Re: Need help to identify issue on BOTNET-CNC Trojan.Bankpatch.C authentication

[waldo kitty <wkitty42 () windstream net>]

On 11/22/2012 05:31, babu dheen wrote:
> Dear Waldo,
> Thanks for the update. I would surely run the pcap on the destination server and
> get to know what exactly is the http request?

if you have windows, you could use wireshark to look at the pcap manually which 
is what i was intending to say...

> But would like to know what is the impact of this alert or if you can give me
> security advisory of this event, will be helpful to resolve the issue once
> identified.

the advisory is in the rule... i didn't post it so as to give you a chance to 
find it on your system and dig out the info you need/want to know... you recall 
that old saying about teaching a man to fish? ;)

C:\snort>grep -i -E "sid:\W*21416" 2931\rules\*.rules
2931\rules\malware-cnc.rules:# alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"MALWARE-CNC Trojan.Bankpatch.C authentication string 
detected"; flow:established,to_server; content:"POST"; http_method; 
content:"/index.php"; http_uri; content:"MDAwMDAwMDAwMDAwMDAwMDAwMTA"; 
http_client_body; metadata:policy security-ips drop, service http; 
reference:url,www.threatexpert.com/threats/trojan-bankpatch-c.html; 
classtype:trojan-activity; sid:21416; rev:4;)


> Regards
> Babudheen
>
> *From:* waldo kitty <wkitty42 () windstream net>
> *To:* snort-users () lists sourceforge net
> *Sent:* Wednesday, 21 November 2012 8:28 PM
> *Subject:* Re: [Snort-users] Need help to identify issue on BOTNET-CNC
> Trojan.Bankpatch.C authentication
>
> On 11/21/2012 07:59, babu dheen wrote:
> >  Dear Support,
> >  We have enabled Snort IPS between two unix machine and once enabled, we are
> >  seeing below events continously. We would like to know what does mean by below
> >  event and how can we solve the same.
> >  Name : "BOTNET-CNC Trojan.Bankpatch.C authentication String detected"
> >  Source IP : Solaris Server IP
> >  Destination IP : Solaris Server IP
> >  Destination Port : 80
>
> as far as i can tell, that would be rule 1:21416 right? please always try to
> include the GID:SID in posts like this...
>
> looking specifically for 1:21416 i see that VRT have it listed as disabled since
> at least 2012 Feb 21... that means that it should be available in the registered
> access rules set (latest is 2012 Oct 18) but i do not find it in the BOTNET-CNC
> rules as your message shows... instead, i find it in malware-cnc...
>
> since this is a GID 1 rule, it is easy to look at the rule to see what it is
> looking for... in this particular case, it is a http POST to /index.php with the
> string "MDAw" repeated 6 times with one more "MDA" on the end... you really
> should look at the pcaps for those alerts... you might want to use tcpdump to
> capture all the traffic so yo can see what's really going on...
>
>
> to find rules hint: grep -i -E "sid:\W*21416;" /path/to/your/rules/*.rules
>
> 21416 is the rule's SID you are looking for... i have the above as a bash shell
> script named lookuprule that you and others might find usable ;)
>
>
> #! /bin/bash
> # lookuprule bash script to find snort rules by sid
> grep -i -E "sid:\W*$1;" /path/to/your/rules/*.rules



------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!