Friday, November 13, 2015

Win.Trojan.Boaxxe Snort Rule

A quick rundown of a Boaxxe Snort rule and why it fired. Hopefully it's useful both for those researching Boaxxe and for those just trying to understand how Snort rules are put together. Sample pasted here.

Let's say an end user navigates to this URL, producing the following request.

GET http://lax1.ib.adnxs.com/vevent?e=wqT_3QLhBPB-WAIAAAIA1gAFCMyakrIFEJDU8s2rh9LdRRiJzZngzonb7EggASotCVQax2dnmSRAETXuzW-YICJAGQAAAAAAAFBAIYKGd6JWSkZAKdoYn7h5VElAMNie3gE4ywNAhhNIAlCiiY4RWLKuH2AAaMDIAXi55wOAAQGKAQNVU0SSAQEG8FqYAawCoAH6AagBAbABALgBAsABBcgBANABANgBAOABAPABAPoBBTM2MzIwigJYdWYoJ2EnLCAzNjE0NDIsIDE0NDczMzMxOTcpO3VmKCdjJywgMTA2MzA4MDEsQh4AAHIBOhw1ODgyMTQ2LDIeAPCNkgLBASF5Q3NKV3dpUjdZZ0ZFS0tKamhFWUFDQ3lyaDh3QURnQVFBQkloaE5RMko3ZUFWZ0FZT2tEYUFCd0JuaUlRWUFCQ0lnQmlFR1FBUUdZQVFHZ0FRR29BUU93QVFDNUFkb1luN2g1VkVsQXdRSGFHSi00ZVZSSlFNa0IwMkVvZGhBMjhEX1pBUUFBQQEDZFBBXzRBSEY3UTdxQVFjeU5EazRNelkyOVFFAR58QWdBSUJpQUstdnBnQmtBSUJtQUlLmgIdIXBRVkVOUWkyxADwenNxNGZJQUEu2AKVBOAC24Qd6gIkaHR0cDovL215LnhmaW5pdHkuY29tLz9jaWQ9Y3VzdCZ0cz0zgAMAiAMBkAPdqwOYAwygAwGqAwCwAwC4AwDAA6wCyAMA2APmllbgAwDoAwDwAwD4AwOABACSBAgvcnViaWNvbpgEAA..&s=ef52c870b9d5df7c528b188c673193e6a6cb7d3d&referrer=http%3A%2F%2Fmy.xfinity.com%2F%3Fcid%3Dcust%26ts%3D3&type=nv&nvt=5&bw=0&bh=0&sw=1536&sh=864&pw=1536&ph=3662&ww=1519&wh=719&ft=2&sv=27&tv=view5-1&ua=ie9&pl=win&x=1447333198455830943,279999,v,win,ie9,view5-1,0,,2 HTTP/1.1
Accept: */*
Origin: http://my.xfinity.com
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: lax1.ib.adnxs.com
Proxy-Connection: Keep-Alive
Pragma: no-cache


And this Snort rule triggered on your IDS. You might ask why.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Boaxxe variant outbound connection"; flow:to_server,established; urilen:485<>520; content:!"/"; offset:1; http_raw_uri; content:!"."; http_uri; content:"%2f"; http_raw_uri; content:"%2b"; http_raw_uri; content:"|20|MSIE|20|"; fast_pattern:only; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30495; rev:1; )

Let's pick it apart below.

tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
flow:to_server,established;


It must be TCP traffic. It must originate from your internal network ($HOME_NET) and go outbound to an external host ($EXTERNAL_NET) on whatever ports your $HTTP_PORTS variable lists (80, 443, etc.). It must be part of an established connection, with the packet travelling toward the server (i.e. sent by the client). Yep, all of those match so far.

urilen:485<>520;

The URI must be long: between 485 and 520 characters (urilen measures the normalized URI unless the raw option is given). Yep.

content:!"/"; offset:1; http_raw_uri;

Must not contain a / anywhere after the first character (offset:1 skips the leading slash), so no sub-folder in the URL. Yep, still good.

content:!"."; http_uri;

Must not contain a . anywhere in the normalized URI (http_uri), which rules out a file extension such as .php or .aspx in the URL. Yep, still good.

content:"%2f"; http_raw_uri;

Must contain a URL-encoded / written exactly as %2f (lowercase, since there is no nocase modifier). Because this is matched against the raw URI (http_raw_uri), the encoded form itself has to be present; in the normalized URI it would already have been decoded to a /. Yep, still good.

content:"%2b"; http_raw_uri;

Must contain a URL-encoded + written exactly as %2b, again matched against the raw URI. Yep, still good.

content:"|20|MSIE|20|"; fast_pattern:only; http_header;

Must contain MSIE with a space on either side (|20| is hex for a space) somewhere in the HTTP headers, which in practice means an Internet Explorer User-Agent. fast_pattern:only tells Snort to use this string in its fast pattern matcher as the cheap pre-filter that decides whether the rest of the rule is evaluated at all. Yep, still good.

content:!"Referer:"; http_header;

Must not contain a Referer header (that is how the HTTP header is spelled). Meaning the user did not click through from another page to this one; instead it was a direct call. Yep, good.

metadata:impact_flag red, service http;
classtype:trojan-activity;


The matching conditions end here; the rest is metadata Snort and the IDS use to categorize and prioritize the rule (impact_flag red marks the alert as high-impact, and service http records the protocol the rule is written for).

reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf;

This is amazing documentation for this rule. I wish more snort rule developers would supply good documentation!

sid:30495; rev:1;

This is just the unique id of the Snort rule, followed by the revision number. In this case it's the first version of this rule.
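To make the walk-through above checkable, here is a small Python script, added for this write-up and not part of the original post or of the Snort rule set, that applies the rule's urilen and content conditions to an HTTP request and reports which ones hold. The requests it checks are constructed, reusing the header values from the capture above; the urilen check treats the 485<>520 range as inclusive and the normalized-URI buffer as plain percent-decoding, both of which are simplifying assumptions. It also shows two details that are easy to miss when reading the rule by eye: the content matches are case-sensitive because there is no nocase modifier, and the negated "." check fails as soon as any dot appears anywhere in the decoded URI, such as a hostname carried in a query parameter.

```python
"""Added example: apply each matching condition of Snort SID 30495 (the
Boaxxe rule discussed above) to an HTTP request and report which ones hold.
Sample requests are constructed here; the rule text itself is from the post."""
from urllib.parse import unquote


def split_request(raw):
    """Return (raw_uri, header_block) from an origin-form HTTP request."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, raw_uri, _version = request_line.split(" ", 2)
    return raw_uri, "\r\n".join(header_lines)


def normalize_uri(raw_uri):
    """Stand-in for Snort's normalized http_uri buffer: percent-decoding only.
    Assumption: the real HTTP preprocessor also folds things like '//' and
    '/./', which none of the samples below contain."""
    return unquote(raw_uri)


def check_rule(raw):
    """Evaluate the rule's urilen/content options; returns {condition: bool}."""
    raw_uri, headers = split_request(raw)
    uri = normalize_uri(raw_uri)
    return {
        # urilen:485<>520 -- length of the normalized URI. Endpoints are treated
        # as inclusive here (assumption; Snort releases have differed on <>).
        "urilen_485_520": 485 <= len(uri) <= 520,
        # content:!"/"; offset:1; http_raw_uri -- no '/' after the leading one
        "no_slash_after_first": "/" not in raw_uri[1:],
        # content:!"."; http_uri -- no '.' anywhere in the decoded URI, so a
        # dotted hostname inside a query parameter breaks the match too
        "no_dot_in_uri": "." not in uri,
        # content:"%2f"; http_raw_uri -- literal and case-sensitive (no nocase),
        # so an upper-case %2F does not satisfy it
        "encoded_slash": "%2f" in raw_uri,
        # content:"%2b"; http_raw_uri
        "encoded_plus": "%2b" in raw_uri,
        # content:"|20|MSIE|20|"; http_header -- |20| is a space
        "msie_in_header": " MSIE " in headers,
        # content:!"Referer:"; http_header
        "no_referer": "Referer:" not in headers,
    }


def matches(raw):
    """True only when every condition holds, i.e. the rule would fire."""
    return all(check_rule(raw).values())


def build_sample_uri(total_len=500):
    """Constructed URI: a single path segment with an encoded '/' and '+',
    no dots and no further '/', padded to the requested length."""
    core = "q3v9%2fa7%2bzk"
    return "/" + core + "x" * (total_len - 1 - len(core))


def build_request(raw_uri, referer=None):
    """Constructed request reusing the header values from the capture above."""
    headers = [
        "Accept: */*",
        "Origin: http://my.xfinity.com",  # Origin is not Referer; the rule ignores it
        "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)",
        "Host: lax1.ib.adnxs.com",
    ]
    if referer:
        headers.append("Referer: " + referer)
    return "GET " + raw_uri + " HTTP/1.1\r\n" + "\r\n".join(headers) + "\r\n\r\n"


def report(raw):
    """Print one line per condition, the way you would walk the rule by hand."""
    for name, ok in check_rule(raw).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
    print("rule fires" if matches(raw) else "rule does not fire")


if __name__ == "__main__":
    base = build_sample_uri()
    print("-- clean sample --")
    report(build_request(base))
    print("-- same URI with a dotted hostname in a query parameter --")
    report(build_request(base[:-20] + "&ref=my.xfinity.com"))
    print("-- same URI with a Referer header --")
    report(build_request(base, referer="http://my.xfinity.com/"))
```

Running it prints a PASS/FAIL line per condition for a clean sample, for the same URI with a dotted hostname added to the query string, and for the same request with a Referer header, so you can see exactly which option stops the rule from firing in each case.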




Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.

1 comment:

  1. Hi, could you explain why the rule triggered with content:!"." but there are several "." characters in the URI? Thanks.
