[Emerging-Sigs] Detection AdwindRAT inside SSL traffic.

Attack Detection attackdetectionteam at gmail.com
Fri Sep 1 14:12:34 EDT 2017


Hello.
    We offer one of the ways to detect malicious AdwindRAT software inside
the encrypted traffic. Recently, the detection of this malicious program in
network traffic has been significantly reduced due to encryption. As a result of
the research, a stable structure of data fragments was created. The
captions are cascaded with stream bits, contain fast_pattern and
stream_size.
Best regards.
John.

alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu certificate #0"; flow:established,to_client; content:"|308204|"; depth:300; content:"|308203|"; distance:1; within:3; content:"|a0030201020204|"; distance:1; within:7; content:"|300d06092a864886f70d01010b05003081|"; distance:4; within:17; flowbits:set,FB332502_; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 30; classtype:trojan-activity; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; sid:10001903; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt checker #0"; flow:established,to_server; content:"|1703|"; depth:2; content:"|0040|"; distance:1; within:2; fast_pattern; stream_size:server,>,1789; stream_size:server,<,2124; stream_size:client,>,447; stream_size:client,<,1722; flowbits:isset,FB332502_; flowbits:set,FB332502_0; flowbits:noalert; classtype:trojan-activity; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; sid:10001904; rev:1;)
alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt checker #1"; flow:established,to_client; content:"|1703|"; depth:2; content:"|0040|"; distance:1; within:2; fast_pattern; stream_size:server,>,1789; stream_size:server,<,2124; stream_size:client,>,447; stream_size:client,<,1722; flowbits:isset,FB332502_0; flowbits:unset,FB332502_0; flowbits:set,FB332502_1; flowbits:noalert; classtype:trojan-activity; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; sid:10001905; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET [:32768] (msg:"ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt checker #2"; flow:established,to_server; content:"|1703|"; depth:2; byte_test:2,>=,1024,1,relative; byte_test:2,<=,1100,1,relative; stream_size:server,>,1889; stream_size:server,<,2124; stream_size:client,>,1476; stream_size:client,<,1722; flowbits:isset,FB332502_1; flowbits:unset,FB332502_1; flowbits:set,FB332502_2; flowbits:noalert; classtype:trojan-activity; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; sid:10001906; rev:1;)
alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt checker #3"; flow:established,to_client; content:"|1703|"; depth:2; content:"|0050|"; distance:1; within:2; fast_pattern; stream_size:server,>,1889; stream_size:server,<,2224; stream_size:client,>,1476; stream_size:client,<,8722; flowbits:isset,FB332502_2; flowbits:unset,FB332502_2; flowbits:set,FB332502_3; flowbits:noalert; classtype:trojan-activity; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; sid:10001907; rev:1;)
alert tcp $EXTERNAL_NET [:32768] -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Backdoor.Java.Adwind.cu pkt checker #4"; flow:established,to_client; content:"|1703|"; depth:2; content:"|0050|"; distance:1; within:2; fast_pattern; stream_size:server,>,1889; stream_size:server,<,2436; stream_size:client,>,1476; stream_size:client,<,8834; flowbits:isset,FB332502_3; flowbits:unset,FB332502_3; threshold:type limit, track by_src, count 1, seconds 30; classtype:trojan-activity; reference:md5,d93dd17a9adf84ca2839708d603d3bd6; sid:10001908; rev:1;)

Hashes:

PCAPs:
https://www.dropbox.com/sh/jcvvtr6f42sk8kc/AADMr7GcjJ9RTgXPyusKK032a?dl=0
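The rule chain above, reimplemented as an added Python example (not code from the original post or from PTsecurity) so the cascade can be read as one state machine: the certificate rule fingerprints a DER prefix (an outer SEQUENCE of length 0x04xx, a tbsCertificate of length 0x03xx, version v3, a 4-byte serial, sha256WithRSAEncryption and an issuer Name longer than 127 bytes), and each pkt checker gates on direction, the TLS application-data record length and the per-side stream_size windows. The packet tuples and per-side byte counts are constructed inputs; treating stream_size as "bytes already sent by that side" is an assumption about how Snort derives it from TCP sequence numbers.

```python
import struct
# One entry per "pkt checker" rule in flowbits order: expected direction, allowed
# TLS record length (inclusive) and the exclusive server/client stream_size windows.
STAGES = [
    ("to_server", (0x40, 0x40), (1789, 2124), (447, 1722)),    # sid 10001904
    ("to_client", (0x40, 0x40), (1789, 2124), (447, 1722)),    # sid 10001905
    ("to_server", (1024, 1100), (1889, 2124), (1476, 1722)),   # sid 10001906
    ("to_client", (0x50, 0x50), (1889, 2224), (1476, 8722)),   # sid 10001907
    ("to_client", (0x50, 0x50), (1889, 2436), (1476, 8834)),   # sid 10001908
]

def looks_like_adwind_cert(payload: bytes) -> bool:
    """sid 10001903: the DER prefix chain, with the same depth/distance/within
    arithmetic as the content keywords (offsets are relative to the last match)."""
    i = payload.find(b"\x30\x82\x04", 0, 300)            # depth:300
    if i < 0:
        return False
    p = i + 3 + 1                                         # distance:1
    if payload[p:p + 3] != b"\x30\x82\x03":               # within:3
        return False
    p += 3 + 1                                            # distance:1
    if payload[p:p + 7] != bytes.fromhex("a0030201020204"):  # within:7
        return False
    p += 7 + 4                                            # distance:4 skips the 4-byte serial
    return payload[p:p + 17] == bytes.fromhex("300d06092a864886f70d01010b05003081")

def tls_app_record_len(payload: bytes):
    """content:"|1703|"; depth:2; then the 2-byte record length at offset 3."""
    if len(payload) < 5 or payload[:2] != b"\x17\x03":
        return None
    return struct.unpack(">H", payload[3:5])[0]

def adwind_chain_stage(cert_payload: bytes, packets) -> int:
    """Walk the flowbits chain. packets: (direction, payload, server_bytes,
    client_bytes), where the byte counts are what each side has sent so far
    (assumption: Snort derives stream_size from TCP sequence numbers).
    Returns the number of stages passed; 5 means sid 10001908 would fire."""
    if not looks_like_adwind_cert(cert_payload):          # FB332502_ never set
        return 0
    stage = 0
    for direction, payload, server_bytes, client_bytes in packets:
        if stage == len(STAGES):
            break
        want_dir, (lo, hi), (smin, smax), (cmin, cmax) = STAGES[stage]
        rec_len = tls_app_record_len(payload)
        if (direction == want_dir and rec_len is not None and lo <= rec_len <= hi
                and smin < server_bytes < smax and cmin < client_bytes < cmax):
            stage += 1                                    # unset old bit, set next
    return stage
```

A non-matching packet leaves the stage where it is, exactly as an unmatched flowbit stays set; the chain only completes when all five records arrive in order.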

