the SSL channels.

Something worth noting here is that Mozilla/5.0 did not exist with MSIE until
MSIE 9.  This incorrect branding is a good way to detect badness.  My proxy logs
are in Hadoop/Hive and I am using this query to detect on badness inclusive of
some recent Ponmocup findings.

A "Hiveism" is the use of double-escapes; obviously for PCRE this is
superfluous.  The below might be able to be used to tie Mozilla versions to MSIE
versions as an outlier for anomalous User-Agents.  Seems we could craft some
less PCRE-heavy sigs based on the logic below.

-- Flag User-Agents whose Mozilla token, MSIE version and Windows NT version
-- disagree with each other (Hive string literals need the regex backslashes
-- doubled, hence \\/ and \\x3b for '/' and ';').
select distinct http_status, user_name, client_ip, url, user_agent
from webwasher_full
where day = '$PARTITION'
  and (
       -- Mozilla/4.0 should only appear with MSIE 4 through 8
       user_agent rlike 'Mozilla\\/4\\.[^\\r\\n]+\\x3b MSIE [^4-8]'
       -- Mozilla/5.0 should only appear with MSIE 9 or 1x
    or user_agent rlike 'Mozilla\\/5\\.[^\\r\\n]+\\x3b MSIE [^19]\\d?'
       -- Windows NT major versions outside 4-6 ...
    or user_agent rlike 'Mozilla\\/[^\\r\\n]+\\x3b Windows NT [^4-6]'
       -- ... and NT 4.x itself
    or user_agent like '%Windows NT 4%'
  )
  -- known-legitimate oddballs that would otherwise trip the checks above
  and user_agent not like '% GoogleToolbar %'
  and url not like '%.adobe.com/%'
  and url not like '%.real.com/%'
  and user_agent not like '% Placeware RPC %'
order by url, user_agent, client_ip, user_name, http_status;

Thanks,
Nathan
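
The Mozilla-token vs. MSIE-version vs. Windows NT consistency check from the
query above, reimplemented as an added example that is not part of the original
message or of Nathan's Hive setup. It mirrors the query's thresholds (Mozilla/4.0
only with MSIE 4-8, Mozilla/5.0 only with MSIE 9 or 1x, Windows NT only 5.x/6.x
once the explicit NT 4 match is folded in) and its URL/User-Agent exclusions,
and runs them over a handful of constructed proxy log records, so the logic can
be read without the Hive double-escaping. The record layout (client_ip, url,
user_agent) and all sample values are assumptions made for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample proxy records for the example (client_ip, url, user_agent);
# none of these are real log data.
SAMPLE_LOGS: List[Tuple[str, str, str]] = [
    ("10.0.0.5", "http://example.com/", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"),
    ("10.0.0.6", "http://example.com/", "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"),
    ("10.0.0.7", "http://example.net/cgi", "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
    ("10.0.0.8", "http://example.net/x", "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"),
    ("10.0.0.9", "http://example.org/", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 4.0)"),
    ("10.0.0.10", "http://www.adobe.com/upd", "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1)"),
    ("10.0.0.11", "http://example.com/", "Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; GoogleToolbar 7.5)"),
    ("10.0.0.12", "http://example.com/", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; Trident/6.0)"),
]

# Mozilla major version followed (somewhere before a line break) by "; MSIE <n>".
UA_RE = re.compile(r"Mozilla/(?P<moz>\d+)\.\d+[^\r\n]*?;\s*MSIE (?P<msie>\d+)(?:\.\d+)?")
NT_RE = re.compile(r"Windows NT (?P<nt>\d+)")

# Same exclusions the Hive query carries; substrings including the surrounding spaces.
URL_EXCLUDES = (".adobe.com/", ".real.com/")
UA_EXCLUDES = (" GoogleToolbar ", " Placeware RPC ")


def classify_user_agent(ua: str) -> List[str]:
    """Return the list of inconsistencies found in a User-Agent (empty if it looks sane)."""
    reasons: List[str] = []
    m = UA_RE.search(ua)
    if m:
        moz = int(m.group("moz"))
        msie = int(m.group("msie"))
        # Mozilla/4.0 was the token for MSIE 4 through 8.
        if moz == 4 and not 4 <= msie <= 8:
            reasons.append(f"Mozilla/4 with MSIE {msie}")
        # Mozilla/5.0 only shipped with MSIE 9 and later (query: first digit 9 or 1).
        if moz == 5 and msie < 9:
            reasons.append(f"Mozilla/5 with MSIE {msie}")
    nt = NT_RE.search(ua)
    if nt:
        ntver = int(nt.group("nt"))
        # Query allows NT [4-6] but then flags 'Windows NT 4%', so 5.x and 6.x remain.
        if not 5 <= ntver <= 6:
            reasons.append(f"Windows NT {ntver}")
    return reasons


def is_excluded(url: str, ua: str) -> bool:
    """Whitelist of legitimate oddballs, lifted from the query's NOT LIKE clauses."""
    return any(s in url for s in URL_EXCLUDES) or any(s in ua for s in UA_EXCLUDES)


def find_anomalous(records: List[Tuple[str, str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Run the check over (client_ip, url, user_agent) records; return the hits."""
    hits = []
    for client_ip, url, ua in records:
        if is_excluded(url, ua):
            continue
        reasons = classify_user_agent(ua)
        if reasons:
            hits.append((client_ip, ua, reasons))
    return hits


if __name__ == "__main__":
    for client_ip, ua, reasons in find_anomalous(SAMPLE_LOGS):
        print(f"{client_ip}\t{'; '.join(reasons)}\t{ua}")
```

Running it lists only the three constructed records whose tokens disagree
(.7, .8 and .9); the adobe.com and GoogleToolbar records are suppressed by the
same exclusions the query uses. The MSIE-based check does not see IE11 at all,
since that version dropped the MSIE token, so a Mozilla/5.0 UA without MSIE is
simply not judged here.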


