Snort mailing list archives

SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound

From: Joe Gedeon <joe.gedeon () gmail com>
Date: Fri, 10 Oct 2014 08:47:32 -0400

We are getting a number of hits for this with Xerox printers connecting out
to "layer7-prod.idns.xerox.com".  Looking at the reference URL in the
signature we are trying to figure out if there is a match here.  The cert
does match what the signature is looking for, but the reference url does
not mention anything about ssl connections or certs.  Could there be
another reference url that was used to write this rule?

Line 88 of the cert paste is the matching line that rule is triggering
one.  No other IOC's have been seen that match the reference url.

Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST
Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established;
content:"|55 04 08|"; content:"|0A|Some-State1!0"; within:14; distance:1;
metadata:policy balanced-ips drop, policy security-ips drop, service ssl;
reference:url,
www.virustotal.com/en/file/8f98fce6c20dbbe8a156e5a5b671066ccd0db240140e81d69d1a7205457605cb/analysis/;
classtype:trojan-activity; sid:32124; rev:1;)


Cert:
openssl s_client -connect 13.13.56.126:443
CONNECTED(00000003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN =
AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover
Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
Corporation E-PKI Manager/OU=Unified Communications/CN=
gateway.websrvs.xerox.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
High-Assurance Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
High-Assurance Secure Server CA
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust
External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIMEjCCCvqgAwIBAgIQUkZPlDqIksH99dsBjAAKqDANBgkqhkiG9w0BAQUFADCB
iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV
BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTE0
MDUwOTAwMDAwMFoXDTE1MDUwOTIzNTk1OVowggEXMQswCQYDVQQGEwJVUzEOMAwG
A1UEERMFMDY4NTAxFDASBgNVBAgTC0Nvbm5lY3RpY3V0MRAwDgYDVQQHEwdOb3J3
YWxrMRkwFwYDVQQJExA0NSBHbG92ZXIgQXZlbnVlMRowGAYDVQQKExFYZXJveCBD
b3Jwb3JhdGlvbjEbMBkGA1UECxMSV29ybGQgSGVhZHF1YXJ0ZXJzMTcwNQYDVQQL
Ey5Jc3N1ZWQgdGhyb3VnaCBYZXJveCBDb3Jwb3JhdGlvbiBFLVBLSSBNYW5hZ2Vy
MR8wHQYDVQQLExZVbmlmaWVkIENvbW11bmljYXRpb25zMSIwIAYDVQQDExlnYXRl
d2F5LndlYnNydnMueGVyb3guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA55X7kBDiOXYuZzoUGiWUv6MLdWDQv1jUPjh+9nP1EEPcmaiTviZGzDjR
sSBcaZ7s/dAHpuaGk6cYq/yj4T0x65ctfaxXawTXeAtb+5c89vzur2K8hLdl14Xc
bjxVHWD0eybuNPdyGuOGURaGuuA0IWSQlWI7eGvMqZyE6Jks76DMXsZ/VAg/ewtZ
AqYLnFVXB8kxCY7xaChun65xDEzVrpV87zJgHX+TTupal0rhIsS1/2dxj6qFVLrV
xal5Ba9OKKzCX4EZNlD1IYctjcXZyf1oOXPbdLWJLRsuKTAZ+pViLLINF6Wcs8zv
4BbwKiviO3aTVyR/QJ5Z5Oq2JHi7BwIDAQABo4IH4zCCB98wHwYDVR0jBBgwFoAU
P9W10NZEeVBKF6ObjErcuLAiZGswHQYDVR0OBBYEFJBATBPDLWyHubszz5WAS7YC
8/NwMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjBQBgNVHSAESTBHMDsGDCsGAQQBsjEBAgEDBDArMCkG
CCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZngQwB
AgIwTwYDVR0fBEgwRjBEoEKgQIY+aHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09N
T0RPSGlnaC1Bc3N1cmFuY2VTZWN1cmVTZXJ2ZXJDQS5jcmwwgYAGCCsGAQUFBwEB
BHQwcjBKBggrBgEFBQcwAoY+aHR0cDovL2NydC5jb21vZG9jYS5jb20vQ09NT0RP
SGlnaC1Bc3N1cmFuY2VTZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTCCBjgGA1UdEQSCBi8wggYrghlnYXRld2F5
LndlYnNydnMueGVyb3guY29tgiBnYXRlc3RhZ2UtdGVzdC53ZWJzcnZzLnhlcm94
