[Snort-sigs] [Emerging-Sigs] Coverage for the "Night Dragon" Trojan

Matthew Jonkman jonkman at ...3525...
Thu Feb 10 16:31:58 EST 2011


That's what we have now Mike, thanks!

The fixed rules are now available!

Matt

On Feb 10, 2011, at 4:29 PM, Mike Iacovacci wrote:

> The offset and depth are correct at 12 and 4 respectively (offset is from the data payload, not the entire frame); however, the pcre will not match because the "plain text signature" we are looking for is 'hW$', i.e. \x68\x57\x24\x13 (see traffic sample below). Therefore I would propose the following signature:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:xxxxxx; gid:1; content:"|68 57 24 13|"; rawbytes; offset:12; depth:4; msg:"Night Dragon C&C"; classtype:trojan-activity; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; rev:1; ) 
> 
> traffic sample:
> 
> 0000  00 17 f2 e6 88 5e 00 0c  29 64 61 33 08 00 45 00   .....^.. )da3..E.
> 0010  00 38 b9 de 40 00 80 06  bc ca c0 a8 01 5b c0 a8   .8..@... .....[..
> 0020  01 6b 05 42 00 50 db 8f  01 c1 41 6f 0e d9 50 18   .k.B.P.. ..Ao..P.
> 0030  ff 32 04 b5 00 00 03 50  00 00 00 00 00 c2 63 16   .2.....P ......c.
> 0040  01 00 68 57 24 13                                  ..hW$.
> 
> 
> - Mike Iacovacci
> 
> 
> 
> 
> On Thu, Feb 10, 2011 at 4:19 PM, Nick Randolph <randolphdavidn at ...2420...> wrote:
> I missed that on the offset and depth.
> 
> On Thu, Feb 10, 2011 at 4:01 PM, Mike Cox <mike.cox52 at ...2420...> wrote:
> > Hmmm ... this sounds like the sig I proposed to Emerging Threats  this
> > morning but got no feedback on.
> >
> > Sourcefire, please let me know where to send the bill.
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> > Night Dragon C&C Communication Outbound"; content:"|68 57 24 13|";
> > offset:12; depth:4; http_body;
> > pcre:"/[\x01\x03]\x50[\x00-\xff]+\x68\x57\x24\x13/P";
> > classtype:trojan-activity;
> > reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf;
> > sid:2011213456;)
> >
> > -Mike Cox
> >
> > On Thu, Feb 10, 2011 at 2:27 PM, Matt Olney <molney at ...435...> wrote:
> >> Hey ET folks who are here...
> >> If you guys could pass on this information:
> >> The rules provided won't fire on Night Dragon C&C traffic..  The offset:66
> >> is calculated from the beginning of the Layer 2 portion of the packet.  The
> >> data portion (what Snort looks at) starts at offset 54.  The correct offset
> >> for the rule should be 12.  Also, you probably want to add a depth:
> >> qualifier of 3 bytes so you don't false positive further down the packet.
> >> Don't normally check in on you guys, but this was important enough to check.
> >>
> >> Matt
> >> On Thu, Feb 10, 2011 at 2:47 PM, evilghost at ...3397...
> >> <evilghost at ...3397...> wrote:
> >>>
> >>> -----BEGIN PGP SIGNED MESSAGE-----
> >>> Hash: SHA1
> >>>
> >>> On 02/10/11 13:41, Joel Esler wrote:
> >>> > Registered users will have the normal 30 day wait.
> >>>
> >>> Joel, I think this is ok to post here...
> >>>
> >>> Those who are looking for coverage and who are not VRT subscribers: they're in
> >>> Emerging-Threats (http://www.emergingthreats.net).
> >>>
> >>> There's an ongoing discussion here regarding several signatures which have been
> >>> proposed for inclusion, see
> >>>
> >>> http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-February/011896.html
> >>>
> >>> Disclaimer - I have no vested interest in EmergingThreats, I'm just a
> >>> simple/normal community participant there.
> >>>
> >>> - --
> >>> It has been said that "hate" is a powerful emotion, perhaps that's why I'm so
> >>> strong.
> >>>
> >>> - -evilghost
> >>> -----BEGIN PGP SIGNATURE-----
> >>> Version: GnuPG v1.4.10 (GNU/Linux)
> >>>
> >>> iQIcBAEBAgAGBQJNVEDOAAoJENgimYXu6xOHeXYP+wUttel/Ao8ulybFgG1iS3ar
> >>> z1lzjvTybh5DgGVIJZ5D7QyLgsaYN4A10p6TzV5a914TuL1eEGmZLxfNjPt/et+q
> >>> NUE8dZy3jW8M5JTgVZ1tl/aBVp798XG5h5JE57yPWdzo0gzyiOkwiZponS/HS1Lj
> >>> sSakxNLjWRLNhCifnREW7iNY9TOmRwuGNIcfkFs0SgCqOE+ED2aR7Ko0XEPKOaMf
> >>> ghoystILWO1uc08dDbeRDPq4BrDoBQZ3/cUDeMb/MW/BNGPdHsxlpETVEbQCg4LV
> >>> p7NgYjJOWr6xrUxg5AKwxGkDneJrv8lj0NGT2FgywvBKevPIs32UGEaqqyY7LDX/
> >>> JGReyADfdBd/TvGFJYgQ5jlIYsRL34517/+sfImHd19Ys4nZck6RL2+L+IINVSgG
> >>> nozZ+fqG46mmZgCiVHwF73AzvSNCbqfU34ZbS+H19sGLVBbS0wYoGEcwKFDbax6R
> >>> Kw7Jbw8ecYrvH1izkE0exU8K2/1LoAptfn0Gz231MMpLg/ldInqj/jzW+FCfbvXJ
> >>> BDZMn0rqah3kXEq+mtt3tVX2bCn/ODAJ0iNtuR55goNLsrGAy6imrpzJdTasQeHg
> >>> I2Fsz9etzLlUeyAW726AdbBONTZtYIuY2QfwyFQaIc9fLlC0KZEoycK1srQJGeY+
> >>> 1sA7AJfGJLvnEdRHpwbi
> >>> =3lHv
> >>> -----END PGP SIGNATURE-----
> >>>
> >>>
> >>>
> >>> ------------------------------------------------------------------------------
> >>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio XE:
> >>> Pinpoint memory and threading errors before they happen.
> >>> Find and fix more than 250 security defects in the development cycle.
> >>> Locate bottlenecks in serial and parallel code that limit performance.
> >>> http://p.sf.net/sfu/intel-dev2devfeb
> >>> _______________________________________________
> >>> Snort-sigs mailing list
> >>> Snort-sigs at lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >>> http://www.snort.org
> >>
> >>
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at ...3335...
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> > The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
> >


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
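The whole thread turns on one point: Snort's `offset` and `depth` count from the start of the TCP payload, not from the start of the captured frame, so an offset of 66 measured in a packet viewer becomes 12 once the 14-byte Ethernet, 20-byte IPv4 and 20-byte TCP headers are peeled off. The script below is an added example (not from the thread or from any of the rule authors) that parses the hex dump Mike Iacovacci posted, derives the header lengths from the IHL and TCP data-offset fields rather than assuming 20/20, and evaluates a `content` match with Snort-style `offset`/`depth` semantics against both the frame and the payload. The function names (`parse_hexdump`, `split_tcp_payload`, `content_match`, `evaluate_rule_variants`) are this example's own; the "@" in the second ASCII column is restored from the list's address munging, and the parser ignores the ASCII column anyway.

```python
"""Snort offset/depth semantics, checked against the Night Dragon hex dump.

Added example, not from the thread. It shows why "offset:66" (measured from
the start of the Ethernet frame) never matches while "offset:12; depth:4"
(measured from the start of the TCP payload) does.
"""
import re
from typing import Optional, Tuple

# Hex dump as posted in the thread (Wireshark style: offset, bytes, ASCII).
HEXDUMP = """\
0000  00 17 f2 e6 88 5e 00 0c  29 64 61 33 08 00 45 00   .....^.. )da3..E.
0010  00 38 b9 de 40 00 80 06  bc ca c0 a8 01 5b c0 a8   .8..@... .....[..
0020  01 6b 05 42 00 50 db 8f  01 c1 41 6f 0e d9 50 18   .k.B.P.. ..Ao..P.
0030  ff 32 04 b5 00 00 03 50  00 00 00 00 00 c2 63 16   .2.....P ......c.
0040  01 00 68 57 24 13                                  ..hW$.
"""

# The bytes the rules in the thread look for: "hW$" followed by 0x13.
NIGHT_DRAGON_MARKER = bytes.fromhex("68 57 24 13")


def parse_hexdump(text: str) -> bytes:
    """Convert a Wireshark-style hex dump into raw frame bytes.

    Each line is "<4-hex-digit offset>  <up to 16 hex bytes>   <ascii>".
    Only the hex-byte column is used; the ASCII column is skipped by stopping
    at the first token that is not exactly two hex digits (a simplification
    that is fine for dumps whose ASCII column starts with a non-hex char).
    """
    out = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 2 or not re.fullmatch(r"[0-9a-fA-F]{4}", tokens[0]):
            continue
        if int(tokens[0], 16) != len(out):
            raise ValueError(f"offset {tokens[0]} does not continue the previous line")
        for tok in tokens[1:17]:  # at most 16 data bytes per line
            if not re.fullmatch(r"[0-9a-fA-F]{2}", tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def split_tcp_payload(frame: bytes) -> Tuple[int, bytes]:
    """Return (payload offset within the frame, TCP payload) for Ethernet/IPv4/TCP.

    Header lengths are read from the packet (IHL, TCP data offset, IP total
    length) so options or trailing Ethernet padding do not skew the result.
    """
    eth_len = 14
    if frame[12:14] != b"\x08\x00":
        raise ValueError("EtherType is not IPv4")
    ihl = (frame[eth_len] & 0x0F) * 4
    ip_total_len = int.from_bytes(frame[eth_len + 2:eth_len + 4], "big")
    if frame[eth_len + 9] != 6:
        raise ValueError("IP protocol is not TCP")
    tcp_start = eth_len + ihl
    data_offset = (frame[tcp_start + 12] >> 4) * 4
    payload_start = tcp_start + data_offset
    payload_end = eth_len + ip_total_len
    return payload_start, frame[payload_start:payload_end]


def content_match(buf: bytes, pattern: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> Optional[int]:
    """Snort-style content search.

    The search begins `offset` bytes into the buffer; with `depth` set, only
    the next `depth` bytes are examined and the pattern must fit entirely
    inside that window. Returns the match position or None.
    """
    if offset >= len(buf):
        return None  # offset past the end of the buffer can never match
    window = buf[offset:] if depth is None else buf[offset:offset + depth]
    idx = window.find(pattern)
    return None if idx < 0 else offset + idx


def evaluate_rule_variants(frame: bytes) -> dict:
    """Compare the offsets discussed in the thread against the sample packet."""
    payload_start, payload = split_tcp_payload(frame)
    return {
        "payload_start_in_frame": payload_start,           # 54 for this packet
        "offset66_depth4_on_payload": content_match(payload, NIGHT_DRAGON_MARKER, 66, 4),
        "offset12_depth4_on_payload": content_match(payload, NIGHT_DRAGON_MARKER, 12, 4),
        "offset66_depth4_on_frame": content_match(frame, NIGHT_DRAGON_MARKER, 66, 4),
        "frame_offset_minus_headers": 66 - payload_start,  # what Snort actually needs
    }


if __name__ == "__main__":
    sample = parse_hexdump(HEXDUMP)
    for name, value in evaluate_rule_variants(sample).items():
        print(f"{name:30s} {value}")
```

Run as-is it prints that the payload begins at frame byte 54, that the marker sits at payload offset 12 (frame offset 66), and that `offset:66` applied to the 16-byte payload finds nothing. Note that `depth` must be at least the content length: a 4-byte content with `depth:3`, as first suggested in the thread, cannot fit in the window (Snort rejects such a rule at load time), which is why the settled rule uses `depth:4`.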


