[Snort-sigs] Snort Ebury SSH Rootkit

Y M snort at ...3751...
Sat Feb 22 14:45:13 EST 2014


Another rule suggested/authored by ESET on welivesecurity. Sig is at the bottom:
 
http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
 
alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"Linux/Ebury SSH backdoor activity"; content:"SSH-2.0"; isdataat:20,relative; pcre:"/^SSH-2\.0-[0-9a-f]{22,46}/sm"; reference:url,http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/; classtype:trojan-activity; sid:1000001; rev:1;)
 
> Date: Mon, 17 Feb 2014 13:33:31 +0100
> From: rmkml at ...174...
> To: snort at ...3751...; lukas.matt at ...525...
> CC: snort-sigs at lists.sourceforge.net; rmkml at ...174...
> Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit
> 
> Thank you for sharing,
> 
> I'm curious whether this rootkit always uses the same DNS transaction ID?
> 
> This sig fixes it to 0x120b (4619 dec)
> 
> Two comments:
> - extra [] on [\x00]{6}
> - extra | on [\x01|\x02|\x03]
> 
> Regards
> @Rmkml
> 
> 
> On Mon, 17 Feb 2014, Y M wrote:
> 
> > I can't help with that :).
> >  
> > YM
> >  
> > 
> > ____________________________________________________________________________________________________________________________________________________________________________________________________________________________
> > Date: Mon, 17 Feb 2014 11:35:52 +0100
> > From: lukas.matt at ...525...
> > To: snort at ...3751...
> > CC: snort-sigs at lists.sourceforge.net
> > Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit
> > 
> > Thanks YM!
> > 
> > But if I see that correctly, there was no answer as to whether it will be included or not, right (and when)?
> > 
> > Cheers,
> > Lukas
> > 
> > On 02/17/2014 11:30 AM, Y M wrote:
> >       Hi Lukas,
> >        
> >       This was posted to the list 2 days ago :).
> >        
> >       http://seclists.org/snort/2014/q1/364
> >        
> >       YM
> >        
> > 
> > ____________________________________________________________________________________________________________________________________________________________________________________________________________________________
> >       Date: Mon, 17 Feb 2014 11:26:03 +0100
> >       From: lukas.matt at ...525...
> >       To: snort-sigs at lists.sourceforge.net
> >       Subject: [Snort-sigs] Snort Ebury SSH Rootkit
> >
> >       Hi guys,
> >
> >       The German intelligence agency wrote a Snort rule for detecting the Ebury rootkit.
> >       Are you aware of that rule, and when will it be included in the pattern set?
> >
> >             https://www.cert-bund.de/ebury-faq
> >
> >             alert udp $HOME_NET any -> $EXTERNAL_NET 53 \
> >             (msg:"Ebury SSH Rootkit data exfiltration";\
> >             content:"|12 0b 01 00 00 01|"; depth:6;\
> >             pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs";\
> >             reference:url,https://www.cert-bund.de/ebury-faq;\
> >             classtype:trojan-activity; sid:10001; rev:1;)
> > 
> >
> >       Cheers,
> >       Lukas
> > 
> > 
> > -- 
> > Lukas Matt
> > Deep Packet Inspection Researcher, RnD
> > 
> > tel: +49-721-25516-322, cell: +49-174-3440-555
> > 
> > Sophos Technology GmbH 
> > Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
> > 
> > SOPHOS Security made simple
> > 
> > ---
> > Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
> > Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany 
> > Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
> >
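Added example, not code from this thread, from ESET or from CERT-Bund: both rules' PCREs translated to Python bytes regexes, with the surrounding content/isdataat/depth checks approximated, and run against constructed sample payloads. It also shows the hard-coded DNS transaction ID that Rmkml raises above; the helper names and the sample banners/queries are my own.

```python
import re
import struct

# ESET SSH-banner PCRE as a Python bytes regex; Snort's "sm" flags map to DOTALL | MULTILINE.
SSH_BANNER_RE = re.compile(rb"^SSH-2\.0-[0-9a-f]{22,46}", re.DOTALL | re.MULTILINE)

# CERT-Bund DNS PCRE, kept byte-for-byte as posted ("B" = raw payload, "s" = DOTALL).
# The DNS transaction ID 0x120b is hard-coded in both the content match and the PCRE.
DNS_EXFIL_RE = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}"
    rb"(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01",
    re.DOTALL,
)

def ssh_banner_matches(payload: bytes) -> bool:
    """Mirror the ESET rule: content "SSH-2.0", isdataat:20,relative, then the PCRE."""
    idx = payload.find(b"SSH-2.0")
    if idx < 0 or len(payload) - (idx + 7) < 20:   # fewer than 20 bytes after the content
        return False
    return SSH_BANNER_RE.search(payload) is not None

def dns_exfil_matches(payload: bytes) -> bool:
    """Mirror the CERT-Bund rule: 6-byte content within depth 6, then the PCRE."""
    if payload[:6] != b"\x12\x0b\x01\x00\x00\x01":
        return False
    return DNS_EXFIL_RE.search(payload) is not None

def build_dns_query(txid: int, labels: list) -> bytes:
    """Constructed test fixture: a plain DNS A/IN query whose QNAME is the given labels."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)             # QTYPE=A, QCLASS=IN

# Constructed sample payloads (not captured traffic).
LEGIT_BANNER = b"SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1\r\n"
SUSPECT_BANNER = b"SSH-2.0-" + b"0123456789abcdef" * 2 + b"\r\n"   # 32 lowercase hex chars
EXFIL_LABELS = [b"deadbeefcafe", b"192", b"168", b"1", b"10"]       # hex blob + IPv4 octets
EXFIL_QUERY = build_dns_query(0x120B, EXFIL_LABELS)
OTHER_TXID_QUERY = build_dns_query(0x1234, EXFIL_LABELS)            # same shape, other ID

if __name__ == "__main__":
    print("legit banner   :", ssh_banner_matches(LEGIT_BANNER))     # False
    print("suspect banner :", ssh_banner_matches(SUSPECT_BANNER))   # True
    print("exfil query    :", dns_exfil_matches(EXFIL_QUERY))       # True
    print("other txid     :", dns_exfil_matches(OTHER_TXID_QUERY))  # False
```

The last case is the blind spot Rmkml points at: a query with identical structure but a different transaction ID passes both the content match and the PCRE untouched.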