LmNvbYIbZ2F0ZXN0YWdlLndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UwMS53
ZWJzcnZzLnhlcm94LmNvbYIdZ2F0ZXN0YWdlMDIud2Vic3J2cy54ZXJveC5jb22C
HWdhdGVzdGFnZTAzLndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UwNC53ZWJz
cnZzLnhlcm94LmNvbYIdZ2F0ZXN0YWdlMDUud2Vic3J2cy54ZXJveC5jb22CHWdh
dGVzdGFnZTA2LndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UwNy53ZWJzcnZz
Lnhlcm94LmNvbYIdZ2F0ZXN0YWdlMDgud2Vic3J2cy54ZXJveC5jb22CHWdhdGVz
dGFnZTA5LndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UxMC53ZWJzcnZzLnhl
cm94LmNvbYIeZ2F0ZXdheS10ZXN0LndlYnNydnMueGVyb3guY29tghtnYXRld2F5
MDEud2Vic3J2cy54ZXJveC5jb22CG2dhdGV3YXkwMi53ZWJzcnZzLnhlcm94LmNv
bYIbZ2F0ZXdheTAzLndlYnNydnMueGVyb3guY29tghtnYXRld2F5MDQud2Vic3J2
cy54ZXJveC5jb22CG2dhdGV3YXkwNS53ZWJzcnZzLnhlcm94LmNvbYIbZ2F0ZXdh
eTA2LndlYnNydnMueGVyb3guY29tghtnYXRld2F5MDcud2Vic3J2cy54ZXJveC5j
b22CG2dhdGV3YXkwOC53ZWJzcnZzLnhlcm94LmNvbYIbZ2F0ZXdheTA5LndlYnNy
dnMueGVyb3guY29tghtnYXRld2F5MTAud2Vic3J2cy54ZXJveC5jb22CIG1kdC1z
dGFnZS10ZXN0LnN1cHBvcnQueGVyb3guY29tghttZHQtc3RhZ2Uuc3VwcG9ydC54
ZXJveC5jb22CGm1kdC10ZXN0LnN1cHBvcnQueGVyb3guY29tghVtZHQuc3VwcG9y
dC54ZXJveC5jb22CG3JlbXNlcnYwMC5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2Vy
djAxLnN1cHBvcnQueGVyb3guY29tghtyZW1zZXJ2MDIuc3VwcG9ydC54ZXJveC5j
b22CG3JlbXNlcnYwMy5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2VydjA0LnN1cHBv
cnQueGVyb3guY29tghtyZW1zZXJ2MDUuc3VwcG9ydC54ZXJveC5jb22CG3JlbXNl
cnYwNi5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2VydjA3LnN1cHBvcnQueGVyb3gu
Y29tghtyZW1zZXJ2MDguc3VwcG9ydC54ZXJveC5jb22CG3JlbXNlcnYwOS5zdXBw
b3J0Lnhlcm94LmNvbYIbcmVtc2VydjEwLnN1cHBvcnQueGVyb3guY29tghtyZW1z
ZXJ2MTEuc3VwcG9ydC54ZXJveC5jb22CG3JlbXNlcnYxMi5zdXBwb3J0Lnhlcm94
LmNvbYIbcmVtc2VydjEzLnN1cHBvcnQueGVyb3guY29tghtyZW1zZXJ2MTQuc3Vw
cG9ydC54ZXJveC5jb22CG3JlbXNlcnYxNS5zdXBwb3J0Lnhlcm94LmNvbYIbcmVt
c2VydjE2LnN1cHBvcnQueGVyb3guY29tghtyZW1zZXJ2MTcuc3VwcG9ydC54ZXJv
eC5jb22CG3JlbXNlcnYxOC5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2VydjE5LnN1
cHBvcnQueGVyb3guY29tgiBzdXMtc3RhZ2UtdGVzdC5zdXBwb3J0Lnhlcm94LmNv
bYIbc3VzLXN0YWdlLnN1cHBvcnQueGVyb3guY29tghpzdXMtdGVzdC5zdXBwb3J0
Lnhlcm94LmNvbYIVc3VzLnN1cHBvcnQueGVyb3guY29tght3d3cucGF3cy5leHRl
cm5hbC54ZXJveC5jb22CEnd3dy5wYXdzLnhlcm94LmNvbTANBgkqhkiG9w0BAQUF
AAOCAQEAqm/9jwwwtyzUdPlVIDiLQa6808++cNoA3EOOGJR4FibpY22hmBHrWpY0
Ls1RUbcDPWn8wLNl/pS820LFdIX7I231+tr9YxMYVx9DdqhrAeBWy8VB+7+LvgOI
FK5OE93aq+LJhqhK0wJb0a2jIbUtm8klvFR+efr6kHWAone+XoMcPHX00tjwpG/+
jadBIHCg/bzNq1z5dsBbtmY/AkewIAex276RR2KoVIIUD8ejIlf1wV5Lt7YXPmf6
/WHnWjHmVQF1wYaqAPhc8X8FGgmZCcCksTIWJmBNMXurHfuljjYPFKfYNFmdE3u7
FlP+5YmXqVYEYcrt99+I1zhoWsfzIQ==
-----END CERTIFICATE-----
subject=/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover
Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
Corporation E-PKI Manager/OU=Unified Communications/CN=
gateway.websrvs.xerox.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
High-Assurance Secure Server CA
---
Acceptable client certificate CA names
/C=US/ST=Illinois/L=Chicago/O=BigMachines Inc. /OU=Operations/CN=
bigmachines.self.xerox.com
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=MobilePro-VQ
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
/CN=layer7-prod.idns.xerox.com
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification
Authority (2048)
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=
http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate
