[Snort-sigs] SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound

Jamie Riden jamie.riden at ...2420...
Mon Oct 13 14:12:49 EDT 2014


[Sorry, hit Send too early last time, as the page was still loading
when I clicked on the text area]

"Some-State" is the default answer for openssl certs, and hence is
likely to cause FPs. For example:

Country Name (2 letter code) [AU]: GB
State or Province Name (full name) [Some-State]: Yorks
Locality Name (eg, city) []: York
Organization Name (eg, company) [Internet Widgits Pty Ltd]: MyCompany Ltd
Organizational Unit Name (eg, section) []: IT
Common Name (eg, YOUR name) []: mysubdomain.mydomain.com
Email Address []:

It is slightly worrying that it is in the list of acceptable client CA
names... from original post:

Acceptable client certificate CA names
..
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=MobilePro-VQ

cheers,
 Jamie

On 13 October 2014 19:00, Joel Esler (jesler) <jesler at ...3865...> wrote:
> This rule has been deleted Joe.
>
> We’ll be revisiting this.
>
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
>
> On Oct 13, 2014, at 1:52 PM, Joe Gedeon <joe.gedeon at ...2420...> wrote:
>
> Joel,
>
> Has there been any update for this?  It looks to be triggering for any newer
> self signed cert along with the xerox site mentioned.
>
> On Fri, Oct 10, 2014 at 9:02 AM, Joel Esler (jesler) <jesler at ...3865...>
> wrote:
>>
>> Thanks Joe.  We'll have a look.
>>
>> --
>> Joel Esler
>> iPhone
>>
>> On Oct 10, 2014, at 08:52, Joe Gedeon <joe.gedeon at ...2420...> wrote:
>>
>> We are getting a number of hits for this with Xerox printers connecting
>> out to "layer7-prod.idns.xerox.com".  Looking at the reference URL in the
>> signature we are trying to figure out if there is a match here.  The cert
>> does match what the signature is looking for, but the reference url does not
>> mention anything about ssl connections or certs.  Could there be another
>> reference url that was used to write this rule?
>>
>> Line 88 of the cert paste is the matching line that rule is triggering
>> on.  No other IOCs have been seen that match the reference url.
>>
>> Rule:
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST
>> Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established;
>> content:"|55 04 08|"; content:"|0A|Some-State1!0"; within:14; distance:1;
>> metadata:policy balanced-ips drop, policy security-ips drop, service ssl;
>> reference:url,www.virustotal.com/en/file/8f98fce6c20dbbe8a156e5a5b671066ccd0db240140e81d69d1a7205457605cb/analysis/;
>> classtype:trojan-activity; sid:32124; rev:1;)
>>
>>
>> Cert:
>> openssl s_client -connect 13.13.56.126:443
>> CONNECTED(00000003)
>> depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
>> AddTrust External CA Root
>> verify error:num=19:self signed certificate in certificate chain
>> verify return:0
>> ---
>> Certificate chain
>>  0 s:/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover
>> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
>> Corporation E-PKI Manager/OU=Unified
>> Communications/CN=gateway.websrvs.xerox.com
>>    i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
>> High-Assurance Secure Server CA
>>  1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
>> High-Assurance Secure Server CA
>>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
>> External CA Root
>>  2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
>> External CA Root
>>    i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
>> External CA Root
>> ---
>> Server certificate
>> subject=/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover
>> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
>> Corporation E-PKI Manager/OU=Unified
>> Communications/CN=gateway.websrvs.xerox.com
>> issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
>> High-Assurance Secure Server CA
>> ---
>> Acceptable client certificate CA names
>> /C=US/ST=Illinois/L=Chicago/O=BigMachines Inc.
>> /OU=Operations/CN=bigmachines.self.xerox.com
>> /C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=MobilePro-VQ
>> /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
>> /C=US/O=GeoTrust, Inc./CN=RapidSSL CA
>> /C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
>> /CN=layer7-prod.idns.xerox.com
>> /C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
>> /C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
>> /O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
>> liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification
>> Authority (2048)
>> /C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com,
>> Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate
>> Authority - G2
>> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign,
>> Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary
>> Certification Authority - G5
>> /C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
>> liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
>> Certification Authority
>> /C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by
>> reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
>> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
>> High-Assurance Secure Server CA
>> /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification
>> Authority
>> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign,
>> Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary
>> Certification Authority - G3
>> /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/CN=USERTrust Legacy
>> Secure Server CA
>> /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External
>> CA Root
>> /C=US/O=Xerox Corp./CN=Xerox Web Services CA
>> /C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006
>> thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
>> /C=US/O=Thawte, Inc./CN=Thawte SSL CA
>> /C=US/ST=LOUISIANA/L=HAMMOND/O=BARRISTER GLOBAL SERVICES NETWORK,
>> INC./OU=CLEARVIEW/OU=Terms of use at www.verisign.com/rpa
>> (c)05/CN=PARTNERS.GLOBALSERVNET.COM
>> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover
>> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
>> Corporation E-PKI Manager/OU=InstantSSL/CN=xyzzy.xerox.com
>> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
>> Certification Authority
>> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover
>> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
>> Corporation E-PKI Manager/OU=PremiumSSL Wildcard/CN=*.services.xerox.com
>> /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
>> Organization Validation Secure Server CA
>> /C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover
>> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
>> Corporation E-PKI Manager/OU=InstantSSL/CN=infocareprod.eur.xerox.com
>> /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
>> https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server
>> CA - G3
>> /C=US/O=Symantec Corporation/OU=Symantec Trust Network/OU=Persona Not
>> Validated/CN=Symantec Class 1 Individual Subscriber CA - G4
>> /C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover
>> Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
>> Corporation E-PKI Manager/OU=Unified
>> Communications/CN=gateway.websrvs.xerox.com
>> ---
>> SSL handshake has read 11302 bytes and written 567 bytes
>> ---
>> New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
>> Server public key is 2048 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> SSL-Session:
>>     Protocol  : TLSv1.1
>>     Cipher    : DHE-RSA-AES256-SHA
>>     Session-ID:
>> 5437C7EAED1FB9A47597AB4A3E9E953125EC90075253412053534C4A20202020
>>     Session-ID-ctx:
>>     Master-Key:
>> E850153DA8C022FFFACA1459CBFF820B98369F907FF5D7409305B1AF75CB2F13966A4B7859989FBB7A9B0B16960E809C
>>     Key-Arg   : None
>>     PSK identity: None
>>     PSK identity hint: None
>>     SRP username: None
>>     Start Time: 1412941720
>>     Timeout   : 300 (sec)
>>     Verify return code: 19 (self signed certificate in certificate chain)
>> ---
>> closed
>> --
>> Registered Linux User # 379282
>>
>>
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs at lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>>
>>
>> Please visit http://blog.snort.org for the latest news about Snort!
>
>
>
>
> --
> Registered Linux User # 379282
>
>
>



-- 
Jamie Riden / jamie at ...3509... / jamie.riden at ...2420...
http://uk.linkedin.com/in/jamieriden
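To make the false-positive argument above concrete, here is an added example (not from the thread or from Talos) that builds DER-encoded X.509 subject names with the standard library and applies SID 32124's byte-level match (`content:"|55 04 08|"` then `content:"|0A|Some-State1!0"; within:14; distance:1;`) to them. The three subjects are constructed; the point it shows is that `1!0` is the DER `SET` header (0x31, length 0x21, 0x30) of the 33-byte RDN produced by the default `O=Internet Widgits Pty Ltd`, so any certificate whose owner accepted both OpenSSL defaults for ST and O matches, regardless of C or CN.

```python
# Added example: minimal DER Name encoder plus a re-implementation of the
# Snort content/distance/within logic of SID 32124. All subjects are constructed.

OID_C, OID_ST = b"\x55\x04\x06", b"\x55\x04\x08"   # 2.5.4.6 countryName, 2.5.4.8 stateOrProvinceName
OID_O, OID_CN = b"\x55\x04\x0a", b"\x55\x04\x03"   # 2.5.4.10 organizationName, 2.5.4.3 commonName

def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV; every value here is < 128 bytes, so short-form length suffices."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def name(rdns) -> bytes:
    """Encode [(oid, value)] as an X.509 Name: SEQUENCE of SET of SEQUENCE {OID, PrintableString}."""
    out = b""
    for oid, value in rdns:
        attr = der(0x30, der(0x06, oid) + der(0x13, value.encode("ascii")))
        out += der(0x31, attr)          # one-attribute RelativeDistinguishedName
    return der(0x30, out)

def sid32124_matches(data: bytes) -> bool:
    """Snort semantics: first content anywhere; second content must begin exactly
    distance:1 after the first match ends (that skips the string tag byte, so
    PrintableString vs UTF8String does not matter) and lie within:14 bytes, which for a
    14-byte needle means it must start right there."""
    needle2 = b"\x0aSome-State1!0"
    start = 0
    while True:
        i = data.find(OID_ST, start)
        if i < 0:
            return False
        win_start = i + len(OID_ST) + 1
        if data[win_start:win_start + 14].startswith(needle2):
            return True
        start = i + 1

# Every OpenSSL prompt accepted as-is (L empty, so ST is followed directly by O);
# the CN is the one quoted from the Xerox server's client-CA list.
DEFAULT_SUBJECT = name([(OID_C, "AU"), (OID_ST, "Some-State"),
                        (OID_O, "Internet Widgits Pty Ltd"), (OID_CN, "MobilePro-VQ")])
# Jamie's filled-in answers: ST is no longer "Some-State", so the rule cannot fire.
CUSTOM_SUBJECT = name([(OID_C, "GB"), (OID_ST, "Yorks"),
                       (OID_O, "MyCompany Ltd"), (OID_CN, "mysubdomain.mydomain.com")])
# Default ST kept but a non-default O: the following SET length is not 0x21 ('!').
PARTIAL_SUBJECT = name([(OID_C, "AU"), (OID_ST, "Some-State"), (OID_O, "Acme"), (OID_CN, "x")])

if __name__ == "__main__":
    for label, subj in [("default", DEFAULT_SUBJECT), ("custom", CUSTOM_SUBJECT), ("partial", PARTIAL_SUBJECT)]:
        print(f"{label:8s} matches SID 32124: {sid32124_matches(subj)}")
```

Only the default-everything subject fires, which is why the rule hits any self-signed certificate generated with unchanged OpenSSL prompts rather than anything specific to Upatre.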



