[Snort-sigs] SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound

Joe Gedeon joe.gedeon at ...2420...
Mon Oct 13 13:52:12 EDT 2014


Joel,

Has there been any update for this? It looks to be triggering for any
newer self-signed cert along with the Xerox site mentioned.

On Fri, Oct 10, 2014 at 9:02 AM, Joel Esler (jesler) <jesler at ...3865...>
wrote:

> Thanks joe.  We'll have a look.
>
> --
> Joel Esler
> iPhone
>
> On Oct 10, 2014, at 08:52, Joe Gedeon <joe.gedeon at ...2420...> wrote:
>
> We are getting a number of hits for this with Xerox printers connecting
> out to "layer7-prod.idns.xerox.com". Looking at the reference URL in the
> signature we are trying to figure out if there is a match here. The cert
> does match what the signature is looking for, but the reference URL does
> not mention anything about SSL connections or certs. Could there be
> another reference URL that was used to write this rule?
>
> Line 88 of the cert paste is the matching line that the rule is triggering
> on. No other IOCs have been seen that match the reference URL.
>
> Rule:
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 08|"; content:"|0A|Some-State1!0"; within:14; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/8f98fce6c20dbbe8a156e5a5b671066ccd0db240140e81d69d1a7205457605cb/analysis/; classtype:trojan-activity; sid:32124; rev:1;)
>
>
> Cert:
> openssl s_client -connect 13.13.56.126:443
> CONNECTED(00000003)
> depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
> AddTrust External CA Root
> verify error:num=19:self signed certificate in certificate chain
> verify return:0
> ---
> Certificate chain
>  0 s:/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover
> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
> Corporation E-PKI Manager/OU=Unified Communications/CN=
> gateway.websrvs.xerox.com
>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> High-Assurance Secure Server CA
>  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> High-Assurance Secure Server CA
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
>  2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
> External CA Root
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> subject=/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover
> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
> Corporation E-PKI Manager/OU=Unified Communications/CN=
> gateway.websrvs.xerox.com
> issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> High-Assurance Secure Server CA
> ---
> Acceptable client certificate CA names
> /C=US/ST=Illinois/L=Chicago/O=BigMachines Inc. /OU=Operations/CN=
> bigmachines.self.xerox.com
> /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=MobilePro-VQ
> /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
> /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
> /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
> /CN=layer7-prod.idns.xerox.com
> /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
> /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
> /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
> liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification
> Authority (2048)
> /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=
> http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate
> Authority - G2
> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
> Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
> Certification Authority - G5
> /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
> liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
> Certification Authority
> /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by
> reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
> High-Assurance Secure Server CA
> /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification
> Authority
> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign,
> Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary
> Certification Authority - G3
> /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/CN=USERTrust Legacy
> Secure Server CA
> /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External
> CA Root
> /C=US/O=Xerox Corp./CN=Xerox Web Services CA
> /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006
> thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
> /C=US/O=Thawte, Inc./CN=Thawte SSL CA
> /C=US/ST=LOUISIANA/L=HAMMOND/O=BARRISTER GLOBAL SERVICES NETWORK,
> INC./OU=CLEARVIEW/OU=Terms of use at www.verisign.com/rpa (c)05/CN=
> PARTNERS.GLOBALSERVNET.COM
> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover
> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
> Corporation E-PKI Manager/OU=InstantSSL/CN=xyzzy.xerox.com
> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
> Certification Authority
> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover
> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
> Corporation E-PKI Manager/OU=PremiumSSL Wildcard/CN=*.services.xerox.com
> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
> Organization Validation Secure Server CA
> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover
> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
> Corporation E-PKI Manager/OU=InstantSSL/CN=infocareprod.eur.xerox.com
> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International
> Server CA - G3
> /C=US/O=Symantec Corporation/OU=Symantec Trust Network/OU=Persona Not
> Validated/CN=Symantec Class 1 Individual Subscriber CA - G4
> /C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover
> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
> Corporation E-PKI Manager/OU=Unified Communications/CN=
> gateway.websrvs.xerox.com
> ---
> SSL handshake has read 11302 bytes and written 567 bytes
> ---
> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
> Server public key is 2048 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> SSL-Session:
>     Protocol  : TLSv1.1
>     Cipher    : DHE-RSA-AES256-SHA
>     Session-ID:
> 5437C7EAED1FB9A47597AB4A3E9E953125EC90075253412053534C4A20202020
>     Session-ID-ctx:
>     Master-Key:
> E850153DA8C022FFFACA1459CBFF820B98369F907FF5D7409305B1AF75CB2F13966A4B7859989FBB7A9B0B16960E809C
>     Key-Arg   : None
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1412941720
>     Timeout   : 300 (sec)
>     Verify return code: 19 (self signed certificate in certificate chain)
> ---
> closed
> --
> Registered Linux User # 379282
>
>
>


-- 
Registered Linux User # 379282
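An added example (not from the thread, and not Snort's or the rule authors' code) that DER-encodes X.509 subject names and replays the two content matches of SID 32124 against them. It shows what the rule actually keys on: the stateOrProvinceName OID followed by the OpenSSL default "Some-State", then the SET header of an organizationName exactly 24 characters long, i.e. the default "Internet Widgits Pty Ltd". The Snort `distance:1; within:14;` pair is modeled here as a 14-byte window starting one byte after the OID match.

```python
# Constructed subject names, not the certificates from the thread.

def der_len(n: int) -> bytes:
    """DER length octets; short form below 128, one-byte long form below 256."""
    return bytes([n]) if n < 128 else b"\x81" + bytes([n])

def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

# Content octets of the id-at-* attribute type OIDs under 2.5.4
OID = {"C": b"\x55\x04\x06", "ST": b"\x55\x04\x08", "L": b"\x55\x04\x07",
       "O": b"\x55\x04\x0a", "CN": b"\x55\x04\x03"}

def encode_name(rdns) -> bytes:
    """Encode [(attr, value), ...] as an X.509 Name: SEQUENCE of SET of SEQUENCE."""
    out = b""
    for attr, value in rdns:
        # AttributeTypeAndValue: OID then PrintableString (tag 0x13)
        atv = der(0x30, der(0x06, OID[attr]) + der(0x13, value.encode("ascii")))
        out += der(0x31, atv)  # RelativeDistinguishedName is a SET
    return der(0x30, out)

def sid32124_matches(payload: bytes) -> bool:
    """Replay content:"|55 04 08|"; content:"|0A|Some-State1!0"; within:14; distance:1;"""
    first = b"\x55\x04\x08"          # OID 2.5.4.8 stateOrProvinceName
    second = b"\x0aSome-State1!0"    # len 10, "Some-State", then SET(0x21) SEQUENCE
    start = 0
    while True:
        i = payload.find(first, start)
        if i < 0:
            return False
        # distance:1 skips the PrintableString tag byte; within:14 bounds the window
        w = i + len(first) + 1
        if payload[w:w + 14].find(second) >= 0:
            return True
        start = i + 1

def openssl_default_subject() -> bytes:
    return encode_name([("C", "AU"), ("ST", "Some-State"),
                        ("O", "Internet Widgits Pty Ltd")])

def xerox_like_subject() -> bytes:
    return encode_name([("C", "US"), ("ST", "Connecticut"), ("L", "Norwalk"),
                        ("O", "Xerox Corporation"), ("CN", "gateway.websrvs.xerox.com")])

def some_state_other_org_subject() -> bytes:
    # Same default ST, but an O of a different length changes the SET header
    return encode_name([("C", "AU"), ("ST", "Some-State"), ("O", "Acme")])
```

The match on the default subject and the miss on the Connecticut subject show why the thread sees hits on the printer gateway's client-CA list entry `/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=MobilePro-VQ` rather than on the Xerox server certificate itself.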

