[Snort-sigs] SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound

Joel Esler (jesler) jesler at ...3865...
Fri Oct 10 09:02:00 EDT 2014


Thanks joe.  We'll have a look. 

--
Joel Esler
iPhone

> On Oct 10, 2014, at 08:52, Joe Gedeon <joe.gedeon at ...2420...> wrote:
> 
> We are getting a number of hits for this with Xerox printers connecting out to "layer7-prod.idns.xerox.com".  Looking at the reference URL in the signature we are trying to figure out if there is a match here.  The cert does match what the signature is looking for, but the reference url does not mention anything about ssl connections or certs.  Could there be another reference url that was used to write this rule?   
> 
> Line 88 of the cert paste is the matching line that rule is triggering one.  No other IOC's have been seen that match the reference url.
> 
> Rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 08|"; content:"|0A|Some-State1!0"; within:14; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/8f98fce6c20dbbe8a156e5a5b671066ccd0db240140e81d69d1a7205457605cb/analysis/; classtype:trojan-activity; sid:32124; rev:1;)
> 
> 
> Cert:
> openssl s_client -connect 13.13.56.126:443
> CONNECTED(00000003)
> depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=Unified Communications/CN=gateway.websrvs.xerox.com
>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
>  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>  2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIMEjCCCvqgAwIBAgIQUkZPlDqIksH99dsBjAAKqDANBgkqhkiG9w0BAQUFADCB
> iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
> A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV
> BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTE0
> MDUwOTAwMDAwMFoXDTE1MDUwOTIzNTk1OVowggEXMQswCQYDVQQGEwJVUzEOMAwG
> A1UEERMFMDY4NTAxFDASBgNVBAgTC0Nvbm5lY3RpY3V0MRAwDgYDVQQHEwdOb3J3
> YWxrMRkwFwYDVQQJExA0NSBHbG92ZXIgQXZlbnVlMRowGAYDVQQKExFYZXJveCBD
> b3Jwb3JhdGlvbjEbMBkGA1UECxMSV29ybGQgSGVhZHF1YXJ0ZXJzMTcwNQYDVQQL
> Ey5Jc3N1ZWQgdGhyb3VnaCBYZXJveCBDb3Jwb3JhdGlvbiBFLVBLSSBNYW5hZ2Vy
> MR8wHQYDVQQLExZVbmlmaWVkIENvbW11bmljYXRpb25zMSIwIAYDVQQDExlnYXRl
> d2F5LndlYnNydnMueGVyb3guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
> CgKCAQEA55X7kBDiOXYuZzoUGiWUv6MLdWDQv1jUPjh+9nP1EEPcmaiTviZGzDjR
> sSBcaZ7s/dAHpuaGk6cYq/yj4T0x65ctfaxXawTXeAtb+5c89vzur2K8hLdl14Xc
> bjxVHWD0eybuNPdyGuOGURaGuuA0IWSQlWI7eGvMqZyE6Jks76DMXsZ/VAg/ewtZ
> AqYLnFVXB8kxCY7xaChun65xDEzVrpV87zJgHX+TTupal0rhIsS1/2dxj6qFVLrV
> xal5Ba9OKKzCX4EZNlD1IYctjcXZyf1oOXPbdLWJLRsuKTAZ+pViLLINF6Wcs8zv
> 4BbwKiviO3aTVyR/QJ5Z5Oq2JHi7BwIDAQABo4IH4zCCB98wHwYDVR0jBBgwFoAU
> P9W10NZEeVBKF6ObjErcuLAiZGswHQYDVR0OBBYEFJBATBPDLWyHubszz5WAS7YC
> 8/NwMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
> AQUFBwMBBggrBgEFBQcDAjBQBgNVHSAESTBHMDsGDCsGAQQBsjEBAgEDBDArMCkG
> CCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZngQwB
> AgIwTwYDVR0fBEgwRjBEoEKgQIY+aHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09N
