New Member

Sinowal, Torpig detection.

I am running an SSM_10 and am curious, does anyone know the sig to block the Torpig/Sinowal rootkit? My ISP is telling me it is in our network but I can't seem to find it. I want to block the traffic, if possible via my IPS module.

Thanks,

D

2 REPLIES
Bronze

Re: Sinowal, Torpig detection.

Hi, saw a few Torpig detections on my network about a week ago, but they were caught by a Snort IPS sensor running the Emerging Threat sigs.  The Cisco IPS sensors didn't blink an eye, but traditionally they don't for Trojan/Malware infections.  Cisco just doesn't seem to put much effort into developing malware/trojan sigs; not sure why since I've caught MANY infected machines on my network with the ET sigs.

There are two ET sigs for Torpig (from http://emergingthreats.net/index.php/rules-mainmenu-38.html)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Reporting User Activity (x25)"; flow:established,to_server; uricontent:"/x25.php"; nocase; uricontent:"?id="; nocase; uricontent:"&sv="; nocase; uricontent:"&ip="; nocase; uricontent:"&sport="; nocase; uricontent:"&hport="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2002762; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Torpig; sid:2002762; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Reporting User Activity (wur8)"; flow:established,to_server; uricontent:"/wur8.php"; nocase; uricontent:"?id="; nocase; uricontent:"&sv="; nocase; uricontent:"&ip="; nocase; uricontent:"&sport="; nocase; uricontent:"&hport="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2003066; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Torpig; sid:2003066; rev:3;)

You can create a custom sig for it, using the HTTP engine, and doing an Argument Name RegEx that matches the URICONTENT fields in the ET sigs.  For example, using the ET sig above:

URI Regex: /wur8.php

URI Content:((?id=).*(&sv=).*(&ip=).*(&sport=).*(&hport=).*(&os=).*)

Cisco is big (and I agree) on making the detections case-insensitive, so you should really do: [^/][Ww][Uu][Rr][8]

Please be really careful with developing custom sigs, especially ones that use RegEx - you can really bork your Sensor.
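As an added illustration (not code from the original thread or from Cisco/Emerging Threats), the following Python check applies the uricontent tokens of the two ET sids quoted above to constructed proxy log lines, and compares that with the ordered regex form of the suggested custom sig; the log lines, client addresses and server IPs are made up for the example.

```python
import re

# Path tokens of the two ET rules quoted in the reply, keyed by sid.
ET_TORPIG_RULES = {
    2002762: "/x25.php",
    2003066: "/wur8.php",
}
# Argument tokens every ET rule above requires (uricontent ... nocase).
ARG_TOKENS = ("?id=", "&sv=", "&ip=", "&sport=", "&hport=", "&os=")

# Ordered equivalent of the custom-sig URI regex suggested in the reply.
# Unlike Snort's independent uricontent checks, this imposes an order.
ORDERED_RE = re.compile(
    r"/(x25|wur8)\.php.*\?id=.*&sv=.*&ip=.*&sport=.*&hport=.*&os=", re.I)


def et_sids_for_uri(uri):
    """Return the ET sids whose tokens all appear in uri, case-insensitive, any order."""
    u = uri.lower()
    if not all(tok in u for tok in ARG_TOKENS):
        return []
    return [sid for sid, path in ET_TORPIG_RULES.items() if path in u]


def ordered_regex_hit(uri):
    """True if the ordered custom-sig style regex matches the URI."""
    return ORDERED_RE.search(uri) is not None


# Constructed proxy log lines: client, method, URI, version. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET http://198.51.100.7/wur8.php?id=ab12&sv=3&ip=10.0.0.5&sport=1034&hport=80&os=5.1 HTTP/1.1
10.0.0.6 GET http://198.51.100.7/X25.PHP?ID=cd34&SV=3&IP=10.0.0.6&SPORT=1040&HPORT=80&OS=5.1 HTTP/1.1
10.0.0.7 GET http://198.51.100.7/wur8.php?id=ef56&os=5.1&sv=3&ip=10.0.0.7&sport=1050&hport=80 HTTP/1.1
10.0.0.8 GET http://example.invalid/index.php?id=1&sv=2 HTTP/1.1
"""


def scan_log(text):
    """Return (client, uri, et_sids, ordered_hit) for each parseable log line."""
    results = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        client, uri = parts[0], parts[2]
        results.append((client, uri, et_sids_for_uri(uri), ordered_regex_hit(uri)))
    return results


if __name__ == "__main__":
    for client, uri, sids, ordered in scan_log(SAMPLE_LOG):
        print(f"{client}: ET sids {sids}, ordered regex {'hit' if ordered else 'miss'}")
```

The third sample line shows the caveat: the parameters arrive in a different order, so the Snort-style token check still fires while the ordered regex misses it.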

New Member

Re: Sinowal, Torpig detection.

We have had and still have problems with it too.  We were elated when Cisco FINALLY added the signatures to the IPS.  Of course, then we found out it didn't work.   The IPS doesn't see it.

Hopefully, Cisco will fix this for its customer base.
