[Community-sigs] new sig Linux.Backdoor.Concbak

Alain Zidouemba azidouemba at sourcefire.com
Wed Mar 18 12:37:15 EDT 2015


Automated rules would be fine. I went off the Snort rule in the link you
provided:

alert tcp any any -> any any
(msg:"potential malicious traffic http://users.***.com/fcgbin/cgi_get_portrait.fcg?uins=211284131";
content:"/fcgbin/cgi_get_portrait.fcg?uins=";
content:"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)";
content:"Host: users.***.com";)


Cleaned up rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
potential malicious traffic PIN presentation demo";
flow:to_server,established; content:"/fcgbin/cgi_get_portrait.fcg?uins=";
http_uri; fast_pattern:only; content:"Host|3a| users.***.com";
metadata:service http; classtype:trojan-activity;)


Cleaned up rule split out for easy readability:

Connection: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
Message   : MALWARE-CNC potential malicious traffic PIN presentation demo
Flow      : to_server,established
Detection :
    content:"/fcgbin/cgi_get_portrait.fcg?uins="; http_uri;
    fast_pattern:only;
    content:"Host|3a| users.***.com";
Metadata  :
    Policy:
    Service: http
Classtype : trojan-activity



- I removed the content match for the User-Agent string because it's really
not necessary in my opinion
- The original rule did not have ports or networks listed nor the flow
keyword.  These all work together to help the rule look only at traffic
that is relevant, effecting a performance increase for all of snort.
- I also added service metadata and classtype information.  Service
metadata further helps the rule look at relevant data and the classtype is
simply a classification system to help prioritize events coming out of
snort.
- Finally, I added the ruletype "MALWARE-CNC" to the rule message and
cleaned up the rule message to remove invalid characters and make the
message easier to read for the end users.
- On the detection side, I added buffer information to the URI content
match to restrict search space to the URI which both speeds up snort by
looking at less data and also allows snort to provide normalization
services to make it easier to match input data.  Now, since this is
hardcoded in malware, normalization isn't as big of a deal since it'll
always look the same (or we wouldn't want to force "uins" to be the first
parameter like we do in that content match), but restricting the search
space to only the URI is useful.
- Also, I added the fast_pattern:only flag to further speed up the
detection by not repeating the content match during the rule evaluation.
There are some nuances to when you would and would not want to use this
directive, so I'm a little hesitant to include it here without proper
explanation but I'll leave it there, anyway.
- Note that the last content match, "Host|3a| users.***.com", would
literally expect "***" to be in the hostname, which I don't think is
actually what you want, but it was not immediately obvious from the code
snippets in the presentation whether they were literal strings or placeholders.


Hope this helps.

- Alain

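To make the detection-side bullets above concrete, here is an added example (not Snort and not code from the thread): a toy parser for the content options of the cleaned-up rule that decodes the `|3a|` hex escape, records which content carries `http_uri` and `fast_pattern`, and then checks constructed HTTP requests against it. The functions `parse_rule`, `decode_content`, `split_request` and `evaluate_rule`, the sample requests and the host `users.example.com` are all invented for this illustration; the URI buffer is taken straight from the request line with none of Snort's normalization, and the flow, port and network parts of the rule header are ignored because they need connection state.

```python
import re

# The cleaned-up rule from the post, on one line.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"MALWARE-CNC potential malicious traffic PIN presentation demo"; '
        'flow:to_server,established; content:"/fcgbin/cgi_get_portrait.fcg?uins="; '
        'http_uri; fast_pattern:only; content:"Host|3a| users.***.com"; '
        'metadata:service http; classtype:trojan-activity;)')

# One rule option: name, optional ":value" (quoted or bare), terminated by ';'.
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
# Option names that modify the content option that precedes them (subset of Snort's).
CONTENT_MODIFIERS = {"http_uri", "http_header", "nocase", "fast_pattern"}


def decode_content(text):
    """Turn a Snort content string into bytes: text outside |...| is literal, inside is hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(rule):
    """Return [(pattern_bytes, modifiers)] for every content option in the rule body."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    matches = []
    for m in OPTION_RE.finditer(body):
        name, value = m.group(1), m.group(2)
        if name == "content":
            matches.append((decode_content(value.strip('"')), set()))
        elif name in CONTENT_MODIFIERS:
            if not matches:
                raise ValueError(name + " without a preceding content option")
            matches[-1][1].add(name)
    return matches


def split_request(raw):
    """Return (uri, header block) from a raw HTTP request; no URI normalization (simplification)."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return uri, head


def evaluate_rule(rule, raw):
    """True when every content option matches in its buffer: the URI for http_uri, else the whole request."""
    uri, _ = split_request(raw)
    for pattern, mods in parse_rule(rule):
        buffer = uri if "http_uri" in mods else raw
        if pattern not in buffer:
            return False
    return True


# Constructed requests, not captured traffic.
REQ_MATCH = (b"GET /fcgbin/cgi_get_portrait.fcg?uins=211284131 HTTP/1.1\r\n"
             b"Host: users.***.com\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n")
# Another parameter ahead of uins: the URI content requires uins to be first, so no match.
REQ_PARAM_ORDER = (b"GET /fcgbin/cgi_get_portrait.fcg?foo=1&uins=211284131 HTTP/1.1\r\n"
                   b"Host: users.***.com\r\n\r\n")
# Same path with a host that is not literally "***": the Host content fails, as the last bullet warns.
REQ_OTHER_HOST = (b"GET /fcgbin/cgi_get_portrait.fcg?uins=211284131 HTTP/1.1\r\n"
                  b"Host: users.example.com\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("match", REQ_MATCH), ("uins not first", REQ_PARAM_ORDER),
                       ("other host", REQ_OTHER_HOST)]:
        print(label, evaluate_rule(RULE, req))
```

Running it shows only the first request firing; the other two illustrate why the `?uins=` anchor and the literal `***` host both deserve a second look before the rule ships.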
On Wed, Mar 18, 2015 at 11:02 AM, <andreisaygo at live.ie> wrote:

> Hi Alain,
>
> That sounds even better, thanks :)
>
> Would you accept snort rules generated by automated systems as well ?
> For example:
> https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_R&D_Track_PIN_Down_the_Malware.pdf
>
> Regards,
> Andrei Saygo
>
> > Date: Wed, 18 Mar 2015 10:52:23 -0400
> > From: azidouemba at sourcefire.com
> > To: community-sigs at lists.clamav.net
> > Subject: Re: [Community-sigs] new sig Linux.Backdoor.Concbak
> >
> > If you know and are interested in providing Snort rules for malware
> > samples, we will add your rules (again, after testing and tweaking if
> > necessary) to the community ruleset:
> >
> > http://blog.snort.org/2013/03/the-sourcefire-vrt-community-ruleset-is.html
> >
> > You'll of course be given credit for your Snort rules, just as you are
> > given credit for your ClamAV signatures.
> >
> > Thank you very much for your contribution,
> >
> > - Alain
> >
> > On Wed, Mar 18, 2015 at 10:42 AM, <andreisaygo at live.ie> wrote:
> >
> > > Hi Ben,
> > > Sounds great, thanks. I'll make sure to include similar info (if possible)
> > > from now on.
> > >
> > > Regards,
> > > Andrei Saygo
> > > > Date: Wed, 18 Mar 2015 10:39:20 -0400
> > > > From: bbaker at sourcefire.com
> > > > To: community-sigs at lists.clamav.net
> > > > Subject: Re: [Community-sigs] new sig Linux.Backdoor.Concbak
> > > >
> > > > Thanks Andrei! Your sig passed FP check and has been published. Since you
> > > > included really unique network info, I'll make a Snort rule for that as
> > > > well.
> > > >
> > > > On Mon, Mar 16, 2015 at 7:52 PM, <andreisaygo at live.ie> wrote:
> > > >
> > > > > Signature:
> > > > >
> > > > >
> > > > > Linux.Backdoor.Concbak;Target:6;(0&1&2)&(3|4|5);2F676174652E706870;2670636E616D653D00;26687769643D00;756470666C6F6F6400;6261636B636F6E6E65637400;2F6574632F736861646F7700
> > > > >
> > > > > Hashes:
> > > > > MD5: 88119dc700357d2d486efb2d1369b105
> > > > > SHA1: 36361d6472d3c675182a2ca01ceed968d6c8e46b
> > > > > SHA256: 6b2cc3d64aa719c4910b89dc841f7ae07a5eab481d9ad2ed75059ac5173092b1
> > > > >
> > > > > Sig0:
> > > > > /gate.php
> > > > >
> > > > > Sig1:
> > > > > &pcname=
> > > > >
> > > > > Sig2:
> > > > > &hwid=
> > > > >
> > > > > Sig3:
> > > > > udpflood
> > > > > Sig4:
> > > > > backconnect
> > > > > Sig5:
> > > > > /etc/shadow
> > > > >
> > > > > Additional details:
> > > > > Full link:
> > > > > hxxp://webcrawl.marketplay.be:80//platforms/linux_v6//gate.php
> > > > >
> > > > > HTTP header:
> > > > > User-Agent: Firefox.3.5
> > > > > Referer: http://google.com/
> > > > > Accept-Encoding: identity
> > > > >
> > > > >
> > > > > Regards,
> > > > > Andrei Saygo
> > > > > _______________________________________________
> > > > > Community-sigs mailing list
> > > > > Community-sigs at lists.clamav.net
> > > > > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> > > > >
> > > > > http://www.clamav.net/contact.html#ml
> > > > >

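The signature Andrei posted at the bottom of the thread is a ClamAV logical signature: name, target type, a logical expression over numbered sub-signatures, then the sub-signatures themselves as hex. As an added example (not ClamAV code and not from the thread), here is a toy reader that splits such a line, decodes the hex sub-signatures to the strings the `Sig0`..`Sig5` listing spells out, checks each against a byte buffer and evaluates `(0&1&2)&(3|4|5)` over the hits. The functions `parse_ldb`, `decode_subsigs`, `evaluate` and `scan`, the grammar used for the expression (`&` binding tighter than `|`, which does not matter for this fully parenthesised expression) and the three sample buffers are all assumptions made for this illustration; ClamAV wildcards, match-count operators and target filtering (`Target:6` is the ELF target) are not handled.

```python
import re

# Copy of the logical signature posted in the thread.
LDB_SIG = ("Linux.Backdoor.Concbak;Target:6;(0&1&2)&(3|4|5);"
           "2F676174652E706870;2670636E616D653D00;26687769643D00;"
           "756470666C6F6F6400;6261636B636F6E6E65637400;2F6574632F736861646F7700")

# Plain hex only; anything else (?? or * wildcards, {n-m} jumps) is rejected by this toy.
HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def parse_ldb(line):
    """Split an .ldb line into (name, target block, logical expression, [subsig bytes])."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("need name, target, expression and at least one sub-signature")
    subsigs = []
    for hexsig in fields[3:]:
        if not HEX_RE.fullmatch(hexsig):
            raise ValueError("unsupported sub-signature (wildcards?): " + hexsig)
        subsigs.append(bytes.fromhex(hexsig))
    return fields[0], fields[1], fields[2], subsigs


def decode_subsigs(subsigs):
    """Render sub-signatures as text; the trailing NUL on most of them is the C-string terminator in the binary."""
    return [s.decode("latin-1") for s in subsigs]


def evaluate(expr, hits):
    """Evaluate a logical expression over per-subsig hit flags.
    Assumed grammar: or := and ('|' and)*; and := atom ('&' atom)*; atom := index | '(' or ')'."""
    pos = 0

    def peek():
        return expr[pos] if pos < len(expr) else ""

    def parse_or():
        nonlocal pos
        value = parse_and()
        while peek() == "|":
            pos += 1
            rhs = parse_and()      # always consumed, so the whole expression is validated
            value = value or rhs
        return value

    def parse_and():
        nonlocal pos
        value = parse_atom()
        while peek() == "&":
            pos += 1
            rhs = parse_atom()
            value = value and rhs
        return value

    def parse_atom():
        nonlocal pos
        if peek() == "(":
            pos += 1
            value = parse_or()
            if peek() != ")":
                raise ValueError("unbalanced parentheses in " + expr)
            pos += 1
            return value
        start = pos
        while peek().isdigit():
            pos += 1
        if start == pos:
            raise ValueError("expected sub-signature index at offset %d in %s" % (pos, expr))
        index = int(expr[start:pos])
        if index >= len(hits):
            raise ValueError("sub-signature %d is not defined" % index)
        return hits[index]

    result = parse_or()
    if pos != len(expr):
        raise ValueError("trailing characters in " + expr)
    return result


def scan(ldb_line, data):
    """Return (matched, per-subsig hits) for one buffer against one logical signature."""
    _, _, expr, subsigs = parse_ldb(ldb_line)
    hits = [s in data for s in subsigs]
    return evaluate(expr, hits), hits


# Constructed buffers, not the real sample: NUL-terminated strings as a compiler would lay them out.
SAMPLE_HIT = (b"\x7fELF" + b"\x00" * 16 + b"/platforms/linux_v6//gate.php\x00"
              + b"&pcname=\x00&hwid=\x00udpflood\x00")
# The three mandatory strings but none of the optional three: the (3|4|5) clause fails.
SAMPLE_PARTIAL = b"\x7fELF" + b"/gate.php\x00&pcname=\x00&hwid=\x00"
# All optional strings but no /gate.php: the (0&1&2) clause fails.
SAMPLE_MISS = b"\x7fELF" + b"&pcname=\x00&hwid=\x00udpflood\x00backconnect\x00/etc/shadow\x00"

if __name__ == "__main__":
    name, target, expr, subsigs = parse_ldb(LDB_SIG)
    print(name, target, expr, decode_subsigs(subsigs))
    for label, buf in [("hit", SAMPLE_HIT), ("partial", SAMPLE_PARTIAL), ("miss", SAMPLE_MISS)]:
        print(label, scan(LDB_SIG, buf))
```

The per-subsig hit list that `scan` returns is the useful part when tuning a signature: it shows which clause of the expression carried the match, so a sample that only trips the `(3|4|5)` strings (which are common words) is visibly distinct from one that also has the `/gate.php` beacon path.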

