[Snort-sigs] questions about sid 149

pbsarnac at ...427...
Sat Mar 9 23:01:02 EST 2002


I was looking at the sig for sid 149, and I'm not sure it's a useful sig.

alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat
3.1 Client Sending Data to Server on Network"; content:"|00 23|";
reference:arachnids,106; sid:149; classtype:misc-activity; rev:3;)

I've done packet captures on just about all of DeepThroat 3.1's network
activity, and there are numerous instances where it sends data to the
trojaned machine on port 3150. In none of those examples was I able to
find |00 23|.  The port 3150 traffic is usually used to send additional
data... the port 2140 traffic is used to send control codes to the server,
telling the server what command is to be executed, and the 3150 traffic
includes additional data, such as file names. For example, the following
tells the server to access a URL and download a file, then save the file
to the local disk.

Control code 100 sent to UDP port 2140 indicates a web download:
------------------------------------------
0000  00 50 56 ff ae cb 00 50 56 fe 18 10 08 00 45 00   .PV....PV.....E.
0010  00 1f 49 00 00 00 80 11 9b 72 c0 a8 ea 84 c0 a8   ..I......r......
0020  ea 85 ea 60 08 5c 00 0b 55 8f 31 30 30 10 00 01   ...`.\..U.100...
0030  00 00 00 00 00 01 20 46 47 45 4e 46               ...... FGENF

The URL is sent to UDP port 3150.
-------------------------------------------
0000  00 50 56 ff ae cb 00 50 56 fe 18 10 08 00 45 00   .PV....PV.....E.
0010  00 37 4a 00 00 00 80 11 9a 5a c0 a8 ea 84 c0 a8   .7J......Z......
0020  ea 85 ea 60 0c 4e 00 23 b7 c2 77 77 77 2e 73 6f   ...`.N.#..www.so
0030  6d 65 77 68 65 72 65 2e 63 6f 6d 5c 66 75 6e 6e   mewhere.com\funn
0040  79 2e 65 78 65                                    y.exe

Control code 101 sent to UDP port 2140 tells the server to save the
downloaded file.
-------------------------------------------
0000  00 50 56 ff ae cb 00 50 56 fe 18 10 08 00 45 00   .PV....PV.....E.
0010  00 1f 4b 00 00 00 80 11 99 72 c0 a8 ea 84 c0 a8   ..K......r......
0020  ea 85 ea 60 08 5c 00 0b 54 8f 31 30 31 10 00 01   ...`.\..T.101...
0030  00 00 00 00 00 01 20 41 42 41 43 46               ...... ABACF

The save location is sent to UDP port 3150.
-------------------------------------------
0000  00 50 56 ff ae cb 00 50 56 fe 18 10 08 00 45 00   .PV....PV.....E.
0010  00 2d 4c 00 00 00 80 11 98 64 c0 a8 ea 84 c0 a8   .-L......d......
0020  ea 85 ea 60 0c 4e 00 19 04 ae 63 3a 5c 74 65 6d   ...`.N....c:\tem
0030  70 5c 66 75 6e 6e 79 2e 65 78 65 46               p\funny.exeF

I was not the original author of this signature, and I may be missing
something important, but I don't think the signature in its current form
would ever fire except by accident (i.e. the data sent just happened to
contain |00 23|). There looks to be enough 3150 traffic that if you were
really concerned about DeepThroat, you may want to capture all udp traffic
from $EXTERNAL_NET 60000 to $HOME_NET 3150. Since this signature seems to
be an attempt to catch generic data from a DeepThroat client to a
DeepThroat server, I'd recommend dropping the content rule from the sig and
ending up with this:

alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat
3.1 Client Sending Data to Server on Network"; reference:arachnids,106;
sid:149; classtype:misc-activity; rev:3;)

There would probably be a low incidence of false positives, given the
unusual high port numbers for both client and server. On the other hand,
there are about a billion other signatures for this trojan, and maybe it
would just be worth it to shitcan this one. :)

My .02. If someone knows what's really going on here, and I'm completely
wrong, please let me know.

Thanks,
pat s.
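As an added example (not part of the original post), the following Python script re-reads three of the frames dumped above, carves out the UDP payload exactly as a Snort content match would see it, and reports whether |00 23| is ever in the payload versus elsewhere in the datagram. In the 3150 frame that carries the URL, the bytes 00 23 are the UDP length field (a 35-byte datagram), not client data, so a payload-only content match does not fire on it. The frame bytes are copied from the dumps; the function names are my own.

```python
import struct

# Three frames from the hex dumps above (Ethernet II / IPv4 / UDP), hex copied
# verbatim; bytes.fromhex() skips the whitespace.
FRAMES = {
    "control_100_to_2140": bytes.fromhex(
        "00 50 56 ff ae cb 00 50 56 fe 18 10 08 00 45 00"
        "00 1f 49 00 00 00 80 11 9b 72 c0 a8 ea 84 c0 a8"
        "ea 85 ea 60 08 5c 00 0b 55 8f 31 30 30 10 00 01"
        "00 00 00 00 00 01 20 46 47 45 4e 46"),
    "url_to_3150": bytes.fromhex(
        "00 50 56 ff ae cb 00 50 56 fe 18 10 08 00 45 00"
        "00 37 4a 00 00 00 80 11 9a 5a c0 a8 ea 84 c0 a8"
        "ea 85 ea 60 0c 4e 00 23 b7 c2 77 77 77 2e 73 6f"
        "6d 65 77 68 65 72 65 2e 63 6f 6d 5c 66 75 6e 6e"
        "79 2e 65 78 65"),
    "save_path_to_3150": bytes.fromhex(
        "00 50 56 ff ae cb 00 50 56 fe 18 10 08 00 45 00"
        "00 2d 4c 00 00 00 80 11 98 64 c0 a8 ea 84 c0 a8"
        "ea 85 ea 60 0c 4e 00 19 04 ae 63 3a 5c 74 65 6d"
        "70 5c 66 75 6e 6e 79 2e 65 78 65 46"),
}
CONTENT = b"\x00\x23"  # content:"|00 23|" from sid 149

def parse_udp(frame):
    """Return (src_port, dst_port, udp_header, payload). Payload is bounded by the
    UDP length field, so trailing Ethernet padding ('F', 'FGENF') is excluded."""
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    off = 14 + ihl                         # start of the UDP header
    src, dst, length, _cksum = struct.unpack("!HHHH", frame[off:off + 8])
    return src, dst, frame[off:off + 8], frame[off + 8:off + length]

def sid149_fires(frame):
    """Emulate sid 149: UDP 60000 -> 3150 with |00 23| somewhere in the payload."""
    src, dst, _hdr, payload = parse_udp(frame)
    return src == 60000 and dst == 3150 and CONTENT in payload

def content_location(frame):
    """Where |00 23| actually occurs: 'payload', 'udp header', or None."""
    _src, _dst, hdr, payload = parse_udp(frame)
    if CONTENT in payload:
        return "payload"
    return "udp header" if CONTENT in hdr else None

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        src, dst, _hdr, payload = parse_udp(frame)
        print(f"{name}: {src}->{dst} {payload!r} fires={sid149_fires(frame)} "
              f"pattern in {content_location(frame)}")
```

Dropping the content option, as suggested above, makes the rule depend on the port pair alone, which this script would report as firing on both 3150 frames.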