> T0RPSGlnaC1Bc3N1cmFuY2VTZWN1cmVTZXJ2ZXJDQS5jcmwwgYAGCCsGAQUFBwEB
> BHQwcjBKBggrBgEFBQcwAoY+aHR0cDovL2NydC5jb21vZG9jYS5jb20vQ09NT0RP
> SGlnaC1Bc3N1cmFuY2VTZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0
> dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTCCBjgGA1UdEQSCBi8wggYrghlnYXRld2F5
> LndlYnNydnMueGVyb3guY29tgiBnYXRlc3RhZ2UtdGVzdC53ZWJzcnZzLnhlcm94
> LmNvbYIbZ2F0ZXN0YWdlLndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UwMS53
> ZWJzcnZzLnhlcm94LmNvbYIdZ2F0ZXN0YWdlMDIud2Vic3J2cy54ZXJveC5jb22C
> HWdhdGVzdGFnZTAzLndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UwNC53ZWJz
> cnZzLnhlcm94LmNvbYIdZ2F0ZXN0YWdlMDUud2Vic3J2cy54ZXJveC5jb22CHWdh
> dGVzdGFnZTA2LndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UwNy53ZWJzcnZz
> Lnhlcm94LmNvbYIdZ2F0ZXN0YWdlMDgud2Vic3J2cy54ZXJveC5jb22CHWdhdGVz
> dGFnZTA5LndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UxMC53ZWJzcnZzLnhl
> cm94LmNvbYIeZ2F0ZXdheS10ZXN0LndlYnNydnMueGVyb3guY29tghtnYXRld2F5
> MDEud2Vic3J2cy54ZXJveC5jb22CG2dhdGV3YXkwMi53ZWJzcnZzLnhlcm94LmNv
> bYIbZ2F0ZXdheTAzLndlYnNydnMueGVyb3guY29tghtnYXRld2F5MDQud2Vic3J2
> cy54ZXJveC5jb22CG2dhdGV3YXkwNS53ZWJzcnZzLnhlcm94LmNvbYIbZ2F0ZXdh
> eTA2LndlYnNydnMueGVyb3guY29tghtnYXRld2F5MDcud2Vic3J2cy54ZXJveC5j
> b22CG2dhdGV3YXkwOC53ZWJzcnZzLnhlcm94LmNvbYIbZ2F0ZXdheTA5LndlYnNy
> dnMueGVyb3guY29tghtnYXRld2F5MTAud2Vic3J2cy54ZXJveC5jb22CIG1kdC1z
> dGFnZS10ZXN0LnN1cHBvcnQueGVyb3guY29tghttZHQtc3RhZ2Uuc3VwcG9ydC54
> ZXJveC5jb22CGm1kdC10ZXN0LnN1cHBvcnQueGVyb3guY29tghVtZHQuc3VwcG9y
> dC54ZXJveC5jb22CG3JlbXNlcnYwMC5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2Vy
> djAxLnN1cHBvcnQueGVyb3guY29tghtyZW1zZXJ2MDIuc3VwcG9ydC54ZXJveC5j
> b22CG3JlbXNlcnYwMy5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2VydjA0LnN1cHBv
> cnQueGVyb3guY29tghtyZW1zZXJ2MDUuc3VwcG9ydC54ZXJveC5jb22CG3JlbXNl
> cnYwNi5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2VydjA3LnN1cHBvcnQueGVyb3gu
> Y29tghtyZW1zZXJ2MDguc3VwcG9ydC54ZXJveC5jb22CG3JlbXNlcnYwOS5zdXBw
> b3J0Lnhlcm94LmNvbYIbcmVtc2VydjEwLnN1cHBvcnQueGVyb3guY29tghtyZW1z
> ZXJ2MTEuc3VwcG9ydC54ZXJveC5jb22CG3JlbXNlcnYxMi5zdXBwb3J0Lnhlcm94
> LmNvbYIbcmVtc2VydjEzLnN1cHBvcnQueGVyb3guY29tghtyZW1zZXJ2MTQuc3Vw
> cG9ydC54ZXJveC5jb22CG3JlbXNlcnYxNS5zdXBwb3J0Lnhlcm94LmNvbYIbcmVt
> c2VydjE2LnN1cHBvcnQueGVyb3guY29tghtyZW1zZXJ2MTcuc3VwcG9ydC54ZXJv
> eC5jb22CG3JlbXNlcnYxOC5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2VydjE5LnN1
> cHBvcnQueGVyb3guY29tgiBzdXMtc3RhZ2UtdGVzdC5zdXBwb3J0Lnhlcm94LmNv
> bYIbc3VzLXN0YWdlLnN1cHBvcnQueGVyb3guY29tghpzdXMtdGVzdC5zdXBwb3J0
> Lnhlcm94LmNvbYIVc3VzLnN1cHBvcnQueGVyb3guY29tght3d3cucGF3cy5leHRl
> cm5hbC54ZXJveC5jb22CEnd3dy5wYXdzLnhlcm94LmNvbTANBgkqhkiG9w0BAQUF
> AAOCAQEAqm/9jwwwtyzUdPlVIDiLQa6808++cNoA3EOOGJR4FibpY22hmBHrWpY0
> Ls1RUbcDPWn8wLNl/pS820LFdIX7I231+tr9YxMYVx9DdqhrAeBWy8VB+7+LvgOI
> FK5OE93aq+LJhqhK0wJb0a2jIbUtm8klvFR+efr6kHWAone+XoMcPHX00tjwpG/+
