Re: [Snort-sigs] new Q signature

From: Jon (warchild@spoofed.org)
Date: 02/28/03

  • Next message: Ivan Hernandez: "Re: ids detect malicious encrypted data?"
    Date: Thu, 27 Feb 2003 23:08:01 -0500
    From: Jon <warchild@spoofed.org>
    To: snort-sigs@lists.sourceforge.net
    
    

    Its been nearly a month now, and I'm only slightly closer to getting to the
    bottom of this.

    As previously mentioned, I've been using the following rule to track any
    machines that spew packets containg 'cko', which is associated with the Q
    backdoor:

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Q-Backdoor
    traffic"; content:"cko"; depth:3; dsize:3;)

    I've compiled some information about this traffic in the hopes that it
    helps someone. Since my first email (beginning of Februrary), I've caught
    2042 packets coming into my network that tripped this signature.

    Common characteristics for all of these packets include:

    * all tcp
    * low ttl
    * ACK and PSH flags set
    * sequence # set
    * payload is "cko"

    In terms of most popular ports:

    Qty | Dst Port
    -----------------
    1184 80 (http)
    59 25 (smtp)
    11 993 (imaps)
    5 22 (ssh)

    Qty | Src Port
    -----------------
    629 80 (http)
    96 25 (smtp)
    33 443 (https)
    11 457 (scohelp via NCSA)

    In terms of most talkative hosts:

    Qty | IP | Comment(s)
    ----------------------------------------------------------------------------
    251 129.41.36.211 All from port 80 on an Apache webserver
    183 216.75.196.140 All from port 80 on an IIS (5.1) webserver
    88 80.15.172.140 All to port 80 on an Apache webserver
    84 63.126.62.14 All from port 80 on an IIS (5.0) webserver
    80 216.2.139.35 All to/from port 25 on a WorldMail mailserver

    Traffic leading up to the final 'cko' packets always seems very routine --
    your average web browse, mail traffic, etc. All source hosts that were not
    the server in the connection seem to be random dialup/dsl machines from
    around the globe.

    Any feedback or information about these (or other similar) "attacks" would
    be much appreciated, either publicly on this list or privately via email.

    Fyi and thanks,

    -jon

    -----------------------------------------------------------
    <Pre>Lose another weekend managing your IDS?
    Take back your personal time.
    15-day free trial of StillSecure Border Guard.</Pre>
    <A href="http://www.securityfocus.com/stillsecure"> http://www.securityfocus.com/stillsecure </A>