Sinowal, Torpig detection.

ddevecka
Level 1

I am running an SSM_10 and am curious: does anyone know the sig to block the Torpig/Sinowal rootkit? My ISP is telling me it is in our network, but I can't seem to find it. I want to block the traffic, if possible via my IPS module.

Thanks,

D

2 Replies

clausonna
Level 3

Hi, I saw a few Torpig detections on my network about a week ago, but they were caught by a Snort IPS sensor running the Emerging Threats sigs.  The Cisco IPS sensors didn't blink an eye, but traditionally they don't for Trojan/malware infections.  Cisco just doesn't seem to put much effort into developing malware/trojan sigs; not sure why, since I've caught MANY infected machines on my network with the ET sigs.

There are two ET sigs for Torpig (from http://emergingthreats.net/index.php/rules-mainmenu-38.html)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Reporting User Activity (x25)"; flow:established,to_server; uricontent:"/x25.php"; nocase; uricontent:"?id="; nocase; uricontent:"&sv="; nocase; uricontent:"&ip="; nocase; uricontent:"&sport="; nocase; uricontent:"&hport="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2002762; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Torpig; sid:2002762; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Reporting User Activity (wur8)"; flow:established,to_server; uricontent:"/wur8.php"; nocase; uricontent:"?id="; nocase; uricontent:"&sv="; nocase; uricontent:"&ip="; nocase; uricontent:"&sport="; nocase; uricontent:"&hport="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2003066; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Torpig; sid:2003066; rev:3;)

You can create a custom sig for it, using the HTTP engine, and doing an Argument Name RegEx that matches the URICONTENT fields in the ET sigs.  For example, using the ET sig above:

URI Regex: /wur8.php

URI Content: ((\?id=).*(&sv=).*(&ip=).*(&sport=).*(&hport=).*(&os=).*)

Cisco is big (and I agree) on making the detections case-insensitive, so you should really do: [^/][Ww][Uu][Rr][8]

Please be really careful with developing custom sigs, especially ones that use RegEx - you can really bork your Sensor.
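As an added illustration (not code from either poster, from Emerging Threats or from Cisco), here is the same URI logic the two ET rules express, applied in Python to constructed proxy log lines so the case-insensitive path plus "all six query keys" match can be checked offline; the hostnames and log entries are made up for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Paths and query keys taken from the two Emerging Threats Torpig rules
# quoted above (sid 2002762 and sid 2003066).
TORPIG_PATHS = ("/x25.php", "/wur8.php")
TORPIG_KEYS = ("id", "sv", "ip", "sport", "hport", "os")

def is_torpig_beacon(uri: str) -> bool:
    """Return True if an HTTP request URI matches the ET Torpig pattern.

    Mirrors the rules' uricontent checks: the script path must be present
    and every one of the six query parameters must appear, all compared
    case-insensitively (the rules use 'nocase'). The rules do not fix the
    order of the parameters, so order is not checked here either.
    """
    parts = urlsplit(uri.lower())
    if not any(parts.path.endswith(p) for p in TORPIG_PATHS):
        return False
    keys = set(parse_qs(parts.query, keep_blank_values=True))
    return all(k in keys for k in TORPIG_KEYS)

# Constructed sample proxy log lines (Squid-style: ts elapsed client
# action/code size method uri). Hosts are placeholders, not real C2.
SAMPLE_LOG = """\
1262304000.123 45 10.0.0.17 TCP_MISS/200 512 GET http://example.test/index.html
1262304001.456 31 10.0.0.42 TCP_MISS/200 87 GET http://c2.example.test/WUR8.php?id=1&sv=2&ip=10.0.0.42&sport=1025&hport=80&os=5.1
1262304002.789 29 10.0.0.42 TCP_MISS/200 87 GET http://c2.example.test/x25.php?id=1&sv=2
1262304003.012 40 10.0.0.9 TCP_MISS/200 64 GET http://example.test/x25.php?id=9&sv=1&ip=10.0.0.9&sport=3000&hport=443&os=6.0
"""

def find_beacons(log_text: str) -> list:
    """Return (client_ip, uri) for each log line whose URI matches."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # not a well-formed access log line
        client, uri = fields[2], fields[6]
        if is_torpig_beacon(uri):
            hits.append((client, uri))
    return hits

if __name__ == "__main__":
    for client, uri in find_beacons(SAMPLE_LOG):
        print(f"possible Torpig beacon from {client}: {uri}")
```

The third sample line shows why the rules require all six keys: a request that only has the script name and two parameters is not reported, which keeps ordinary PHP pages with an id parameter from firing.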

george.goebel
Level 1

We have had and still have problems with it too.  We were elated when Cisco FINALLY added the signatures to the IPS.  Of course, then we found out it didn't work.  The IPS doesn't see it.

Hopefully, Cisco will fix this for its customer base.