> jadBIHCg/bzNq1z5dsBbtmY/AkewIAex276RR2KoVIIUD8ejIlf1wV5Lt7YXPmf6
> /WHnWjHmVQF1wYaqAPhc8X8FGgmZCcCksTIWJmBNMXurHfuljjYPFKfYNFmdE3u7
> FlP+5YmXqVYEYcrt99+I1zhoWsfzIQ==
> -----END CERTIFICATE-----
> subject=/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=Unified Communications/CN=gateway.websrvs.xerox.com
> issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
> ---
> Acceptable client certificate CA names
> /C=US/ST=Illinois/L=Chicago/O=BigMachines Inc. /OU=Operations/CN=bigmachines.self.xerox.com
> /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=MobilePro-VQ
> /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
> /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
> /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
> /CN=layer7-prod.idns.xerox.com
> /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
> /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
> /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
> /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
> /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
> /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary Certification Authority - G3
> /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/CN=USERTrust Legacy Secure Server CA
> /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> /C=US/O=Xerox Corp./CN=Xerox Web Services CA
> /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
> /C=US/O=Thawte, Inc./CN=Thawte SSL CA
> /C=US/ST=LOUISIANA/L=HAMMOND/O=BARRISTER GLOBAL SERVICES NETWORK, INC./OU=CLEARVIEW/OU=Terms of use at www.verisign.com/rpa (c)05/CN=PARTNERS.GLOBALSERVNET.COM
> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=InstantSSL/CN=xyzzy.xerox.com
> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=PremiumSSL Wildcard/CN=*.services.xerox.com
> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=InstantSSL/CN=infocareprod.eur.xerox.com
> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
> /C=US/O=Symantec Corporation/OU=Symantec Trust Network/OU=Persona Not Validated/CN=Symantec Class 1 Individual Subscriber CA - G4
> /C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=Unified Communications/CN=gateway.websrvs.xerox.com
> ---
> SSL handshake has read 11302 bytes and written 567 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID: 5437C7EAED1FB9A47597AB4A3E9E953125EC90075253412053534C4A20202020
>     Session-ID-ctx:
>     Master-Key: E850153DA8C022FFFACA1459CBFF820B98369F907FF5D7409305B1AF75CB2F13966A4B7859989FBB7A9B0B16960E809C
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1412941720
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
> closed
> -- 
> Registered Linux User # 379282
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20141010/63ff9cb1/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2322 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20141010/63ff9cb1/attachment.bin>


More information about the Snort-sigs mailing list