Authority - G2
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc.
- For authorized use only/CN=VeriSign Class 3 Public Primary Certification
Authority - G5
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits
liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server
Certification Authority
/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by
reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO
High-Assurance Secure Server CA
/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc.
- For authorized use only/CN=VeriSign Class 1 Public Primary Certification
Authority - G3
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/CN=USERTrust Legacy
Secure Server CA
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External
CA Root
/C=US/O=Xerox Corp./CN=Xerox Web Services CA
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte,
Inc. - For authorized use only/CN=thawte Primary Root CA
/C=US/O=Thawte, Inc./CN=Thawte SSL CA
/C=US/ST=LOUISIANA/L=HAMMOND/O=BARRISTER GLOBAL SERVICES NETWORK,
INC./OU=CLEARVIEW/OU=Terms of use at www.verisign.com/rpa (c)05/CN=
PARTNERS.GLOBALSERVNET.COM
/C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover
Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
Corporation E-PKI Manager/OU=InstantSSL/CN=xyzzy.xerox.com
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Certification Authority
/C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover
Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
Corporation E-PKI Manager/OU=PremiumSSL Wildcard/CN=*.services.xerox.com
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA
Organization Validation Secure Server CA
/C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover
Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
Corporation E-PKI Manager/OU=InstantSSL/CN=infocareprod.eur.xerox.com
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at
https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server
CA - G3
/C=US/O=Symantec Corporation/OU=Symantec Trust Network/OU=Persona Not
Validated/CN=Symantec Class 1 Individual Subscriber CA - G4
/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover
Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox
Corporation E-PKI Manager/OU=Unified Communications/CN=
gateway.websrvs.xerox.com
---
SSL handshake has read 11302 bytes and written 567 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID:
5437C7EAED1FB9A47597AB4A3E9E953125EC90075253412053534C4A20202020
    Session-ID-ctx:
    Master-Key:
E850153DA8C022FFFACA1459CBFF820B98369F907FF5D7409305B1AF75CB2F13966A4B7859989FBB7A9B0B16960E809C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1412941720
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed
-- 
Registered Linux User # 379282

------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread:

SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound Joe Gedeon (Oct 10)
- Re: SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound Joel Esler (jesler) (Oct 10)
  - Re: SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound Joe Gedeon (Oct 10)
  - Re: SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound Joe Gedeon (Oct 13)
    - Re: SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound Joel Esler (jesler) (Oct 13)
    - Re: SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound Jamie Riden (Oct 13)