[Community-sigs] new sig Linux.Backdoor.Concbak

andreisaygo at live.ie andreisaygo at live.ie
Wed Mar 18 12:40:53 EDT 2015


Thank you very much for your feedback, really appreciate it. I'll add it into the system :)

> Date: Wed, 18 Mar 2015 12:37:15 -0400
> From: azidouemba at sourcefire.com
> To: community-sigs at lists.clamav.net
> Subject: Re: [Community-sigs] new sig Linux.Backdoor.Concbak
> 
> Automated rules would be fine. I went off the Snort rule in the link you
> provided:
> 
> alert tcp any any -> any any
> (msg:"potential malicious traffic http://users.
> ***.com/fcgbin/cgi_get_portrait.fcg?uins=211284131";
> content:"/fcgbin/cgi_get_portrait.fcg?uins=";
> content:"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)";
> content:"Host: users.***.com";)
> 
> 
> Cleaned up rule:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
> potential malicious traffic PIN presentation demo";
> flow:to_server,established; content:"/fcgbin/cgi_get_portrait.fcg?uins=";
> http_uri; fast_pattern:only; content:"Host|3a| users.***.com";
> metadata:service http; classtype:trojan-activity;)
> 
> 
> Cleaned up rule split out for easy readability:
> 
> Connection: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> Message   : MALWARE-CNC potential malicious traffic PIN presentation demo
> Flow      : to_server,established
> Detection :
>     content:"/fcgbin/cgi_get_portrait.fcg?uins="; http_uri; fast_pattern:only;
>     content:"Host|3a| users.***.com";
> Metadata  :
>     Policy:
>     Service: http
> Classtype : trojan-activity
> 
> 
> 
> - I removed the content match for the User-Agent string because it's really
> not necessary in my opinion
> - The original rule did not have ports or networks listed nor the flow
> keyword.  These all work together to help the rule look only at traffic
> that is relevant, effecting a performance increase for all of snort.
> - I also added service metadata and classtype information.  Service
> metadata further helps the rule look at relevant data and the classtype is
> simply a classification system to help prioritize events coming out of
> snort.
> - Finally, I added the ruletype "MALWARE-CNC" to the rule message and
> cleaned up the rule message to remove invalid characters and make the
> message easier to read for the end users.
> - On the detection side, I added buffer information to the URI content
> match to restrict search space to the URI which both speeds up snort by
> looking at less data and also allows snort to provide normalization
> services to make it easier to match input data.  Now, since this is
> hardcoded in malware, normalization isn't as big of a deal since it'll
> always look the same (or we wouldn't want to force "uins" to be the first
> parameter like we do in that content match), but restricting the search
> space to only the URI is useful.
> - Also, I added the fast_pattern:only flag to further speed up the
> detection by not repeating the content match during the rule evaluation.
> There are some nuances to when you would and would not want to use this
> directive, so I'm a little hesitant to include it here without proper
> explanation but I'll leave it there, anyway.
> - Note that the last content match, "Host|3a| users.***.com"; would
> literally expect "***" to be in the hostname, which I don't think is
> actually what you want, but it was not immediately obvious from the code
> snippets in the presentation whether they were literal strings or placeholders.
> 
> 
> Hope this helps.
> 
> - Alain
> 
> On Wed, Mar 18, 2015 at 11:02 AM, <andreisaygo at live.ie> wrote:
> 
> > Hi Alain,
> >
> > That sounds even better, thanks :)
> >
> > Would you accept snort rules generated by automated systems as well ?
> > For example:
> > https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_R&D_Track_PIN_Down_the_Malware.pdf
> >
> > Regards,
> > Andrei Saygo
> >
> > > Date: Wed, 18 Mar 2015 10:52:23 -0400
> > > From: azidouemba at sourcefire.com
> > > To: community-sigs at lists.clamav.net
> > > Subject: Re: [Community-sigs] new sig Linux.Backdoor.Concbak
> > >
> > > If you know and are interested in providing Snort rules for malware
> > > samples, we will add your rules (again, after testing and tweaking if
> > > necessary) to the community ruleset:
> > >
> > > http://blog.snort.org/2013/03/the-sourcefire-vrt-community-ruleset-is.html
> > >
> > > You'll of course be given credit for your Snort rules, just as you are
> > > given credit for your ClamAV signatures.
> > >
> > > Thank you very much for your contribution,
> > >
> > > - Alain
> > >
> > > On Wed, Mar 18, 2015 at 10:42 AM, <andreisaygo at live.ie> wrote:
> > >
> > > > Hi Ben,
> > > > Sounds great, thanks. I'll make sure to include similar info (if possible)
> > > > from now on.
> > > >
> > > > Regards,
> > > > Andrei Saygo
> > > > > Date: Wed, 18 Mar 2015 10:39:20 -0400
> > > > > From: bbaker at sourcefire.com
> > > > > To: community-sigs at lists.clamav.net
> > > > > Subject: Re: [Community-sigs] new sig Linux.Backdoor.Concbak
> > > > >
> > > > > Thanks Andrei! Your sig passed FP check and has been published. Since you
> > > > > included really unique network info, I'll make a Snort rule for that as
> > > > > well.
> > > > >
> > > > > On Mon, Mar 16, 2015 at 7:52 PM, <andreisaygo at live.ie> wrote:
> > > > >
> > > > > > Signature:
> > > > > >
> > > > > >
> > > > > > Linux.Backdoor.Concbak;Target:6;(0&1&2)&(3|4|5);2F676174652E706870;2670636E616D653D00;26687769643D00;756470666C6F6F6400;6261636B636F6E6E65637400;2F6574632F736861646F7700
> > > > > >
> > > > > > Hashes:
> > > > > > MD5: 88119dc700357d2d486efb2d1369b105
> > > > > > SHA1: 36361d6472d3c675182a2ca01ceed968d6c8e46b
> > > > > > SHA256: 6b2cc3d64aa719c4910b89dc841f7ae07a5eab481d9ad2ed75059ac5173092b1
> > > > > >
> > > > > > Sig0:
> > > > > > /gate.php
> > > > > >
> > > > > > Sig1:
> > > > > > &pcname=
> > > > > >
> > > > > > Sig2:
> > > > > > &hwid=
> > > > > >
> > > > > > Sig3:
> > > > > > udpflood
> > > > > > Sig4:
> > > > > > backconnect
> > > > > > Sig5:
> > > > > > /etc/shadow
> > > > > >
> > > > > > Additional details:
> > > > > > Full link:
> > > > > > hxxp://webcrawl.marketplay.be:80//platforms/linux_v6//gate.php
> > > > > >
> > > > > > HTTP header:
> > > > > > User-Agent: Firefox.3.5
> > > > > > Referer: http://google.com/
> > > > > > Accept-Encoding: identity
> > > > > >
> > > > > >
> > > > > > Regards,
> > > > > > Andrei Saygo
> > > > > > _______________________________________________
> > > > > > Community-sigs mailing list
> > > > > > Community-sigs at lists.clamav.net
> > > > > > http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
> > > > > >
> > > > > > http://www.clamav.net/contact.html#ml
> > > > > >
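Added here as an illustration (not code from the thread, ClamAV or Sourcefire): a small Python reader for the .ldb logical signature posted above that decodes the hex subsignatures and evaluates the (0&1&2)&(3|4|5) expression against a byte buffer, the kind of check a reviewer runs on a submission before publishing it. The sample buffers are constructed, and the '&'-over-'|' precedence and the subset of ldb syntax handled are assumptions.

```python
import re
# The .ldb logical signature exactly as posted in the thread, joined onto one line.
CONCBAK_LDB = ("Linux.Backdoor.Concbak;Target:6;(0&1&2)&(3|4|5);2F676174652E706870;2670636E616D653D00;"
               "26687769643D00;756470666C6F6F6400;6261636B636F6E6E65637400;2F6574632F736861646F7700")

def parse_ldb(line):
    """Split 'Name;Target:N;LogicalExpr;hex;...' (Target 6 = ELF). Decoding shows what
    the Sig0..Sig5 list hides: all but /gate.php end in 00, the C-string terminator."""
    name, target, expr, *hexsigs = line.strip().split(";")
    return name, int(target.split(":")[1]), expr, [bytes.fromhex(h) for h in hexsigs]

def evaluate(expr, hits):
    """Recursive-descent evaluation of indices, '&', '|' and parentheses over per-subsig
    booleans. Count operators (=,>,<) unsupported; '&' over '|' precedence is assumed."""
    tokens = re.findall(r"\d+|[&|()]", expr)
    if "".join(tokens) != expr.replace(" ", ""):
        raise ValueError("unsupported logical expression: %r" % expr)
    def atom():                       # atom := index | '(' disj ')'
        tok = tokens.pop(0)           # IndexError here means a truncated expression
        if tok != "(":
            return hits[int(tok)]
        val = disj()
        if not tokens or tokens.pop(0) != ")":
            raise ValueError("missing ')'")
        return val
    def conj():                       # conj := atom ('&' atom)*
        val = atom()
        while tokens and tokens[0] == "&":
            tokens.pop(0)
            val = atom() and val      # operand always consumed, never short-circuited
        return val
    def disj():                       # disj := conj ('|' conj)*
        val = conj()
        while tokens and tokens[0] == "|":
            tokens.pop(0)
            val = conj() or val
        return val
    result = disj()
    if tokens:
        raise ValueError("trailing tokens in expression")
    return result

def scan(line, data):
    """Signature name when `data` satisfies the logical sig, else None."""
    name, _target, expr, subsigs = parse_ldb(line)
    return name if evaluate(expr, [s in data for s in subsigs]) else None

# Constructed sample buffers (not real samples), shaped like ELF .rodata strings.
FULL = b"\x00//platforms/linux_v6//gate.php\x00&pcname=\x00&hwid=\x00udpflood\x00"
PARTIAL = b"\x00/gate.php\x00&pcname=\x00&hwid=\x00"  # C2 strings, no capability string
```

Running `scan(CONCBAK_LDB, FULL)` returns the signature name, while `PARTIAL` returns None because the (3|4|5) capability group never matches.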