[Snort-sigs] Snort Ebury SSH Rootkit

Y M snort at ...3751...
Sat Feb 22 20:49:00 EST 2014


Hi Rmkml,
 
Thank you for the good input. This is how the rule came from the reference; I just copied it, and there is certainly room for improvement.
 
According to the reference, this is an inbound packet, where the operators connect to the backdoor on the compromised box.
 
YM
 
> Date: Sat, 22 Feb 2014 21:02:59 +0100
> From: rmkml at ...174...
> To: snort at ...3751...
> CC: lukas.matt at ...525...; snort-sigs at lists.sourceforge.net; rmkml at ...3868.....
> Subject: RE: [Snort-sigs] Snort Ebury SSH Rootkit
> 
> Thx you YM for sharing,
> 
> On msg, maybe add "i" on activty.
> 
> add flow:to_server,established;
> 
> add depth:7 after first content
> 
> add content:!"|0A|"; within:20; distance:0; after isdataat
> 
> I don't know whether the backdoor is inbound (in your example to $HOME_NET) or outbound (to $EXTERNAL_NET)?
> 
> Regards
> @Rmkml
> 
> 
> 
> On Sat, 22 Feb 2014, Y M wrote:
> 
> > Another rule suggested/authored by ESET on welivesecurity. Sig is at the bottom:
> >  
> > http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
> >  
> > 
> > alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"Linux/Ebury SSH backdoor activty"; content:"SSH-2.0"; isdataat:20,relative; pcre:"/^SSH-2\.0-[0-9a-f]{22,46}/sm"; reference:url,http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/; classtype:trojan-activity; sid:1000001; rev:1;)
> > 
> >  
> > > Date: Mon, 17 Feb 2014 13:33:31 +0100
> > > From: rmkml at ...174...
> > > To: snort at ...3751...; lukas.matt at ...525...
> > > CC: snort-sigs at lists.sourceforge.net; rmkml at ...174...
> > > Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit
> > >
> > > Thx you for sharing,
> > >
> > > I'm curious whether this rootkit always uses the same DNS transaction ID?
> > >
> > > This sig fixes it at 0x120b (4619 dec).
> > >
> > > Two comments:
> > > - extra [] on [\x00]{6}
> > > - extra | on [\x01|\x02|\x03]
> > >
> > > Regards
> > > @Rmkml
> > >
> > >
> > > On Mon, 17 Feb 2014, Y M wrote:
> > >
> > > > I can't help with that :).
> > > >  
> > > > YM
> > > >  
> > > >
> > > > Date: Mon, 17 Feb 2014 11:35:52 +0100
> > > > From: lukas.matt at ...525...
> > > > To: snort at ...3751...
> > > > CC: snort-sigs at lists.sourceforge.net
> > > > Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit
> > > >
> > > > Thanks YM!
> > > >
> > > > But if I see that correctly, there was no answer as to whether (and when) it will be included, right?
> > > >
> > > > Cheers,
> > > > Lukas
> > > >
> > > > On 02/17/2014 11:30 AM, Y M wrote:
> > > > Hi Lukas,
> > > >  
> > > > This has been posted to the list 2 days ago :).
> > > >  
> > > > http://seclists.org/snort/2014/q1/364
> > > >  
> > > > YM
> > > >  
> > > >
> > > > Date: Mon, 17 Feb 2014 11:26:03 +0100
> > > > From: lukas.matt at ...525...
> > > > To: snort-sigs at lists.sourceforge.net
> > > > Subject: [Snort-sigs] Snort Ebury SSH Rootkit
> > > >
> > > > Hi guys,
> > > >
> > > > the German intelligence agency wrote a Snort rule for detecting the Ebury rootkit.
> > > > Are you aware of that rule, and when will it be included in the pattern set?
> > > >
> > > > https://www.cert-bund.de/ebury-faq
> > > >
> > > > alert udp $HOME_NET any -> $EXTERNAL_NET 53 \
> > > >  (msg:"Ebury SSH Rootkit data exfiltration";\
> > > >  content:"|12 0b 01 00 00 01|"; depth:6;\
> > > >  pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}\
> > > > (([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs";\
> > > >  reference:url,https://www.cert-bund.de/ebury-faq;\
> > > >  classtype:trojan-activity; sid:10001; rev:1;)
> > > >
> > > >
> > > > Cheers,
> > > > Lukas
> > > >
> > > >
> > > > --
> > > > Lukas Matt
> > > > Deep Packet Inspection Researcher, RnD
> > > >
> > > > tel: +49-721-25516-322, cell: +49-174-3440-555
> > > >
> > > > Sophos Technology GmbH
> > > > Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
> > > >
> > > > SOPHOS Security made simple
> > > >
> > > > ---
> > > > Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
> > > > Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany
> > > > Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
> > > >
> > > >
> > 
> >
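To make the two signatures in this thread concrete, here is an added example (not part of the original thread, and not code from CERT-Bund, ESET or Rmkml) that evaluates both rules' detection options in Python over constructed payloads: the CERT-Bund DNS rule (content/depth check followed by its pcre) and the ESET SSH banner rule. It also shows what Rmkml's two remarks mean in practice: inside a character class `|` is a literal byte 0x7c, so `[\x01|\x02|\x03]` accepts input that a tightened `[\x01-\x03]` (an assumed correction, not on the page) rejects. The DNS queries and SSH banners are constructed for the test, not real Ebury captures, and the `isdataat:20,relative` check is approximated as "at least 20 bytes remain after the content match".

```python
import re

# --- Rule 1: CERT-Bund "Ebury SSH Rootkit data exfiltration" (UDP/53) ---
# content:"|12 0b 01 00 00 01|"; depth:6;   (txid 0x120b, flags 0x0100, QDCOUNT 1)
DNS_CONTENT = b"\x12\x0b\x01\x00\x00\x01"

# The pcre exactly as quoted in the thread; Python's re accepts this syntax unchanged.
DNS_PCRE_ORIGINAL = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}"
    rb"(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01", re.S)

# Assumed tightened form following Rmkml's remarks: \x00{6} instead of [\x00]{6},
# and the range [\x01-\x03] instead of [\x01|\x02|\x03] (which also matches '|').
DNS_PCRE_TIGHTENED = re.compile(
    rb"^\x12\x0b\x01\x00\x00\x01\x00{6}.[a-f0-9]{6,}"
    rb"(([\x01-\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01", re.S)


def dns_rule_matches(payload: bytes, pcre=DNS_PCRE_ORIGINAL) -> bool:
    """Evaluate the rule's options in order: content within depth:6, then the pcre."""
    if payload[:6] != DNS_CONTENT:          # depth:6 => the content must start in the first bytes
        return False
    return pcre.match(payload) is not None  # /B anchors on the raw payload; re.S mirrors /s


def build_dns_query(labels, txid=0x120b) -> bytes:
    """Constructed minimal DNS query: header plus one A/IN question (not a real capture)."""
    header = txid.to_bytes(2, "big") + b"\x01\x00" + b"\x00\x01" + b"\x00" * 6
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + b"\x00\x01" + b"\x00\x01"   # QTYPE=A, QCLASS=IN


# Constructed query shaped like what the pcre describes: a hex label followed by an IPv4
# address split into four labels, under transaction id 0x120b. Not an actual Ebury query.
SUSPECT_QUERY = build_dns_query([b"deadbeef0123", b"10", b"0", b"2", b"15"])
# Ordinary lookups: one with another txid, one with txid 0x120b but a normal name.
BENIGN_QUERY = build_dns_query([b"www", b"example", b"com"], txid=0x1a2b)
BENIGN_SAME_TXID = build_dns_query([b"www", b"example", b"com"])
# Malformed bytes that only the original class accepts: 0x7c ('|') is inside [\x01|\x02|\x03].
PIPE_ONLY_MATCH = (DNS_CONTENT + b"\x00" * 6 + b"\x0cdeadbeef0123"
                   + b"|10|0|2|15" + b"\x00\x00\x01")

# --- Rule 2: ESET "Linux/Ebury SSH backdoor" banner check (inbound to $SSH_PORTS) ---
# content:"SSH-2.0"; isdataat:20,relative; pcre:"/^SSH-2\.0-[0-9a-f]{22,46}/sm";
SSH_CONTENT = b"SSH-2.0"
SSH_PCRE = re.compile(rb"^SSH-2\.0-[0-9a-f]{22,46}", re.S | re.M)


def ssh_rule_matches(payload: bytes) -> bool:
    """Content match, then isdataat:20,relative (approximated), then the pcre."""
    idx = payload.find(SSH_CONTENT)
    if idx < 0:
        return False
    cursor = idx + len(SSH_CONTENT)
    if len(payload) - cursor < 20:          # approximation of isdataat:20,relative
        return False
    return SSH_PCRE.search(payload) is not None


# Constructed banners: a hex-only version string of 32 chars versus a stock OpenSSH banner.
SUSPECT_BANNER = b"SSH-2.0-0123456789abcdef0123456789abcdef\r\n"
NORMAL_BANNER = b"SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2\r\n"

if __name__ == "__main__":
    for name, pkt in [("suspect", SUSPECT_QUERY), ("benign", BENIGN_QUERY),
                      ("benign-same-txid", BENIGN_SAME_TXID), ("pipe-bytes", PIPE_ONLY_MATCH)]:
        print(f"DNS {name:17s} original={dns_rule_matches(pkt)} "
              f"tightened={dns_rule_matches(pkt, DNS_PCRE_TIGHTENED)}")
    print("SSH suspect", ssh_rule_matches(SUSPECT_BANNER), "normal", ssh_rule_matches(NORMAL_BANNER))
```

The pipe-bytes case is the point of Rmkml's second remark: the original class fires on a byte sequence that is not even a well-formed DNS name, while the range form does not, and both still fire on the constructed suspect query. Nothing here changes the rules' logic beyond that class; the fixed transaction ID 0x120b remains the strongest and most brittle part of the DNS signature, which is what Rmkml's question about the transaction ID was getting at.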
 		 	   		  
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20140223/2ef4ea6a/attachment.html>


More information about the Snort-sigs mailing list