[Snort-sigs] Snort Ebury SSH Rootkit

rmkml rmkml at ...174...
Mon Feb 17 07:33:31 EST 2014


Thank you for sharing,

I'm curious, does this rootkit always use the same DNS transaction ID, please?

This sig fixes 0x120b (4619 dec).

Two comments:
- extra [] on [\x00]{6}
- extra | on [\x01|\x02|\x03]

Regards
@Rmkml


On Mon, 17 Feb 2014, Y M wrote:

> I can't help with that :).
>  
> YM
>  
> 
> ____________________________________________________________________________________________________________________________________________________________________________________________________________________________
> Date: Mon, 17 Feb 2014 11:35:52 +0100
> From: lukas.matt at ...525...
> To: snort at ...3751...
> CC: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit
> 
> Thanks YM!
> 
> But if I see that correctly, there was no answer as to whether it will be included or not, right (and when)?
> 
> Cheers,
> Lukas
> 
> On 02/17/2014 11:30 AM, Y M wrote:
>       Hi Lukas,
>        
>       This was posted to the list 2 days ago :).
>        
>       http://seclists.org/snort/2014/q1/364
>        
>       YM
>        
> 
> ____________________________________________________________________________________________________________________________________________________________________________________________________________________________
>       Date: Mon, 17 Feb 2014 11:26:03 +0100
>       From: lukas.matt at ...525...
>       To: snort-sigs at lists.sourceforge.net
>       Subject: [Snort-sigs] Snort Ebury SSH Rootkit
>
>       Hi guys,
>
>       the German intelligence agency wrote a Snort rule for detecting the Ebury Rootkit.
>       Are you aware of that rule, and when will it be included in the pattern set?
>
>             https://www.cert-bund.de/ebury-faq
>
>             alert udp $HOME_NET any -> $EXTERNAL_NET 53 \
>                 (msg:"Ebury SSH Rootkit data exfiltration"; \
>                 content:"|12 0b 01 00 00 01|"; depth:6; \
>                 pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; \
>                 reference:url,https://www.cert-bund.de/ebury-faq; \
>                 classtype:trojan-activity; sid:10001; rev:1;)
> 
>
>       Cheers,
>       Lukas
> 
> 
> -- 
> Lukas Matt
> Deep Packet Inspection Researcher, RnD
> 
> tel: +49-721-25516-322, cell: +49-174-3440-555
> 
> Sophos Technology GmbH 
> Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
> 
> SOPHOS Security made simple
> 
> ---
> Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
> Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany 
> Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
>
>       _______________________________________________
>       Snort-sigs mailing list
>       Snort-sigs at lists.sourceforge.net
>       https://lists.sourceforge.net/lists/listinfo/snort-sigs
>       http://www.snort.org
>       Please visit http://blog.snort.org for the latest news about Snort!
> 
> 
> 
> 
>

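The rule quoted in the thread can be exercised offline. The Python below is an added example, not part of the thread or of the CERT-Bund FAQ: it re-implements the rule's content and pcre checks with the standard re module, builds constructed DNS questions shaped the way the pcre expects (plus one deliberately malformed one), and runs both the pcre exactly as posted and a tightened variant that applies rmkml's two comments. The tightened pattern, the hex sample data, the 192.0.2.1 address, the 0x1234 transaction ID and every function name are assumptions introduced here; nothing in the thread states them.

```python
import re
import struct

# Constructed example: emulate the CERT-Bund Snort rule quoted in the thread so its
# pcre can be run against hand-built DNS questions. Snort's /B modifier (match the
# raw, unnormalized buffer) needs no equivalent here; /s maps to re.DOTALL.

# The pcre exactly as posted, including the two quirks rmkml points out.
POSTED_PCRE = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}"
    rb"(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01",
    re.DOTALL,
)

# Assumption: the tightening rmkml is asking for. `[\x00]{6}` becomes `\x00{6}` (same
# meaning, brackets dropped) and `[\x01|\x02|\x03]` becomes `[\x01-\x03]`, so a literal
# '|' (0x7c) is no longer accepted where a 1..3 label-length byte is expected.
FIXED_PCRE = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01\x00{6}.[a-f0-9]{6,}"
    rb"(([\x01-\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01",
    re.DOTALL,
)

CONTENT = b"\x12\x0b\x01\x00\x00\x01"  # content:"|12 0b 01 00 00 01|"; depth:6;


def build_query(txid, labels, qtype=1):
    """Minimal DNS question: 12-byte header (flags 0x0100 = standard query with RD,
    QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0), one QNAME from `labels`, QTYPE, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def rule_matches(payload, pcre=POSTED_PCRE):
    """Content match confined to the first 6 bytes (depth:6), then the pcre on the raw payload."""
    return payload[:6] == CONTENT and pcre.search(payload) is not None


def evaluate_samples():
    """Run both pcre variants over constructed UDP payloads; returns {name: (posted, fixed)}."""
    hexdata = b"deadbeefcafe01"  # stands in for the hex-encoded data label the pcre expects
    ip_labels = [b"192", b"0", b"2", b"1"]  # 192.0.2.1, one decimal label per octet

    samples = {
        # The shape the pcre describes: <hex>.<a>.<b>.<c>.<d>, root label, QTYPE A
        "ebury_shape": build_query(0x120B, [hexdata] + ip_labels),
        # The pcre's second alternative: a literal "::1" label instead of four octets
        "ebury_shape_v6_loopback": build_query(0x120B, [hexdata, b"::1"]),
        # Same QNAME, different transaction ID: the hard-coded 0x120b gates everything
        "other_txid": build_query(0x1234, [hexdata] + ip_labels),
        # Ordinary lookup carrying the magic txid: the structural part still rejects it
        "benign_qname": build_query(0x120B, [b"www", b"example", b"com"]),
    }
    # Malformed on purpose: the length byte of the first octet label replaced by '|' (0x7c).
    # Not a valid DNS message; it only shows that '|' is a member of [\x01|\x02|\x03].
    samples["pipe_as_length_byte"] = samples["ebury_shape"].replace(b"\x03192", b"|192")

    return {
        name: (rule_matches(pkt, POSTED_PCRE), rule_matches(pkt, FIXED_PCRE))
        for name, pkt in samples.items()
    }


if __name__ == "__main__":
    for name, (posted, fixed) in evaluate_samples().items():
        print(f"{name:24s} posted={posted!s:5s} fixed={fixed}")
```

Two things fall out of running it. Changing only the transaction ID defeats both the content match and the pcre, which is the dependency rmkml's question is about: the rule detects one fixed ID, not the query structure on its own. And the posted character class accepts a 0x7c byte where the length byte should be, so the only behavioural difference between the two patterns is on the malformed sample; on the well-formed ones they agree.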

More information about the Snort-sigs mailing list