[Snort-sigs] [Emerging-Sigs] Coverage for the "Night Dragon" Trojan

Mike Iacovacci mcse99 at ...2420...
Thu Feb 10 16:29:42 EST 2011


The offset and depth are correct at 12 and 4 respectively (offset is from
the data payload, not the entire frame); however, the pcre will not match
because the "plain text signature" we are looking for is 'hW$', i.e.
\x68\x57\x24\x13 (see traffic sample below). Therefore I would propose the
following signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (sid:xxxxxx; gid:1; content:"|68 57 24 13|"; rawbytes; offset:12; depth:4; msg:"Night Dragon C&C"; classtype:trojan-activity; reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf; rev:1;)

traffic sample:

0000  00 17 f2 e6 88 5e 00 0c  29 64 61 33 08 00 45 00   .....^.. )da3..E.
0010  00 38 b9 de 40 00 80 06  bc ca c0 a8 01 5b c0 a8   .8..@... .....[..
0020  01 6b 05 42 00 50 db 8f  01 c1 41 6f 0e d9 50 18   .k.B.P.. ..Ao..P.
0030  ff 32 04 b5 00 00 03 50  00 00 00 00 00 c2 63 16   .2.....P ......c.
0040  01 00 68 57 24 13                                               ..hW$.



- Mike Iacovacci




On Thu, Feb 10, 2011 at 4:19 PM, Nick Randolph <randolphdavidn at ...2420...> wrote:

> I missed that on the offset and depth.
>
> On Thu, Feb 10, 2011 at 4:01 PM, Mike Cox <mike.cox52 at ...2420...> wrote:
> > Hmmm ... this sounds like the sig I proposed to Emerging Threats this
> > morning but got no feedback on.
> >
> > Sourcefire, please let me know where to send the bill.
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> > Night Dragon C&C Communication Outbound"; content:"|68 57 24 13|";
> > offset:12; depth:4; http_body;
> > pcre:"/[\x01\x03]\x50[\x00-\xff]+\x68\x57\x24\x13/P";
> > classtype:trojan-activity;
> > reference:url,www.mcafee.com/us/resources/white-papers/wp-global-energy-cyberattacks-night-dragon.pdf;
> > sid:2011213456;)
> >
> > -Mike Cox
> >
> > On Thu, Feb 10, 2011 at 2:27 PM, Matt Olney <molney at ...435...> wrote:
> >> Hey ET folks who are here...
> >> If you guys could pass on this information:
> >> The rules provided won't fire on Night Dragon C&C traffic.  The offset:66
> >> is calculated from the beginning of the Layer 2 portion of the packet.  The
> >> data portion (what Snort looks at) starts at offset 54.  The correct offset
> >> for the rule should be 12.  Also, you probably want to add a depth:
> >> qualifier of 3 bytes so you don't false positive further down the packet.
> >> Don't normally check in on you guys, but this was important enough to check.
> >>
> >> Matt
> >> On Thu, Feb 10, 2011 at 2:47 PM, evilghost at ...3397...
> >> <evilghost at ...3397...> wrote:
> >>>
> >>> -----BEGIN PGP SIGNED MESSAGE-----
> >>> Hash: SHA1
> >>>
> >>> On 02/10/11 13:41, Joel Esler wrote:
> >>> > Registered users will have the normal 30 day wait.
> >>>
> >>> Joel, I think this is ok to post here...
> >>>
> >>> For those who are looking for coverage and are not VRT subscribers, they're
> >>> in Emerging-Threats (http://www.emergingthreats.net).
> >>>
> >>> There's an ongoing discussion here regarding several signatures which have
> >>> been proposed for inclusion, see
> >>> http://lists.emergingthreats.net/pipermail/emerging-sigs/2011-February/011896.html
> >>>
> >>> Disclaimer - I have no vested interest in EmergingThreats, I'm just a
> >>> simple/normal community participant there.
> >>>
> >>> - --
> >>> It has been said that "hate" is a powerful emotion, perhaps that's why I'm
> >>> so strong.
> >>>
> >>> - -evilghost
> >>> -----BEGIN PGP SIGNATURE-----
> >>> Version: GnuPG v1.4.10 (GNU/Linux)
> >>>
> >>> iQIcBAEBAgAGBQJNVEDOAAoJENgimYXu6xOHeXYP+wUttel/Ao8ulybFgG1iS3ar
> >>> z1lzjvTybh5DgGVIJZ5D7QyLgsaYN4A10p6TzV5a914TuL1eEGmZLxfNjPt/et+q
> >>> NUE8dZy3jW8M5JTgVZ1tl/aBVp798XG5h5JE57yPWdzo0gzyiOkwiZponS/HS1Lj
> >>> sSakxNLjWRLNhCifnREW7iNY9TOmRwuGNIcfkFs0SgCqOE+ED2aR7Ko0XEPKOaMf
> >>> ghoystILWO1uc08dDbeRDPq4BrDoBQZ3/cUDeMb/MW/BNGPdHsxlpETVEbQCg4LV
> >>> p7NgYjJOWr6xrUxg5AKwxGkDneJrv8lj0NGT2FgywvBKevPIs32UGEaqqyY7LDX/
> >>> JGReyADfdBd/TvGFJYgQ5jlIYsRL34517/+sfImHd19Ys4nZck6RL2+L+IINVSgG
> >>> nozZ+fqG46mmZgCiVHwF73AzvSNCbqfU34ZbS+H19sGLVBbS0wYoGEcwKFDbax6R
> >>> Kw7Jbw8ecYrvH1izkE0exU8K2/1LoAptfn0Gz231MMpLg/ldInqj/jzW+FCfbvXJ
> >>> BDZMn0rqah3kXEq+mtt3tVX2bCn/ODAJ0iNtuR55goNLsrGAy6imrpzJdTasQeHg
> >>> I2Fsz9etzLlUeyAW726AdbBONTZtYIuY2QfwyFQaIc9fLlC0KZEoycK1srQJGeY+
> >>> 1sA7AJfGJLvnEdRHpwbi
> >>> =3lHv
> >>> -----END PGP SIGNATURE-----
> >>>
> >>>
> >>>
> >>>
> ------------------------------------------------------------------------------
> >>> The ultimate all-in-one performance toolkit: Intel(R) Parallel Studio
> XE:
> >>> Pinpoint memory and threading errors before they happen.
> >>> Find and fix more than 250 security defects in the development cycle.
> >>> Locate bottlenecks in serial and parallel code that limit performance.
> >>> http://p.sf.net/sfu/intel-dev2devfeb
> >>> _______________________________________________
> >>> Snort-sigs mailing list
> >>> Snort-sigs at lists.sourceforge.net
> >>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >>> http://www.snort.org
> >>
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at ...3335...
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> > The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
> >
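The offset arithmetic argued over in this thread (offset:66 counted from the start of the frame versus offset:12 counted from the TCP payload), worked through as an added example. This is not code from the thread or from Snort; it parses the hex dump Mike posted, walks the Ethernet II, IPv4 and TCP headers to find the payload start instead of assuming 54, and emulates Snort's content/offset/depth semantics on that payload. It assumes Ethernet II + IPv4 + TCP framing (true for the sample) and that Snort 2.x rejects a depth shorter than the content at rule-load time; the function names are mine.

```python
"""Added worked example: where Snort's offset/depth actually count from.

Parses the hex dump quoted in the thread, walks Ethernet II -> IPv4 -> TCP
headers to find the payload, and emulates content/offset/depth on that
payload (what Snort searches) rather than on the raw frame.
"""
from typing import Optional

# Hex columns of the traffic sample posted in the thread (ASCII column dropped).
NIGHT_DRAGON_FRAME_DUMP = """
0000  00 17 f2 e6 88 5e 00 0c  29 64 61 33 08 00 45 00
0010  00 38 b9 de 40 00 80 06  bc ca c0 a8 01 5b c0 a8
0020  01 6b 05 42 00 50 db 8f  01 c1 41 6f 0e d9 50 18
0030  ff 32 04 b5 00 00 03 50  00 00 00 00 00 c2 63 16
0040  01 00 68 57 24 13
"""

# The pattern from the rule: content:"|68 57 24 13|", i.e. b"hW$\x13".
NIGHT_DRAGON_CONTENT = bytes.fromhex("68572413")

HEX_DIGITS = set("0123456789abcdefABCDEF")


def parse_hexdump(dump: str) -> bytes:
    """Convert an 'offset  xx xx ...' dump into raw bytes.

    Reads only two-hex-digit tokens after the offset column, so feed it a dump
    whose ASCII column has been removed (as above).
    """
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[1:]:
            if len(tok) == 2 and set(tok) <= HEX_DIGITS:
                out.append(int(tok, 16))
    return bytes(out)


def tcp_payload_offset(frame: bytes) -> int:
    """Frame offset at which the TCP payload starts.

    Assumes Ethernet II + IPv4 + TCP (true for the sample) and reads the
    variable-length fields (IHL, TCP data offset) instead of hard-coding 54.
    """
    eth_len = 14
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[eth_len] & 0x0F) * 4
    if frame[eth_len + 9] != 6:
        raise ValueError("not TCP")
    tcp_start = eth_len + ihl
    data_offset = (frame[tcp_start + 12] >> 4) * 4
    return tcp_start + data_offset


def content_match(payload: bytes, content: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Emulate Snort's content keyword with the offset/depth modifiers.

    offset: skip this many payload bytes before searching.
    depth:  search only this many bytes from that point.
    Snort 2.x refuses, at rule-load time, a depth shorter than the content
    itself; the ValueError mirrors that, so a depth:3 with a 4-byte pattern
    is flagged rather than silently never matching.
    """
    if depth is not None and depth < len(content):
        raise ValueError(
            f"depth ({depth}) is less than the size of the content ({len(content)})")
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return content in window


def check_sample() -> dict:
    """Run the arithmetic from the thread against the posted packet."""
    frame = parse_hexdump(NIGHT_DRAGON_FRAME_DUMP)
    start = tcp_payload_offset(frame)
    payload = frame[start:]
    try:
        content_match(payload, NIGHT_DRAGON_CONTENT, offset=12, depth=3)
        depth3_rejected = False
    except ValueError:
        depth3_rejected = True
    return {
        "frame_len": len(frame),
        "payload_start": start,  # 14 Ethernet + 20 IPv4 + 20 TCP
        "payload_len": len(payload),
        "frame_index": frame.find(NIGHT_DRAGON_CONTENT),      # the original rule's 66
        "payload_index": payload.find(NIGHT_DRAGON_CONTENT),  # the corrected 12
        "rule_offset12_depth4": content_match(payload, NIGHT_DRAGON_CONTENT, 12, 4),
        "rule_offset66": content_match(payload, NIGHT_DRAGON_CONTENT, 66),
        "depth3_rejected": depth3_rejected,
    }


if __name__ == "__main__":
    for key, value in check_sample().items():
        print(f"{key}: {value}")
```

Run it and the payload is found at frame offset 54, the pattern at payload offset 12 (frame offset 66), the corrected offset:12/depth:4 matches, and offset:66 applied to the payload has nothing left to search. The same walk is worth repeating on any capture before trusting an offset lifted from a hex dump: an IPv4 header with options or a TCP header with options moves the payload start past 54.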
