
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] SIGS: Dridex Macro Docs in Emails
From:       Darien Huss <dhuss () emergingthreats ! net>
Date:       2015-04-24 14:21:20
Message-ID: CAKcCgkVWfnwNKm4wxTjQG6M-wVdX03DRU_GZPe+KDNfGVhtjdg () mail ! gmail ! com

Thanks for these Kevin,

These look like they will work from my limited testing, but I believe we
need to add some additional rules. I'll go into some detail here as we
already have multiple rules using this methodology and so hopefully it will
prove useful to others in the future should they come across those and are
not sure what is being matched! :)

Positioning of data in base64 encoded streams has an effect on the
resulting encoded data. Take for instance if we had some malicious text
that we wanted to match: "testtest". If we wanted to figure out the longest
string match to throw into an IDS rule we could do something like this:

$ echo testtest | base64
dGVzdHRlc3QK
$ echo testtest123 | base64
dGVzdHRlc3QxMjMK
$ echo testtestZ23 | base64
dGVzdHRlc3RaMjMK

So just eyeballing those results we come up with content:"dGVzdHRlc3";.
The catch here is that this will only work if the remainder of position
divided by three is constant across all possible "testtest" positions.
"testtest" at the beginning of a buffer would be at position zero, so we
have: 0 % 3 = 0. Another position where this content match would work is at
three, 3 % 3 = 0. Let's test it:

$ echo 123testtest | base64
MTIz*dGVzdHRlc3*QK

What if we have "testtest" at a position % 3 = 1 or 2? (I added some filler
text at the end):

1 % 3 = 1:
$ echo 1testtest00000 | base64
MX*Rlc3R0ZXN0*MDAwMDAK
$ echo 'Ztesttest*$(#@' | base64
Wn*Rlc3R0ZXN0*KiQoI0AK
$ echo atesttestjfjkd | base64
YX*Rlc3R0ZXN0*amZqa2QK

2 % 3 = 1:
$ echo 11testtest00000 | base64
MTF*0ZXN0dGVzd*DAwMDAwCg==
$ echo aatesttestjfjkd | base64
YWF*0ZXN0dGVzd*GpmamtkCg==
$ echo 'ZZtesttest*$(#@' | base64
Wlp*0ZXN0dGVzd*CokKCNACg==

These are obviously small, limited tests, so if we script this up I think
it should look something like this (maybe there is a better way but this
works for me):

----------------
import os, base64, difflib

string_to_encode = b'testtest'  # put your string here (bytes, so it can be joined with os.urandom())

def b64(encode):
    # encode and return text so difflib and print can work on it
    return base64.b64encode(encode).decode('ascii')

def longest(a, b):
    # longest common substring of two encodings
    match = difflib.SequenceMatcher(None, a, b)
    m = match.find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a+m.size]

# 3, 4 and 5 random prefix bytes place the string at position 0, 1 and 2 (mod 3)
for t in [3, 4, 5]:
    init_string1 = b64(os.urandom(t) + string_to_encode + os.urandom(6))  # initialize first string
    for i in range(100):
        init_string2 = b64(os.urandom(t) + string_to_encode + os.urandom(6))
        init_string1 = longest(init_string1, init_string2)
    print('content:"' + init_string1 + '";')
----------------

$ python convert_string_b64_representations.py
content:"dGVzdHRlc3";
content:"Rlc3R0ZXN0";
content:"0ZXN0dGVzd";

Hopefully all that makes sense and is helpful to someone!

Cheers,
Darien
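An added example (my code, not Darien's script or Kevin's rules) that derives the three alignment variants exactly instead of sampling random context: prepend 0, 1 or 2 throw-away bytes, encode, and trim the characters that also encode a neighbouring byte. Run against the two strings from the quoted rules, it shows that the "InternetOpen" content is the complete offset-0 form, while the "wininet.dll" content is one character longer than the part fixed by the string itself (its last character also depends on the byte that follows); the rule strings come from the quoted post, all other input is constructed.

```python
import base64
import os

# Leading base64 characters that mix in the unknown bytes before the string
# when it starts at byte position k (mod 3): k=1 drops c0,c1; k=2 drops c0,c1,c2.
LEADING_DROP = {0: 0, 1: 2, 2: 3}


def stable_b64(s, offset):
    """Base64 characters of s that are the same whatever surrounds it, given
    that s starts at a byte position congruent to offset (mod 3)."""
    data = s.encode() if isinstance(s, str) else s
    # Prepend `offset` throw-away bytes so the 3-byte grouping matches the real
    # alignment; their value is irrelevant because the chars they touch are dropped.
    enc = base64.b64encode(b"\x00" * offset + data).decode("ascii").rstrip("=")
    # An incomplete final 3-byte group ends in one char that also encodes bits of
    # the next (unknown) byte, so trim it; a complete group needs no trimming.
    trailing_drop = 1 if (offset + len(data)) % 3 else 0
    return enc[LEADING_DROP[offset]:len(enc) - trailing_drop]


def all_variants(s):
    """The three content matches needed to cover every alignment."""
    return [stable_b64(s, k) for k in range(3)]


def content_rules(s):
    return ['content:"%s";' % v for v in all_variants(s)]


def covered_by_random_context(s, trials=200):
    """Sanity check: each variant is found in the encoding of the string embedded
    in random data at the matching alignment (constructed data, not real traffic)."""
    data = s.encode() if isinstance(s, str) else s
    for _ in range(trials):
        for k in range(3):
            prefix = os.urandom(k + 3 * (os.urandom(1)[0] % 4))  # length == k (mod 3)
            blob = base64.b64encode(prefix + data + os.urandom(8)).decode("ascii")
            if stable_b64(data, k) not in blob:
                return False
    return True


if __name__ == "__main__":
    for needle in ("testtest", "InternetOpen", "wininet.dll"):
        print(needle, content_rules(needle))
```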

On Fri, Apr 24, 2015 at 7:43 AM, Kevin Ross <kevross33@googlemail.com>
wrote:

> These seem to be capable of detecting the Dridex Macros in emails as they
> have fired for me. Hopefully it will be able to find others too not
> specifically Dridex.
>
> alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Email
> Contains InternetOpen WinInet API Call - Potentially Dridex MalDoc";
> flow:established,to_server; content:"SW50ZXJuZXRPcGVu"; fast_pattern:only;
> classtype:trojan-activity; sid:156111; rev:1;)
>
> alert smtp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Email
> Contains wininet.dll Call - Potentially Dridex MalDoc";
> flow:established,to_server; content:"d2luaW5ldC5kbGw"; fast_pattern:only;
> classtype:trojan-activity; sid:156112; rev:1;)
>
>
> Kind Regards,
> Kevin Ross
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs

Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
