[Snort-sigs] Snort Ebury SSH Rootkit

Joel Esler (jesler) jesler at ...3865...
Sun Feb 23 08:12:54 EST 2014


We received permission to use the other rule from the author.  We're putting it through QA now.  We can't just take people's rules.  

--
Joel Esler
Sent from my iPhone

> On Feb 22, 2014, at 14:48, "Y M" <snort at ...3751...> wrote:
> 
> Another rule suggested/authored by ESET on welivesecurity. Sig is at the bottom:
>  
> http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
>  
> alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"Linux/Ebury SSH backdoor activity"; content:"SSH-2.0"; isdataat:20,relative; pcre:"/^SSH-2\.0-[0-9a-f]{22,46}/sm"; reference:url,http://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/; classtype:trojan-activity; sid:1000001; rev:1;)
> 
>  
> > Date: Mon, 17 Feb 2014 13:33:31 +0100
> > From: rmkml at ...174...
> > To: snort at ...3751...; lukas.matt at ...525...
> > CC: snort-sigs at lists.sourceforge.net; rmkml at ...174...
> > Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit
> > 
> > Thx you for sharing,
> > 
> > I'm curious whether this rootkit always uses the same DNS transaction ID, please?
> > 
> > This sig fixes 0x120b (4619 dec).
> > 
> > Two comments:
> > - extra [] on [\x00]{6}
> > - extra | on [\x01|\x02|\x03]
> > 
> > Regards
> > @Rmkml
> > 
> > 
> > On Mon, 17 Feb 2014, Y M wrote:
> > 
> > > I can't help with that :).
> > >  
> > > YM
> > >  
> > > 
> > > ________________________________________
> > > Date: Mon, 17 Feb 2014 11:35:52 +0100
> > > From: lukas.matt at ...525...
> > > To: snort at ...3751...
> > > CC: snort-sigs at lists.sourceforge.net
> > > Subject: Re: [Snort-sigs] Snort Ebury SSH Rootkit
> > > 
> > > Thanks YM!
> > > 
> > > But if I see that correctly, there was no answer whether it will be included or not, right (and when)?
> > > 
> > > Cheers,
> > > Lukas
> > > 
> > > On 02/17/2014 11:30 AM, Y M wrote:
> > > Hi Lukas,
> > >  
> > > This was posted to the list 2 days ago :).
> > >  
> > > http://seclists.org/snort/2014/q1/364
> > >  
> > > YM
> > >  
> > > 
> > > ________________________________________
> > > Date: Mon, 17 Feb 2014 11:26:03 +0100
> > > From: lukas.matt at ...525...
> > > To: snort-sigs at lists.sourceforge.net
> > > Subject: [Snort-sigs] Snort Ebury SSH Rootkit
> > >
> > > Hi guys,
> > >
> > > the German intelligence agency wrote a Snort rule for detecting the Ebury rootkit.
> > > Are you aware of that rule, and when will it be included in the pattern set?
> > >
> > > https://www.cert-bund.de/ebury-faq
> > >
> > > alert udp $HOME_NET any -> $EXTERNAL_NET 53 \
> > >   (msg:"Ebury SSH Rootkit data exfiltration"; \
> > >   content:"|12 0b 01 00 00 01|"; depth:6; \
> > >   pcre:"/^\x12\x0b\x01\x00\x00\x01[\x00]{6}.[a-f0-9]{6,}(([\x01|\x02|\x03]\d{1,3}){4}|\x03::1)\x00\x00\x01/Bs"; \
> > >   reference:url,https://www.cert-bund.de/ebury-faq; \
> > >   classtype:trojan-activity; sid:10001; rev:1;)
> > > 
> > >
> > > Cheers,
> > > Lukas
> > > 
> > > 
> > > -- 
> > > Lukas Matt
> > > Deep Packet Inspection Researcher, RnD
> > > 
> > > tel: +49-721-25516-322, cell: +49-174-3440-555
> > > 
> > > Sophos Technology GmbH 
> > > Amalienbadstr. 41/Bau 52, 76227 Karlsruhe, Germany
> > > 
> > > SOPHOS Security made simple
> > > 
> > > ---
> > > Sophos Technology GmbH, Commercial Register: Mannheim HRB 712658
> > > Headquarter Location: Amalienbadstr. 41/Bau 52 | 76227 Karlsruhe | Germany 
> > > Executive Board: Nicholas Bray, Pino von Kienlin, Joachim Frost, Günter Junk
> > >
> > > 
> > > 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
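Added example (not code from the thread, from ESET, from CERT-Bund or from the Snort project): a Python re-implementation of the two rules quoted above, run offline over constructed packets. The SSH half mirrors the ESET banner rule (content match, isdataat, pcre) byte for byte. The DNS half parses the header and first question instead of regexing raw bytes, checks the fixed transaction ID 0x120b, flags 0x0100, a single A question, a leading hex label of at least six characters, and then either four labels of one to three digits or the single label "::1". Label lengths are taken from the wire, so the extra "[]" and "|" that Rmkml points out in the rule's character classes do not carry over. Every banner, query name and hex string below is made up to exercise the logic and is not captured Ebury traffic.

```python
"""Offline mirrors of the ESET SSH banner rule and the CERT-Bund DNS rule.

Added example, not code from the thread, ESET, CERT-Bund or Snort.
All sample packets are constructed here for illustration.
"""
import re
import struct

# --- ESET rule: "SSH-2.0-" followed by 22..46 lowercase hex characters ---------------
SSH_BANNER_RE = re.compile(rb"^SSH-2\.0-[0-9a-f]{22,46}", re.M | re.S)


def ssh_banner_matches(payload: bytes) -> bool:
    """content:"SSH-2.0"; isdataat:20,relative; pcre:"/^SSH-2\\.0-[0-9a-f]{22,46}/sm"."""
    pos = payload.find(b"SSH-2.0")
    if pos < 0:
        return False
    # isdataat:20,relative -> at least 20 more payload bytes after the content match
    if len(payload) - (pos + len(b"SSH-2.0")) < 20:
        return False
    return SSH_BANNER_RE.search(payload) is not None


# --- CERT-Bund rule: fixed-TXID A query for <hex>.<o1>.<o2>.<o3>.<o4> or <hex>.::1 ----
EBURY_TXID = 0x120B                       # the transaction ID the rule is pinned to
HEX_LABEL_RE = re.compile(rb"^[a-f0-9]{6,}$")
OCTET_RE = re.compile(rb"^\d{1,3}$")


def parse_dns_question(payload: bytes):
    """Parse the 12-byte header and the first question name/type.

    Returns (header tuple, list of labels, qtype) or None on malformed input.
    Only uncompressed names are accepted, which is all a query needs."""
    if len(payload) < 12:
        return None
    hdr = struct.unpack("!HHHHHH", payload[:12])   # id, flags, qd, an, ns, ar
    labels, off = [], 12
    while True:
        if off >= len(payload):
            return None
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 or off + n > len(payload):     # compression pointer or truncated
            return None
        labels.append(payload[off:off + n])
        off += n
    if off + 2 > len(payload):
        return None
    qtype = struct.unpack("!H", payload[off:off + 2])[0]
    return hdr, labels, qtype


def ebury_dns_matches(payload: bytes) -> bool:
    """Structural equivalent of the CERT-Bund content + pcre checks."""
    parsed = parse_dns_question(payload)
    if parsed is None:
        return False
    (txid, flags, qd, an, ns, ar), labels, qtype = parsed
    # |12 0b 01 00 00 01| + six zero bytes: standard query, 1 question, no other sections
    if (txid, flags, qd, an, ns, ar) != (EBURY_TXID, 0x0100, 1, 0, 0, 0):
        return False
    # first label is the hex-encoded data, query type must be A (\x00\x01)
    if qtype != 1 or len(labels) < 2 or not HEX_LABEL_RE.match(labels[0]):
        return False
    rest = labels[1:]
    # the rule's alternation: four 1..3-digit labels (an IPv4 address) or the label "::1"
    return (len(rest) == 4 and all(OCTET_RE.match(l) for l in rest)) or rest == [b"::1"]


def build_query(name: bytes, txid: int = EBURY_TXID, qtype: int = 1) -> bytes:
    """Constructed sample packet: standard query, one question, class IN."""
    hdr = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l for l in name.split(b".")) + b"\x00"
    return hdr + qname + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    banners = {
        "ordinary client banner": b"SSH-2.0-OpenSSH_6.2p2 Ubuntu-6ubuntu0.1\r\n",
        "hex banner (24 hex chars)": b"SSH-2.0-a1b2c3d4e5f60718293a4b5c\r\n",
        "short hex banner": b"SSH-2.0-deadbeef\r\n",
    }
    for label, b in banners.items():
        print(f"ssh  {label:28s} -> {ssh_banner_matches(b)}")
    queries = {
        "hex.IPv4, txid 0x120b": build_query(b"6162636465666768.192.0.2.10"),
        "hex.::1":               build_query(b"6162636465666768.::1"),
        "ordinary lookup":       build_query(b"www.example.com"),
        "same name, other txid": build_query(b"6162636465666768.192.0.2.10", txid=0x1234),
        "same name, TXT query":  build_query(b"6162636465666768.192.0.2.10", qtype=16),
    }
    for label, q in queries.items():
        print(f"dns  {label:28s} -> {ebury_dns_matches(q)}")
```

Running the block prints one verdict per sample. The parser form is useful for validating a pcap or the rule's intent before deployment; the Snort rules themselves are what you would actually run. Note that the DNS rule only fires for the single transaction ID 0x120b, which is exactly the point Rmkml raises above: if the malware ever picks a different ID, this signature stays silent.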