Snort mailing list archives

Signatures detecting PHP backdoor traffic


From: Bart Broere <mail () bartbroere eu>
Date: Sun, 31 Dec 2023 15:10:49 +0100

Hi fellow Snort Sigs subscribers,

This is my first submission here, so I hope this is the right place to
contribute new signatures.

This week I analyzed a PHP malware sample that was installed on a
WordPress host.
It functioned as a backdoor, allowing attackers to execute code on the host.
Some of the functionality of the malware is that it responds with the
MD5 hash of 47712 (6a59bb58c6c03d5103d44f3b7e5ebf07) when the GET
parameter 47712 or 673435 is supplied.
That behaviour can be converted to Snort rules:

# Request side: the method lives in the http_method buffer, not in http_uri,
# so "GET /" cannot be matched there; the query string is part of http_uri.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
    (msg:"SERVER-WEBAPP PHP backdoor check of successful installation using GET parameter 47712"; \
    flow:to_server,established; content:"GET"; http_method; content:"47712="; http_uri; \
    classtype:web-application-activity; \
    reference:url,bartbroere.eu/2023/12/31/php-backdoor-malware/; \
    sid:1000001;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS \
    (msg:"SERVER-WEBAPP PHP backdoor check of successful installation using GET parameter 673435"; \
    flow:to_server,established; content:"GET"; http_method; content:"673435="; http_uri; \
    classtype:web-application-activity; \
    reference:url,bartbroere.eu/2023/12/31/php-backdoor-malware/; \
    sid:1000002;)

# Response side: http_client_body is the request body and never matches a server
# reply; file_data selects the (decompressed) HTTP response body instead.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any \
    (msg:"SERVER-WEBAPP Indication of a successful PHP backdoor check, server responds with 6a59bb58c6c03d5103d44f3b7e5ebf07"; \
    flow:to_client,established; \
    file_data; content:"6a59bb58c6c03d5103d44f3b7e5ebf07"; \
    reference:url,bartbroere.eu/2023/12/31/php-backdoor-malware/; \
    sid:1000003;)

There's some potential for false positives with these rules, but not a
lot. Numeric GET keys and an MD5 hash of an integer are already
slightly suspect. The detection could also benefit from dynamic rules
probably, where hitting rule 1 or 2 would be a requirement for rule 3
to raise an alert. Unless I'm mistaken, the community ruleset does not
yet include any dynamic rules. Let me know if it's possible to use
mechanisms like activates/activated_by, and I'll happily convert them.

I published a full write-up on the malware here:
https://bartbroere.eu/2023/12/31/php-backdoor-malware/
This page also has references to earlier research. I'm especially
thankful for all the samples collected by Bruce Ediger.

I don't have any packet captures of this happening, but I could
generate them by running the malware in a sandbox.

Let me know if you have any questions or remarks, and whether these
rules can be contributed to the Community Rules.

Best regards,
Bart Broere
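As an added illustration, not part of Bart's post or of the Snort rules above, the following Python models the activates/activated_by correlation the post asks about: the response-side hash match raises an alert only if one of the two request-side checks was seen on the same client/server pair within a window. The hash, GET keys and sids are the post's; the 60-second window, the addresses and the traffic lines are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

# Keys, sids and hash come from the rules above; the window and traffic are constructed.
CHECK_PARAMS = {"47712": 1000001, "673435": 1000002}  # GET key -> request-side sid
CHECK_RESPONSE = "6a59bb58c6c03d5103d44f3b7e5ebf07"  # MD5 of 47712 per the post
WINDOW = 60.0  # seconds a request hit stays armed (assumed value)

def request_hit(request_line):
    """Return the request-side sid if the GET query has a check key, else None.
    Parsing the query is stricter than content:"47712=", which also hits "x47712="."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0] != "GET":
        return None
    for key in parse_qs(urlsplit(parts[1]).query, keep_blank_values=True):
        if key in CHECK_PARAMS:
            return CHECK_PARAMS[key]
    return None

class BackdoorCheckCorrelator:
    """Models activates/activated_by: sid 1000003 fires only when a request hit
    was seen on the same (client, server) pair within the window."""
    def __init__(self, window=WINDOW):
        self.window, self.armed = window, {}  # armed: (client, server) -> (ts, sid)
    def on_request(self, ts, client, server, request_line):
        sid = request_hit(request_line)
        if sid is None:
            return None
        self.armed[(client, server)] = (ts, sid)
        return {"sid": sid, "client": client}
    def on_response(self, ts, client, server, body):
        if CHECK_RESPONSE not in body:
            return None
        hit = self.armed.pop((client, server), None)
        if hit is None or ts - hit[0] > self.window:
            return None  # hash seen without a recent check request: suppressed
        return {"sid": 1000003, "activated_by": hit[1], "client": client}

SAMPLE_TRAFFIC = [  # constructed: (timestamp, kind, client, server, payload)
    (0.0, "req", "203.0.113.7", "192.0.2.10", "GET /wp-content/uploads/a.php?47712=1 HTTP/1.1"),
    (0.2, "resp", "203.0.113.7", "192.0.2.10", CHECK_RESPONSE),
    (5.0, "req", "198.51.100.3", "192.0.2.10", "GET /index.php?p=47712 HTTP/1.1"),  # value, not key
    (9.0, "resp", "198.51.100.3", "192.0.2.10", "<p>" + CHECK_RESPONSE + "</p>"),  # no prior check
    (20.0, "req", "203.0.113.7", "192.0.2.10", "GET /a.php?673435= HTTP/1.1"),
    (100.0, "resp", "203.0.113.7", "192.0.2.10", CHECK_RESPONSE),  # 80 s later: outside window
]
def run(events, window=WINDOW):
    """Replay events through the correlator and return the alerts raised, in order."""
    corr = BackdoorCheckCorrelator(window)
    handlers = {"req": corr.on_request, "resp": corr.on_response}
    return [a for a in (handlers[k](ts, c, s, p) for ts, k, c, s, p in events) if a]
```

Replaying the sample yields three alerts (1000001, then 1000003 activated by it, then 1000002); the hash in the unrelated reply and the reply outside the window are suppressed, which is the false-positive reduction the post is after.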
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs