Sinowal, Torpig detection.

Unanswered Question
Jan 21st, 2010

I am running an SSM_10 and am curious: does anyone know the sig to block the Torpig/Sinowal rootkit? My ISP is telling me it is in our network but I can't seem to find it. I want to block the traffic, if possible via my IPS module.

Thanks,

D

clausonna Mon, 01/25/2010 - 12:53

Hi, I saw a few Torpig detections on my network about a week ago, but they were caught by a Snort IPS sensor running the Emerging Threats sigs.  The Cisco IPS sensors didn't blink an eye, but traditionally they don't for Trojan/malware infections.  Cisco just doesn't seem to put much effort into developing malware/trojan sigs; not sure why, since I've caught MANY infected machines on my network with the ET sigs.

There are two ET sigs for Torpig (from http://emergingthreats.net/index.php/rules-mainmenu-38.html):

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Reporting User Activity (x25)"; flow:established,to_server; uricontent:"/x25.php"; nocase; uricontent:"?id="; nocase; uricontent:"&sv="; nocase; uricontent:"&ip="; nocase; uricontent:"&sport="; nocase; uricontent:"&hport="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2002762; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Torpig; sid:2002762; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Reporting User Activity (wur8)"; flow:established,to_server; uricontent:"/wur8.php"; nocase; uricontent:"?id="; nocase; uricontent:"&sv="; nocase; uricontent:"&ip="; nocase; uricontent:"&sport="; nocase; uricontent:"&hport="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2003066; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Torpig; sid:2003066; rev:3;)

You can create a custom sig for it, using the HTTP engine, and doing an Argument Name RegEx that matches the URICONTENT fields in the ET sigs.  For example, using the ET sig above:

URI Regex: /wur8\.php

URI Content: (\?id=).*(&sv=).*(&ip=).*(&sport=).*(&hport=).*(&os=)

(the "?" and "." are escaped because both are regex metacharacters; unescaped, "(?id=)" is not a valid group)

Cisco is big (and I agree) on making the detections case-insensitive, so you should really do: [^/][Ww][Uu][Rr][8]

Please be really careful with developing custom sigs, especially ones that use RegEx - you can really bork your Sensor.
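As an added example (not from this thread, Cisco, or Emerging Threats), here is the check the two ET sigs express, written in Python and run over constructed proxy log lines: the report path and all six parameter names must be present, case-insensitively and in any order, which is what independent nocase uricontent matches require and what a single ordered regex does not quite capture. The log format, sample lines and function names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Mirrors the two ET Torpig sigs: a report path plus six query parameter
# names, each matched case-insensitively ("nocase") and, like independent
# uricontent checks, in any order rather than a fixed sequence.
TORPIG_PATHS = ("/x25.php", "/wur8.php")
TORPIG_PARAMS = frozenset(("id", "sv", "ip", "sport", "hport", "os"))

# Pulls the request URI out of a common-log-format line (assumed format).
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')


def is_torpig_report(uri: str) -> bool:
    """True if the URI looks like a Torpig user-activity report."""
    parts = urlsplit(uri)
    path = parts.path.lower()
    if not any(p in path for p in TORPIG_PATHS):
        return False
    # Every required parameter name must be present; values are irrelevant.
    names = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    return TORPIG_PARAMS <= names


def scan_log(lines):
    """Return (client_ip, uri) for each log line carrying a Torpig report."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_torpig_report(m.group(1)):
            hits.append((line.split(" ", 1)[0], m.group(1)))
    return hits


# Constructed sample proxy log: two reports (one upper-cased with the
# parameters reordered), one incomplete query, one benign request.
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Jan/2010:10:01:02 +0000] "GET /wur8.php?id=0a1b&sv=3&ip=10.0.0.5&sport=1054&hport=80&os=5.1 HTTP/1.1" 200 12',
    '10.0.0.9 - - [21/Jan/2010:10:03:11 +0000] "GET /X25.PHP?OS=5.1&HPORT=80&SPORT=2201&IP=10.0.0.9&SV=3&ID=7c2d HTTP/1.1" 200 12',
    '10.0.0.7 - - [21/Jan/2010:10:04:40 +0000] "GET /wur8.php?id=1 HTTP/1.1" 404 0',
    '10.0.0.8 - - [21/Jan/2010:10:05:13 +0000] "GET /index.php?id=5&os=win HTTP/1.1" 200 3400',
]

if __name__ == "__main__":
    for client, uri in scan_log(SAMPLE_LOG):
        print(f"Torpig report from {client}: {uri}")
```

Only the first two sample lines are reported; the third is missing parameters and the fourth has the wrong path, so a path-only or parameter-only rule would misfire on them.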

george.goebel Thu, 02/18/2010 - 12:39

We have had and still have problems with it too.  We were elated when Cisco FINALLY added the signatures to the IPS.  Of course, then we found out it didn't work.  The IPS doesn't see it.

Hopefully, Cisco will fix this for its customer base.
