Snort mailing list archives
Re: SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound
From: Joe Gedeon <joe.gedeon () gmail com>
Date: Fri, 10 Oct 2014 09:51:18 -0400
Thanks Joel. We are now getting further hits for this with normal self-signed certs on various appliances like Platinum NVRs.

On Fri, Oct 10, 2014 at 9:02 AM, Joel Esler (jesler) <jesler () cisco com> wrote:

Thanks Joe. We'll have a look.

--
Joel Esler
iPhone

On Oct 10, 2014, at 08:52, Joe Gedeon <joe.gedeon () gmail com> wrote:

We are getting a number of hits for this with Xerox printers connecting out to "layer7-prod.idns.xerox.com". Looking at the reference URL in the signature we are trying to figure out if there is a match here. The cert does match what the signature is looking for, but the reference URL does not mention anything about SSL connections or certs. Could there be another reference URL that was used to write this rule? Line 88 of the cert paste is the matching line that the rule is triggering on. No other IOCs have been seen that match the reference URL.

Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Win.Backdoor.Upatre SSL Cert inbound"; flow:to_client,established; content:"|55 04 08|"; content:"|0A|Some-State1!0"; within:14; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:url,www.virustotal.com/en/file/8f98fce6c20dbbe8a156e5a5b671066ccd0db240140e81d69d1a7205457605cb/analysis/; classtype:trojan-activity; sid:32124; rev:1;)

Cert:

openssl s_client -connect 13.13.56.126:443
CONNECTED(00000003)
depth=2 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=Unified Communications/CN=gateway.websrvs.xerox.com
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
 2 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIMEjCCCvqgAwIBAgIQUkZPlDqIksH99dsBjAAKqDANBgkqhkiG9w0BAQUFADCB
iTELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxLzAtBgNV
BAMTJkNPTU9ETyBIaWdoLUFzc3VyYW5jZSBTZWN1cmUgU2VydmVyIENBMB4XDTE0
MDUwOTAwMDAwMFoXDTE1MDUwOTIzNTk1OVowggEXMQswCQYDVQQGEwJVUzEOMAwG
A1UEERMFMDY4NTAxFDASBgNVBAgTC0Nvbm5lY3RpY3V0MRAwDgYDVQQHEwdOb3J3
YWxrMRkwFwYDVQQJExA0NSBHbG92ZXIgQXZlbnVlMRowGAYDVQQKExFYZXJveCBD
b3Jwb3JhdGlvbjEbMBkGA1UECxMSV29ybGQgSGVhZHF1YXJ0ZXJzMTcwNQYDVQQL
Ey5Jc3N1ZWQgdGhyb3VnaCBYZXJveCBDb3Jwb3JhdGlvbiBFLVBLSSBNYW5hZ2Vy
MR8wHQYDVQQLExZVbmlmaWVkIENvbW11bmljYXRpb25zMSIwIAYDVQQDExlnYXRl
d2F5LndlYnNydnMueGVyb3guY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEA55X7kBDiOXYuZzoUGiWUv6MLdWDQv1jUPjh+9nP1EEPcmaiTviZGzDjR
sSBcaZ7s/dAHpuaGk6cYq/yj4T0x65ctfaxXawTXeAtb+5c89vzur2K8hLdl14Xc
bjxVHWD0eybuNPdyGuOGURaGuuA0IWSQlWI7eGvMqZyE6Jks76DMXsZ/VAg/ewtZ
AqYLnFVXB8kxCY7xaChun65xDEzVrpV87zJgHX+TTupal0rhIsS1/2dxj6qFVLrV
xal5Ba9OKKzCX4EZNlD1IYctjcXZyf1oOXPbdLWJLRsuKTAZ+pViLLINF6Wcs8zv
4BbwKiviO3aTVyR/QJ5Z5Oq2JHi7BwIDAQABo4IH4zCCB98wHwYDVR0jBBgwFoAU
P9W10NZEeVBKF6ObjErcuLAiZGswHQYDVR0OBBYEFJBATBPDLWyHubszz5WAS7YC
8/NwMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsG
AQUFBwMBBggrBgEFBQcDAjBQBgNVHSAESTBHMDsGDCsGAQQBsjEBAgEDBDArMCkG
CCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQUzAIBgZngQwB
AgIwTwYDVR0fBEgwRjBEoEKgQIY+aHR0cDovL2NybC5jb21vZG9jYS5jb20vQ09N
T0RPSGlnaC1Bc3N1cmFuY2VTZWN1cmVTZXJ2ZXJDQS5jcmwwgYAGCCsGAQUFBwEB
BHQwcjBKBggrBgEFBQcwAoY+aHR0cDovL2NydC5jb21vZG9jYS5jb20vQ09NT0RP
SGlnaC1Bc3N1cmFuY2VTZWN1cmVTZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0
dHA6Ly9vY3NwLmNvbW9kb2NhLmNvbTCCBjgGA1UdEQSCBi8wggYrghlnYXRld2F5
LndlYnNydnMueGVyb3guY29tgiBnYXRlc3RhZ2UtdGVzdC53ZWJzcnZzLnhlcm94
LmNvbYIbZ2F0ZXN0YWdlLndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UwMS53
ZWJzcnZzLnhlcm94LmNvbYIdZ2F0ZXN0YWdlMDIud2Vic3J2cy54ZXJveC5jb22C
HWdhdGVzdGFnZTAzLndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UwNC53ZWJz
cnZzLnhlcm94LmNvbYIdZ2F0ZXN0YWdlMDUud2Vic3J2cy54ZXJveC5jb22CHWdh
dGVzdGFnZTA2LndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UwNy53ZWJzcnZz
Lnhlcm94LmNvbYIdZ2F0ZXN0YWdlMDgud2Vic3J2cy54ZXJveC5jb22CHWdhdGVz
dGFnZTA5LndlYnNydnMueGVyb3guY29tgh1nYXRlc3RhZ2UxMC53ZWJzcnZzLnhl
cm94LmNvbYIeZ2F0ZXdheS10ZXN0LndlYnNydnMueGVyb3guY29tghtnYXRld2F5
MDEud2Vic3J2cy54ZXJveC5jb22CG2dhdGV3YXkwMi53ZWJzcnZzLnhlcm94LmNv
bYIbZ2F0ZXdheTAzLndlYnNydnMueGVyb3guY29tghtnYXRld2F5MDQud2Vic3J2
cy54ZXJveC5jb22CG2dhdGV3YXkwNS53ZWJzcnZzLnhlcm94LmNvbYIbZ2F0ZXdh
eTA2LndlYnNydnMueGVyb3guY29tghtnYXRld2F5MDcud2Vic3J2cy54ZXJveC5j
b22CG2dhdGV3YXkwOC53ZWJzcnZzLnhlcm94LmNvbYIbZ2F0ZXdheTA5LndlYnNy
dnMueGVyb3guY29tghtnYXRld2F5MTAud2Vic3J2cy54ZXJveC5jb22CIG1kdC1z
dGFnZS10ZXN0LnN1cHBvcnQueGVyb3guY29tghttZHQtc3RhZ2Uuc3VwcG9ydC54
ZXJveC5jb22CGm1kdC10ZXN0LnN1cHBvcnQueGVyb3guY29tghVtZHQuc3VwcG9y
dC54ZXJveC5jb22CG3JlbXNlcnYwMC5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2Vy
djAxLnN1cHBvcnQueGVyb3guY29tghtyZW1zZXJ2MDIuc3VwcG9ydC54ZXJveC5j
b22CG3JlbXNlcnYwMy5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2VydjA0LnN1cHBv
cnQueGVyb3guY29tghtyZW1zZXJ2MDUuc3VwcG9ydC54ZXJveC5jb22CG3JlbXNl
cnYwNi5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2VydjA3LnN1cHBvcnQueGVyb3gu
Y29tghtyZW1zZXJ2MDguc3VwcG9ydC54ZXJveC5jb22CG3JlbXNlcnYwOS5zdXBw
b3J0Lnhlcm94LmNvbYIbcmVtc2VydjEwLnN1cHBvcnQueGVyb3guY29tghtyZW1z
ZXJ2MTEuc3VwcG9ydC54ZXJveC5jb22CG3JlbXNlcnYxMi5zdXBwb3J0Lnhlcm94
LmNvbYIbcmVtc2VydjEzLnN1cHBvcnQueGVyb3guY29tghtyZW1zZXJ2MTQuc3Vw
cG9ydC54ZXJveC5jb22CG3JlbXNlcnYxNS5zdXBwb3J0Lnhlcm94LmNvbYIbcmVt
c2VydjE2LnN1cHBvcnQueGVyb3guY29tghtyZW1zZXJ2MTcuc3VwcG9ydC54ZXJv
eC5jb22CG3JlbXNlcnYxOC5zdXBwb3J0Lnhlcm94LmNvbYIbcmVtc2VydjE5LnN1
cHBvcnQueGVyb3guY29tgiBzdXMtc3RhZ2UtdGVzdC5zdXBwb3J0Lnhlcm94LmNv
bYIbc3VzLXN0YWdlLnN1cHBvcnQueGVyb3guY29tghpzdXMtdGVzdC5zdXBwb3J0
Lnhlcm94LmNvbYIVc3VzLnN1cHBvcnQueGVyb3guY29tght3d3cucGF3cy5leHRl
cm5hbC54ZXJveC5jb22CEnd3dy5wYXdzLnhlcm94LmNvbTANBgkqhkiG9w0BAQUF
AAOCAQEAqm/9jwwwtyzUdPlVIDiLQa6808++cNoA3EOOGJR4FibpY22hmBHrWpY0
Ls1RUbcDPWn8wLNl/pS820LFdIX7I231+tr9YxMYVx9DdqhrAeBWy8VB+7+LvgOI
FK5OE93aq+LJhqhK0wJb0a2jIbUtm8klvFR+efr6kHWAone+XoMcPHX00tjwpG/+
jadBIHCg/bzNq1z5dsBbtmY/AkewIAex276RR2KoVIIUD8ejIlf1wV5Lt7YXPmf6
/WHnWjHmVQF1wYaqAPhc8X8FGgmZCcCksTIWJmBNMXurHfuljjYPFKfYNFmdE3u7
FlP+5YmXqVYEYcrt99+I1zhoWsfzIQ==
-----END CERTIFICATE-----
subject=/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=Unified Communications/CN=gateway.websrvs.xerox.com
issuer=/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
---
Acceptable client certificate CA names
/C=US/ST=Illinois/L=Chicago/O=BigMachines Inc./OU=Operations/CN=bigmachines.self.xerox.com
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=MobilePro-VQ
/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
/C=US/O=GeoTrust, Inc./CN=GeoTrust SSL CA
/CN=layer7-prod.idns.xerox.com
/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certs.godaddy.com/repository//CN=Go Daddy Secure Certificate Authority - G2
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
/C=US/O=Entrust.net/OU=www.entrust.net/CPS incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Secure Server Certification Authority
/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High-Assurance Secure Server CA
/C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification Authority
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 1999 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 1 Public Primary Certification Authority - G3
/C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/CN=USERTrust Legacy Secure Server CA
/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/C=US/O=Xerox Corp./CN=Xerox Web Services CA
/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
/C=US/O=Thawte, Inc./CN=Thawte SSL CA
/C=US/ST=LOUISIANA/L=HAMMOND/O=BARRISTER GLOBAL SERVICES NETWORK, INC./OU=CLEARVIEW/OU=Terms of use at www.verisign.com/rpa (c)05/CN=PARTNERS.GLOBALSERVNET.COM
/C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=InstantSSL/CN=xyzzy.xerox.com
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
/C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=PremiumSSL Wildcard/CN=*.services.xerox.com
/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Organization Validation Secure Server CA
/C=US/postalCode=06856-4505/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=InstantSSL/CN=infocareprod.eur.xerox.com
/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
/C=US/O=Symantec Corporation/OU=Symantec Trust Network/OU=Persona Not Validated/CN=Symantec Class 1 Individual Subscriber CA - G4
/C=US/postalCode=06850/ST=Connecticut/L=Norwalk/street=45 Glover Avenue/O=Xerox Corporation/OU=World Headquarters/OU=Issued through Xerox Corporation E-PKI Manager/OU=Unified Communications/CN=gateway.websrvs.xerox.com
---
SSL handshake has read 11302 bytes and written 567 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 5437C7EAED1FB9A47597AB4A3E9E953125EC90075253412053534C4A20202020
    Session-ID-ctx:
    Master-Key: E850153DA8C022FFFACA1459CBFF820B98369F907FF5D7409305B1AF75CB2F13966A4B7859989FBB7A9B0B16960E809C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1412941720
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
closed

--
Registered Linux User # 379282
-- Registered Linux User # 379282
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
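The two content matches in SID 32124 are worth decoding, because they explain the hits on unrelated self-signed certificates. `55 04 08` is the DER encoding of OID 2.5.4.8 (stateOrProvinceName). `distance:1` skips the string type tag, and `|0A|Some-State1!0` is then length 10, the text "Some-State", and `31 21 30`: a SET of length 0x21 opening the next RDN. An RDN whose SET is exactly 33 bytes long is `O=Internet Widgits Pty Ltd`, so the rule is effectively keyed on the `openssl req` default subject (`C=AU, ST=Some-State, O=Internet Widgits Pty Ltd`), which the Upatre sample evidently used and which any certificate generated with those defaults also carries. That exact DN appears in the "Acceptable client certificate CA names" section of the s_client output above; the rule inspects the whole server-to-client stream and does not care which TLS message the bytes sit in. The script below is an added example, not code from the thread or from the Snort rule set: it DER-encodes a few constructed subject names by hand (no external modules) and emulates the rule's relative content matching over the raw bytes. The sample DNs and function names are the author's own.

```python
"""Decode what SID 32124 keys on and emulate its content matching.

Added example, not part of the Snort rule set or this thread. DER encoding is
done by hand for short-form lengths only, which is all these names need.

Rule options emulated:
  content:"|55 04 08|"; content:"|0A|Some-State1!0"; within:14; distance:1;
"""

def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV; short-form length only (body < 128 bytes)."""
    assert len(body) < 128, "short-form length only"
    return bytes([tag, len(body)]) + body

# X.520 attribute type OIDs as DER contents octets
OID_C  = bytes.fromhex("550406")   # 2.5.4.6  countryName
OID_ST = bytes.fromhex("550408")   # 2.5.4.8  stateOrProvinceName
OID_O  = bytes.fromhex("55040a")   # 2.5.4.10 organizationName
OID_CN = bytes.fromhex("550403")   # 2.5.4.3  commonName

OBJECT_IDENTIFIER, SEQUENCE, SET, PRINTABLE_STRING = 0x06, 0x30, 0x31, 0x13

def rdn(oid: bytes, value: str, string_tag: int = PRINTABLE_STRING) -> bytes:
    """RelativeDistinguishedName ::= SET OF AttributeTypeAndValue (one ATV here)."""
    atv = der_tlv(SEQUENCE,
                  der_tlv(OBJECT_IDENTIFIER, oid) + der_tlv(string_tag, value.encode("ascii")))
    return der_tlv(SET, atv)

def name(*rdns: bytes) -> bytes:
    """Name ::= SEQUENCE OF RelativeDistinguishedName"""
    return der_tlv(SEQUENCE, b"".join(rdns))

RULE_PATTERN_1 = OID_ST                  # content:"|55 04 08|"
RULE_PATTERN_2 = b"\x0aSome-State1!0"    # content:"|0A|Some-State1!0"
RULE_DISTANCE, RULE_WITHIN = 1, 14

def sid32124_matches(buf: bytes) -> bool:
    """Emulate the two relative content matches of SID 32124 on raw bytes.

    Snort semantics: after each hit of pattern 1, skip `distance` bytes and
    require pattern 2 to lie entirely inside the next `within` bytes. Pattern 2
    is itself 14 bytes long, so within:14 pins it to exactly one offset: the
    byte right after the string type tag. flow/service options are not modelled.
    """
    start = 0
    while (i := buf.find(RULE_PATTERN_1, start)) != -1:
        window_start = i + len(RULE_PATTERN_1) + RULE_DISTANCE
        window = buf[window_start:window_start + RULE_WITHIN]
        if RULE_PATTERN_2 in window:
            return True
        start = i + 1
    return False

def rule_hex_for(dn: bytes) -> str:
    """Hex of the region the rule inspects: the ST OID, the string tag and the
    14 bytes after it. Empty string if the name has no ST attribute."""
    i = dn.find(OID_ST)
    return "" if i == -1 else dn[i:i + len(OID_ST) + RULE_DISTANCE + RULE_WITHIN].hex()

# Constructed sample names (not taken from any capture).
# 1) The openssl req defaults; this DN is also listed under "Acceptable client
#    certificate CA names" in the s_client output in the thread.
OPENSSL_DEFAULT_DN = name(
    rdn(OID_C, "AU"),
    rdn(OID_ST, "Some-State"),
    rdn(OID_O, "Internet Widgits Pty Ltd"),
    rdn(OID_CN, "MobilePro-VQ"),
)
# 2) In the style of the Xerox server certificate subject (ST=Connecticut).
XEROX_STYLE_DN = name(
    rdn(OID_C, "US"),
    rdn(OID_ST, "Connecticut"),
    rdn(OID_O, "Xerox Corporation"),
    rdn(OID_CN, "gateway.websrvs.xerox.com"),
)
# 3) Some-State kept but a different Organization: the following SET has a
#    different length, so the "1!0" tail of pattern 2 no longer lines up.
SOME_STATE_OTHER_ORG_DN = name(
    rdn(OID_C, "AU"),
    rdn(OID_ST, "Some-State"),
    rdn(OID_O, "Example Ltd"),
)

if __name__ == "__main__":
    for label, dn in [("openssl defaults", OPENSSL_DEFAULT_DN),
                      ("Xerox-style", XEROX_STYLE_DN),
                      ("Some-State, other O", SOME_STATE_OTHER_ORG_DN)]:
        print(f"{label:22s} match={sid32124_matches(dn)!s:5s} bytes={rule_hex_for(dn)}")
```

For the default-subject name the inspected region comes out as `550408 13 0a 536f6d652d5374617465 312130`, byte for byte what the rule asks for, while a name with `ST=Some-State` but any other organization length does not match. To confirm what tripped the rule on a given host, run `openssl s_client` as above and look for the OpenSSL default DN in the server certificate subject or issuer and in the acceptable client CA list.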
Current thread:
- SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound Joe Gedeon (Oct 10)
- Re: SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound Joel Esler (jesler) (Oct 10)
- Re: SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound Joe Gedeon (Oct 10)
- Re: SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound Joe Gedeon (Oct 13)
- Re: SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound Joel Esler (jesler) (Oct 13)
- Re: SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound Jamie Riden (Oct 13)
- Re: SID:32124 BLACKLIST Win.Backdoor.Upatre SSL Cert inbound Joel Esler (jesler) (Oct 10)