[Community-sigs] new sig Linux.Backdoor.Concbak
Joel Esler (jesler)
jesler at cisco.com
Wed Mar 18 13:59:34 EDT 2015
Please submit Snort rules via the Snort-sigs mailing list for inclusion.
Keep in mind that we need a PCAP to test the Snort rules against (or at least the hash of the malware, so that we can replicate the traffic).
--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group
On Mar 18, 2015, at 12:40 PM, andreisaygo at live.ie wrote:
Thank you very much for your feedback, really appreciate it. I'll add it into the system :)
Date: Wed, 18 Mar 2015 12:37:15 -0400
From: azidouemba at sourcefire.com
To: community-sigs at lists.clamav.net
Subject: Re: [Community-sigs] new sig Linux.Backdoor.Concbak
Automated rules would be fine. I went off the Snort rule in the link you
provided:
alert tcp any any -> any any
(msg:"potential malicious traffic http://users.
***.com/fcgbin/cgi_get_portrait.fcg?uins=211284131";
content:"/fcgbin/cgi_get_portrait.fcg?uins=";
content:"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)";
content:"Host: users.***.com";)
Cleaned up rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
potential malicious traffic PIN presentation demo";
flow:to_server,established; content:"/fcgbin/cgi_get_portrait.fcg?uins=";
http_uri; fast_pattern:only; content:"Host|3a| users.***.com";
metadata:service http; classtype:trojan-activity;)
Cleaned up rule split out for easy readability:
Connection: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
Message : MALWARE-CNC potential malicious traffic PIN presentation demo
Flow : to_server,established
Detection :
content:"/fcgbin/cgi_get_portrait.fcg?uins="; http_uri;
fast_pattern:only;
content:"Host|3a| users.***.com";
Metadata :
Policy:
Service: http
Classtype : trojan-activity
- I removed the content match for the User-Agent string because it's really
not necessary in my opinion
- The original rule did not have ports or networks listed nor the flow
keyword. These all work together to help the rule look only at traffic
that is relevant, effecting a performance increase for all of snort.
- I also added service metadata and classtype information. Service
metadata further helps the rule look at relevant data and the classtype is
simply a classification system to help prioritize events coming out of
snort.
- Finally, I added the ruletype "MALWARE-CNC" to the rule message and
cleaned up the rule message to remove invalid characters and make the
message easier to read for the end users.
- On the detection side, I added buffer information to the URI content
match to restrict search space to the URI which both speeds up snort by
looking at less data and also allows snort to provide normalization
services to make it easier to match input data. Now, since this is
hardcoded in malware, normalization isn't as big of a deal since it'll
always look the same (or we wouldn't want to force "uins" to be the first
parameter like we do in that content match), but restricting the search
space to only the URI is useful.
- Also, I added the fast_pattern:only flag to further speed up the
detection by not repeating the content match during the rule evaluation.
There are some nuances to when you would and would not want to use this
directive, so I'm a little hesitant to include it here without proper
explanation but I'll leave it there, anyway.
- Note that the last content match, "Host|3a| users.***.com"; would
literally expect "***" to be in the hostname, which I don't think is
actually what you want, but it was not immediately obvious from the code
snippets in the presentation whether they were literal strings or placeholders.
Hope this helps.
- Alain
On Wed, Mar 18, 2015 at 11:02 AM, <andreisaygo at live.ie> wrote:
Hi Alain,
That sounds even better, thanks :)
Would you accept snort rules generated by automated systems as well ?
For example:
https://dl.mandiant.com/EE/library/MIRcon2014/MIRcon_2014_R&D_Track_PIN_Down_the_Malware.pdf
Regards,
Andrei Saygo
Date: Wed, 18 Mar 2015 10:52:23 -0400
From: azidouemba at sourcefire.com
To: community-sigs at lists.clamav.net
Subject: Re: [Community-sigs] new sig Linux.Backdoor.Concbak
If you know and are interested in providing Snort rules for malware
samples, we will add your rules (again, after testing and tweaking if
necessary) to the community ruleset:
http://blog.snort.org/2013/03/the-sourcefire-vrt-community-ruleset-is.html
You'll of course be given credit for your Snort rules, just as you are
given credit for your ClamAV signatures.
Thank you very much for your contribution,
- Alain
On Wed, Mar 18, 2015 at 10:42 AM, <andreisaygo at live.ie> wrote:
Hi Ben,
Sounds great, thanks. I'll make sure to include similar info (if possible)
from now on.
Regards,
Andrei Saygo
Date: Wed, 18 Mar 2015 10:39:20 -0400
From: bbaker at sourcefire.com
To: community-sigs at lists.clamav.net
Subject: Re: [Community-sigs] new sig Linux.Backdoor.Concbak
Thanks Andrei! Your sig passed FP check and has been published. Since you
included really unique network info, I'll make a Snort rule for that as well.
On Mon, Mar 16, 2015 at 7:52 PM, <andreisaygo at live.ie> wrote:
Signature:
Linux.Backdoor.Concbak;Target:6;(0&1&2)&(3|4|5);2F676174652E706870;2670636E616D653D00;26687769643D00;756470666C6F6F6400;6261636B636F6E6E65637400;2F6574632F736861646F7700
Hashes:
MD5: 88119dc700357d2d486efb2d1369b105
SHA1: 36361d6472d3c675182a2ca01ceed968d6c8e46b
SHA256:
6b2cc3d64aa719c4910b89dc841f7ae07a5eab481d9ad2ed75059ac5173092b1
Sig0:
/gate.php
Sig1:
&pcname=
Sig2:
&hwid=
Sig3:
udpflood
Sig4:
backconnect
Sig5:
/etc/shadow
Additional details:
Full link:
hxxp://webcrawl.marketplay.be:80//platforms/linux_v6//gate.php
HTTP header:
User-Agent: Firefox.3.5
Referer: http://google.com/
Accept-Encoding: identity
Regards,
Andrei Saygo
_______________________________________________
Community-sigs mailing list
Community-sigs at lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
http://www.clamav.net/contact.html#ml
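Added example, not code from the thread or from ClamAV: a small Python parser and evaluator for the .ldb logical signature Andrei posted above, showing how the hex subsignatures decode and how the expression (0&1&2)&(3|4|5) is applied to a sample. The two sample buffers are constructed, and the operator-precedence choice is an assumption stated in the code.

```python
import re
# Constructed input: the ClamAV logical signature (.ldb line) posted in the thread.
CONCBAK_LDB = ("Linux.Backdoor.Concbak;Target:6;(0&1&2)&(3|4|5);"
               "2F676174652E706870;2670636E616D653D00;26687769643D00;"
               "756470666C6F6F6400;6261636B636F6E6E65637400;2F6574632F736861646F7700")

def parse_ldb(line):
    """Split an .ldb line into (name, target, logical expression, subsig bytes)."""
    f = line.split(";")
    return f[0], f[1], f[2], [bytes.fromhex(h) for h in f[3:]]

def evaluate(expr, hits):
    """Evaluate subsig indices joined by '&', '|' and parentheses (recursive descent).
    Assumption: '&' binds tighter than '|'; the posted expression is fully parenthesised,
    so this cannot change its result. '>n'/'=n' count modifiers are not handled."""
    toks, pos = re.findall(r"\d+|[()&|]", expr), [0]
    def peek():
        return toks[pos[0]] if pos[0] < len(toks) else None
    def take():
        pos[0] += 1
        return toks[pos[0] - 1]
    def atom():
        if peek() == "(":
            take()
            val = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            return val
        return hits[int(take())]
    def and_expr():
        val = atom()
        while peek() == "&":
            take()
            val = atom() and val      # always consume the right operand
        return val
    def or_expr():
        val = and_expr()
        while peek() == "|":
            take()
            val = and_expr() or val
        return val
    return or_expr()

def matches(ldb_line, data):
    """True if the sample bytes satisfy the signature's logical expression."""
    _name, _target, expr, subsigs = parse_ldb(ldb_line)
    return evaluate(expr, [s in data for s in subsigs])
# Constructed samples: the first carries the C2 path, both POST fields and one
# command string; the second lacks every command string and must not match.
POSITIVE = b"\x00/gate.php\x00&pcname=\x00&hwid=\x00udpflood\x00"
NEGATIVE = b"\x00/gate.php\x00&pcname=\x00&hwid=\x00"
```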