[Snort-sigs] SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound

Joel Esler (jesler) jesler at ...3865...
Mon Oct 13 14:00:50 EDT 2014


This rule has been deleted, Joe.

We’ll be revisiting this.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

> On Oct 13, 2014, at 1:52 PM, Joe Gedeon <joe.gedeon at ...2420...> wrote:
> 
> Joel,
> 
> Has there been any update for this?  It looks to be triggering for any newer self signed cert along with the xerox site mentioned.
> 
> On Fri, Oct 10, 2014 at 9:02 AM, Joel Esler (jesler) <jesler at ...3865...> wrote:
> Thanks Joe.  We'll have a look.
> 
> --
> Joel Esler
> iPhone
> 
> On Oct 10, 2014, at 08:52, Joe Gedeon <joe.gedeon at ...2420...> wrote:
> 
>> We are getting a number of hits for this with Xerox printers connecting out to "layer7-prod.idns.xerox.com".  Looking at the reference URL in the signature we are trying to figure out if there is a match here.  The cert does match what the signature is looking for, but the reference url does not mention anything about ssl connections or certs.  Could there be another reference url that was used to write this rule?   
>> 
>> Line 88 of the cert paste is the matching line that the rule is triggering on.  No other IOCs have been seen that match the reference URL.
>> 
>> Rule:
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 08|"; content:"|0A|Some-State1!0"; within:14; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/8f98fce6c20dbbe8a156e5a5b671066ccd0db240140e81d69d1a7205457605cb/analysis/; classtype:trojan-activity; sid:32124; rev:1;)
>> 
>> 
>> Cert:
>> openssl s_client -connect 13.13.56.126:443
>> CONNECTED(00000003)
>> depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> ---
>> Certificate chain
>>  0 s:/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=Unified Communications/CN=gateway.websrvs.xerox.com
>>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
>>  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
>>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>>  2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>> ---
>> Server certificate
>> subject=/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=Unified Communications/CN=gateway.websrvs.xerox.com
>> issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
>> ---
>> Acceptable client certificate CA names
>> /C=US/ST=Illinois/L=Chicago/O=BigMachines Inc. /OU=Operations/CN=bigmachines.self.xerox.com
>> /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=MobilePro-VQ
>> /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>> /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
>> /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
>> /CN=layer7-prod.idns.xerox.com
>> /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>> /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
>> /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
>> /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
>> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
>> /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
>> /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
>> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
>> /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
>> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary Certification Authority - G3
>> /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/CN=USERTrust Legacy Secure Server CA
>> /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>> /C=US/O=Xerox Corp./CN=Xerox Web Services CA
>> /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
>> /C=US/O=Thawte, Inc./CN=Thawte SSL CA
>> /C=US/ST=LOUISIANA/L=HAMMOND/O=BARRISTER GLOBAL SERVICES NETWORK, INC./OU=CLEARVIEW/OU=Terms of use at www.verisign.com/rpa (c)05/CN=PARTNERS.GLOBALSERVNET.COM
>> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=InstantSSL/CN=xyzzy.xerox.com
>> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
>> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=PremiumSSL Wildcard/CN=*.services.xerox.com
>> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
>> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=InstantSSL/CN=infocareprod.eur.xerox.com
>> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
>> /C=US/O=Symantec Corporation/OU=Symantec Trust Network/OU=Persona Not Validated/CN=Symantec Class 1 Individual Subscriber CA - G4
>> /C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=Unified Communications/CN=gateway.websrvs.xerox.com
>> ---
>> SSL handshake has read 11302 bytes and written 567 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1.1
>>     Cipher    : DHE-RSA-AES256-SHA
>>     Session-ID: 5437C7EAED1FB9A47597AB4A3E9E953125EC90075253412053534C4A20202020
>>     Session-ID-ctx:
>>     Master-Key: E850153DA8C022FFFACA1459CBFF820B98369F907FF5D7409305B1AF75CB2F13966A4B7859989FBB7A9B0B16960E809C
>>     Key-Arg   : None
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1412941720
>>     Timeout   : 300 (sec)
>>     Verify return code: 19 (self signed certificate in certificate chain)
>> ---
>> closed
>> -- 
>> Registered Linux User # 379282
> 
> 
> 
> -- 
> Registered Linux User # 379282
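The following is an added example (not code from this thread, from Talos, or from the Snort project) that DER-encodes X.501 subject names and mirrors the two content matches of SID 32124 quoted above, to show why the rule fires on the subject that `openssl req` fills in by default (the same ST/O pair as the MobilePro-VQ client-CA name in the paste) rather than on anything Upatre-specific. The OID constants are standard X.520 values; the sample subjects are constructed, not taken from the certificates in the thread.

```python
from typing import List, Tuple

# Attribute-type OIDs as they appear in DER (OBJECT IDENTIFIER contents).
OID_C = bytes.fromhex("550406")   # countryName          2.5.4.6
OID_ST = bytes.fromhex("550408")  # stateOrProvinceName  2.5.4.8 (the rule's first content)
OID_O = bytes.fromhex("55040a")   # organizationName     2.5.4.10

def der_len(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def encode_name(rdns: List[Tuple[bytes, str]]) -> bytes:
    """X.501 Name: SEQUENCE OF { SET OF { SEQUENCE { OID, PrintableString } } }."""
    sets = b""
    for oid, value in rdns:
        atv = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x13, value.encode("ascii")))
        sets += der_tlv(0x31, atv)
    return der_tlv(0x30, sets)

def rule_matches(der: bytes) -> bool:
    """Mirror of SID 32124's matches: content:'|55 04 08|'; content:'|0A|Some-State1!0';
    within:14; distance:1.  distance:1 skips the string tag byte after the ST OID;
    within:14 with a 14-byte pattern pins the second content right there.  The tail
    '1!0' is 31 21 30: SET and SEQUENCE headers of the *next* RDN with body length
    0x21 = 33, which is exactly the size of O=Internet Widgits Pty Ltd."""
    second = b"\x0aSome-State1!0"
    i = der.find(OID_ST)
    while i != -1:
        start = i + len(OID_ST) + 1                    # distance:1
        if der[start:start + 14].startswith(second):   # within:14
            return True
        i = der.find(OID_ST, i + 1)
    return False

# Constructed sample subjects (not taken from the certificates in the thread).
DEFAULT_SUBJECT = encode_name([(OID_C, "AU"), (OID_ST, "Some-State"),
                               (OID_O, "Internet Widgits Pty Ltd")])  # openssl req defaults
EDITED_SUBJECT = encode_name([(OID_C, "AU"), (OID_ST, "Some-State"),
                              (OID_O, "Example Pty Ltd")])  # same ST, non-default O

if __name__ == "__main__":
    print("openssl-default subject trips SID 32124:", rule_matches(DEFAULT_SUBJECT))  # True
    print("non-default O trips SID 32124:", rule_matches(EDITED_SUBJECT))             # False
```

When triaging a hit on this rule, the quick check is therefore whether the matched certificate's subject or client-CA list carries the OpenSSL default ST/O pair, which points to a default self-signed certificate rather than to the malware family named in the rule.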
