[Snort-sigs] SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound

Joe Gedeon joe.gedeon at ...2420...
Fri Oct 10 09:51:18 EDT 2014


Thanks Joel.

We are now getting further hits for this with normal self-signed certs on
various appliances like Platinum NVRs.

On Fri, Oct 10, 2014 at 9:02 AM, Joel Esler (jesler) <jesler at ...3865...>
wrote:

> Thanks Joe.  We'll have a look.
>
> --
> Joel Esler
> iPhone
>
> On Oct 10, 2014, at 08:52, Joe Gedeon <joe.gedeon at ...2420...> wrote:
>
> We are getting a number of hits for this with Xerox printers connecting
> out to "layer7-prod.idns.xerox.com".  Looking at the reference URL in the
> signature we are trying to figure out if there is a match here.  The cert
> does match what the signature is looking for, but the reference url does
> not mention anything about ssl connections or certs.  Could there be
> another reference url that was used to write this rule?
>
> Line 88 of the cert paste is the matching line that the rule is triggering
> on.  No other IOCs have been seen that match the reference URL.
>
> Rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST
> Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established;
> content:"|55 04 08|"; content:"|0A|Some-State1!0"; within:14; distance:1;
> metadata:policy balanced-ips drop, policy security-ips drop, service ssl;
> reference:url,www.virustotal.com/en/file/8f98fce6c20dbbe8a156e5a5b671066ccd0db240140e81d69d1a7205457605cb/analysis/;
> classtype:trojan-activity; sid:32124; rev:1;)
>
>
> Cert:
> openssl s_client -connect 13.13.56.126:443
> CONNECTED(00000003)
> depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
> AddTrust External CA Root
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover
> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
> Corporation E-PKI Manager/OU=Unified Communications/CN=
> gateway.websrvs.xerox.com
>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> High-Assurance Secure Server CA
>  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> High-Assurance Secure Server CA
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
>  2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIMEjCCCvqgAwIBAgIQUkZPlDqIksH99dsBjAAKqDANBgkqhkiG9w0BAQUFADCB
> iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
> A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV
> BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTE0
> MDUwOTAwMDAwMFoXDTE1MDUwOTIzNTk1OVowggEXMQswCQYDVQQGEwJVUzEOMAwG
> A1UEERMFMDY4NTAxFDASBgNVBAgTC0Nvbm5lY3RpY3V0MRAwDgYDVQQHEwdOb3J3
> YWxrMRkwFwYDVQQJExA0NSBHbG92ZXIgQXZlbnVlMRowGAYDVQQKExFYZXJveCBD
> b3Jwb3JhdGlvbjEbMBkGA1UECxMSV29ybGQgSGVhZHF1YXJ0ZXJzMTcwNQYDVQQL
> Ey5Jc3N1ZWQgdGhyb3VnaCBYZXJveCBDb3Jwb3JhdGlvbiBFLVBLSSBNYW5hZ2Vy
> MR8wHQYDVQQLExZVbmlmaWVkIENvbW11bmljYXRpb25zMSIwIAYDVQQDExlnYXRl
> d2F5LndlYnNydnMueGVyb3guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
> CgKCAQEA55X7kBDiOXYuZzoUGiWUv6MLdWDQv1jUPjh+9nP1EEPcmaiTviZGzDjR
> sSBcaZ7s/dAHpuaGk6cYq/yj4T0x65ctfaxXawTXeAtb+5c89vzur2K8hLdl14Xc
> bjxVHWD0eybuNPdyGuOGURaGuuA0IWSQlWI7eGvMqZyE6Jks76DMXsZ/VAg/ewtZ
> AqYLnFVXB8kxCY7xaChun65xDEzVrpV87zJgHX+TTupal0rhIsS1/2dxj6qFVLrV
> xal5Ba9OKKzCX4EZNlD1IYctjcXZyf1oOXPbdLWJLRsuKTAZ+pViLLINF6Wcs8zv
> 4BbwKiviO3aTVyR/QJ5Z5Oq2JHi7BwIDAQABo4IH4zCCB98wHwYDVR0jBBgwFoAU
> P9W10NZEeVBKF6ObjErcuLAiZGswHQYDVR0OBBYEFJBATBPDLWyHubszz5WAS7YC
> 8/NwMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
> AQUFBwMBBggrBgEFBQcDAjBQBgNVHSAESTBHMDsGDCsGAQQBsjEBAgEDBDArMCkG
> CCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZngQwB
> AgIwTwYDVR0fBEgwRjBEoEKgQIY+aHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09N
> T0RPSGlnaC1Bc3N1cmFuY2VTZWN1cmVTZXJ2ZXJDQS5jcmwwgYAGCCsGAQUFBwEB
> BHQwcjBKBggrBgEFBQcwAoY+aHR0cDovL2NydC5jb21vZG9jYS5jb20vQ09NT0RP
> SGlnaC1Bc3N1cmFuY2VTZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0
> dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTCCBjgGA1UdEQSCBi8wggYrghlnYXRld2F5
> LndlYnNydnMueGVyb3guY29tgiBnYXRlc3RhZ2UtdGVzdC53ZWJzcnZzLnhlcm94
> LmNvbYIbZ2F0ZXN0YWdlLndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UwMS53
> ZWJzcnZzLnhlcm94LmNvbYIdZ2F0ZXN0YWdlMDIud2Vic3J2cy54ZXJveC5jb22C
> HWdhdGVzdGFnZTAzLndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UwNC53ZWJz
> cnZzLnhlcm94LmNvbYIdZ2F0ZXN0YWdlMDUud2Vic3J2cy54ZXJveC5jb22CHWdh
> dGVzdGFnZTA2LndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UwNy53ZWJzcnZz
> Lnhlcm94LmNvbYIdZ2F0ZXN0YWdlMDgud2Vic3J2cy54ZXJveC5jb22CHWdhdGVz
> dGFnZTA5LndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UxMC53ZWJzcnZzLnhl
> cm94LmNvbYIeZ2F0ZXdheS10ZXN0LndlYnNydnMueGVyb3guY29tghtnYXRld2F5
> MDEud2Vic3J2cy54ZXJveC5jb22CG2dhdGV3YXkwMi53ZWJzcnZzLnhlcm94LmNv
> bYIbZ2F0ZXdheTAzLndlYnNydnMueGVyb3guY29tghtnYXRld2F5MDQud2Vic3J2
> cy54ZXJveC5jb22CG2dhdGV3YXkwNS53ZWJzcnZzLnhlcm94LmNvbYIbZ2F0ZXdh
> eTA2LndlYnNydnMueGVyb3guY29tghtnYXRld2F5MDcud2Vic3J2cy54ZXJveC5j
> b22CG2dhdGV3YXkwOC53ZWJzcnZzLnhlcm94LmNvbYIbZ2F0ZXdheTA5LndlYnNy
> dnMueGVyb3guY29tghtnYXRld2F5MTAud2Vic3J2cy54ZXJveC5jb22CIG1kdC1z
> dGFnZS10ZXN0LnN1cHBvcnQueGVyb3guY29tghttZHQtc3RhZ2Uuc3VwcG9ydC54
> ZXJveC5jb22CGm1kdC10ZXN0LnN1cHBvcnQueGVyb3guY29tghVtZHQuc3VwcG9y
> dC54ZXJveC5jb22CG3JlbXNlcnYwMC5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2Vy
> djAxLnN1cHBvcnQueGVyb3guY29tghtyZW1zZXJ2MDIuc3VwcG9ydC54ZXJveC5j
> b22CG3JlbXNlcnYwMy5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2VydjA0LnN1cHBv
> cnQueGVyb3guY29tghtyZW1zZXJ2MDUuc3VwcG9ydC54ZXJveC5jb22CG3JlbXNl
> cnYwNi5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2VydjA3LnN1cHBvcnQueGVyb3gu
> Y29tghtyZW1zZXJ2MDguc3VwcG9ydC54ZXJveC5jb22CG3JlbXNlcnYwOS5zdXBw
> b3J0Lnhlcm94LmNvbYIbcmVtc2VydjEwLnN1cHBvcnQueGVyb3guY29tghtyZW1z
> ZXJ2MTEuc3VwcG9ydC54ZXJveC5jb22CG3JlbXNlcnYxMi5zdXBwb3J0Lnhlcm94
> LmNvbYIbcmVtc2VydjEzLnN1cHBvcnQueGVyb3guY29tghtyZW1zZXJ2MTQuc3Vw
> cG9ydC54ZXJveC5jb22CG3JlbXNlcnYxNS5zdXBwb3J0Lnhlcm94LmNvbYIbcmVt
> c2VydjE2LnN1cHBvcnQueGVyb3guY29tghtyZW1zZXJ2MTcuc3VwcG9ydC54ZXJv
> eC5jb22CG3JlbXNlcnYxOC5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2VydjE5LnN1
> cHBvcnQueGVyb3guY29tgiBzdXMtc3RhZ2UtdGVzdC5zdXBwb3J0Lnhlcm94LmNv
> bYIbc3VzLXN0YWdlLnN1cHBvcnQueGVyb3guY29tghpzdXMtdGVzdC5zdXBwb3J0
> Lnhlcm94LmNvbYIVc3VzLnN1cHBvcnQueGVyb3guY29tght3d3cucGF3cy5leHRl
> cm5hbC54ZXJveC5jb22CEnd3dy5wYXdzLnhlcm94LmNvbTANBgkqhkiG9w0BAQUF
> AAOCAQEAqm/9jwwwtyzUdPlVIDiLQa6808++cNoA3EOOGJR4FibpY22hmBHrWpY0
> Ls1RUbcDPWn8wLNl/pS820LFdIX7I231+tr9YxMYVx9DdqhrAeBWy8VB+7+LvgOI
> FK5OE93aq+LJhqhK0wJb0a2jIbUtm8klvFR+efr6kHWAone+XoMcPHX00tjwpG/+
> jadBIHCg/bzNq1z5dsBbtmY/AkewIAex276RR2KoVIIUD8ejIlf1wV5Lt7YXPmf6
> /WHnWjHmVQF1wYaqAPhc8X8FGgmZCcCksTIWJmBNMXurHfuljjYPFKfYNFmdE3u7
> FlP+5YmXqVYEYcrt99+I1zhoWsfzIQ==
> -----END CERTIFICATE-----
> subject=/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover
> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
> Corporation E-PKI Manager/OU=Unified Communications/CN=
> gateway.websrvs.xerox.com
> issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> High-Assurance Secure Server CA
> ---
> Acceptable client certificate CA names
> /C=US/ST=Illinois/L=Chicago/O=BigMachines Inc. /OU=Operations/CN=
> bigmachines.self.xerox.com
> /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=MobilePro-VQ
> /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
> /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
> /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
> /CN=layer7-prod.idns.xerox.com
> /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
> /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
> liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification
> Authority (2048)
> /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=
> http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate
> Authority - G2
> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
> Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
> /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
> liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
> Certification Authority
> /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by
> reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> High-Assurance Secure Server CA
> /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification
> Authority
> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign,
> Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary
> Certification Authority - G3
> /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/CN=USERTrust Legacy
> Secure Server CA
> /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External
> CA Root
> /C=US/O=Xerox Corp./CN=Xerox Web Services CA
> /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006
> thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
> /C=US/O=Thawte, Inc./CN=Thawte SSL CA
> /C=US/ST=LOUISIANA/L=HAMMOND/O=BARRISTER GLOBAL SERVICES NETWORK,
> INC./OU=CLEARVIEW/OU=Terms of use at www.verisign.com/rpa (c)05/CN=
> PARTNERS.GLOBALSERVNET.COM
> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover
> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
> Corporation E-PKI Manager/OU=InstantSSL/CN=xyzzy.xerox.com
> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
> Certification Authority
> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover
> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
> Corporation E-PKI Manager/OU=PremiumSSL Wildcard/CN=*.services.xerox.com
> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
> Organization Validation Secure Server CA
> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover
> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
> Corporation E-PKI Manager/OU=InstantSSL/CN=infocareprod.eur.xerox.com
> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International
> Server CA - G3
> /C=US/O=Symantec Corporation/OU=Symantec Trust Network/OU=Persona Not
> Validated/CN=Symantec Class 1 Individual Subscriber CA - G4
> /C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover
> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
> Corporation E-PKI Manager/OU=Unified Communications/CN=
> gateway.websrvs.xerox.com
> ---
> SSL handshake has read 11302 bytes and written 567 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID:
> 5437C7EAED1FB9A47597AB4A3E9E953125EC90075253412053534C4A20202020
>     Session-ID-ctx:
>     Master-Key:
> E850153DA8C022FFFACA1459CBFF820B98369F907FF5D7409305B1AF75CB2F13966A4B7859989FBB7A9B0B16960E809C
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1412941720
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
> closed
> --
> Registered Linux User # 379282
>
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
>
>


-- 
Registered Linux User # 379282
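Editor's note, with an added example that is not from the post above or from the rule's authors: the rule's second content, "|0A|Some-State1!0", is the tail of a DER-encoded stateOrProvinceName attribute. 0x0A is the PrintableString length of "Some-State", and the three ASCII characters "1!0" are the bytes 31 21 30: the SET tag of the next RelativeDistinguishedName, its length 0x21, and the SEQUENCE tag inside it. 0x21 is exactly the encoded size of "O=Internet Widgits Pty Ltd". "Some-State" and "Internet Widgits Pty Ltd" are the defaults that OpenSSL's req command fills in for ST and O, so the rule matches any subject or issuer name built from those defaults, not only the Upatre certificate. Because flow:to_client covers everything the server sends, it also covers a TLS CertificateRequest, which carries the DER Names of the CAs the server will accept for client authentication; the openssl output above lists /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=MobilePro-VQ among the Xerox server's acceptable client certificate CA names. The Python below (assumed: Python 3.8 or later, standard library only; the sample subjects are constructed from strings visible in the paste, not captured bytes) builds the DER encodings and emulates the rule's content/distance/within logic over them:

```python
"""Why SID 32124 fires on ordinary OpenSSL self-signed certificates.

Added illustration; not code from the mailing-list post or from the rule's authors.
It re-implements just enough of Snort's content / distance / within matching to
run the rule's two content options over hand-built DER X.509 Name encodings.
"""

# The rule's two content matches, as raw bytes.
CONTENT_1 = bytes.fromhex("550408")      # OID 2.5.4.8, stateOrProvinceName
CONTENT_2 = b"\x0aSome-State1!0"         # 0x0A = len("Some-State"); "1!0" = 31 21 30
DISTANCE = 1                             # skips the PrintableString tag byte (0x13)
WITHIN = 14                              # CONTENT_2 is 14 bytes, so it must start right there

OID_C = bytes.fromhex("550406")          # countryName
OID_ST = bytes.fromhex("550408")         # stateOrProvinceName
OID_O = bytes.fromhex("55040a")          # organizationName
OID_CN = bytes.fromhex("550403")         # commonName


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def rdn(oid: bytes, value: str) -> bytes:
    """One RelativeDistinguishedName: SET { SEQUENCE { OID, PrintableString } }."""
    return der(0x31, der(0x30, der(0x06, oid) + der(0x13, value.encode("ascii"))))


def x509_name(pairs) -> bytes:
    """X.501 Name: SEQUENCE of RDNs, in the order given."""
    return der(0x30, b"".join(rdn(oid, value) for oid, value in pairs))


def tls_certificate_authorities(names) -> bytes:
    """The certificate_authorities vector of a TLS 1.0-1.2 CertificateRequest
    (RFC 5246 section 7.4.4): 2-byte total length, then each DER Name behind a
    2-byte length. This is server-to-client data, i.e. what flow:to_client sees."""
    body = b"".join(len(n).to_bytes(2, "big") + n for n in names)
    return len(body).to_bytes(2, "big") + body


def rule_matches(payload: bytes) -> bool:
    """Emulate: content:CONTENT_1; content:CONTENT_2; distance:1; within:14;
    CONTENT_2 must lie entirely inside the WITHIN-byte window that begins DISTANCE
    bytes after the end of a CONTENT_1 hit. Like Snort, retry every CONTENT_1 hit."""
    start = 0
    while (p := payload.find(CONTENT_1, start)) >= 0:
        end_1 = p + len(CONTENT_1)
        window = payload[end_1 + DISTANCE : end_1 + DISTANCE + WITHIN]
        if CONTENT_2 in window:
            return True
        start = p + 1
    return False


# Constructed sample subjects (built here from strings in the paste, not captured bytes).
OPENSSL_DEFAULT = x509_name([(OID_C, "AU"), (OID_ST, "Some-State"),
                             (OID_O, "Internet Widgits Pty Ltd"), (OID_CN, "MobilePro-VQ")])
CORPORATE = x509_name([(OID_C, "US"), (OID_ST, "Connecticut"),
                       (OID_O, "Xerox Corporation"), (OID_CN, "gateway.websrvs.xerox.com")])
# Same state string, different organisation: the "1!0" tail hard-codes 0x21, the DER
# length of the "O=Internet Widgits Pty Ltd" RDN, so this one does not match.
SOME_STATE_OTHER_ORG = x509_name([(OID_ST, "Some-State"), (OID_O, "Acme")])


def main() -> None:
    cases = [
        ("OpenSSL default subject", OPENSSL_DEFAULT),
        ("corporate subject", CORPORATE),
        ("Some-State + non-default O", SOME_STATE_OTHER_ORG),
        ("CertificateRequest listing both", tls_certificate_authorities([CORPORATE, OPENSSL_DEFAULT])),
    ]
    for label, blob in cases:
        print(f"{label:35s} -> {'ALERT' if rule_matches(blob) else 'no match'}")


if __name__ == "__main__":
    main()
```

Run as a script it reports ALERT for the OpenSSL-default subject and for a CertificateRequest that merely lists such a name among acceptable CAs, and no match for the corporate subject, which is the pattern of hits described in the thread. A rule that keys on OpenSSL's default ST and O strings will fire on every default-generated self-signed certificate; tying the content to something specific to the malicious certificate (the full issuer name, serial number, or a key or fingerprint hash) avoids that.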

