
    New Proxy Bot Method and Sigs

    Yesterday I found in our sandnet a proxy bot that is using port 80 in a different way. The agent makes an outbound connection, checks in, and then acts as a proxy on that same connection. This allows the C&C to connect to boxes behind firewalls, or behind software firewalls, and still have full proxy control to send mail, HTTP, etc.

    The following rules detect this handshake. The two groups are independent: the first three track the initial packet, the C&C's connect command, and the bot's confirmation that the outbound connect succeeded (that last rule tags the rest of the session so the proxied traffic is captured); the last two track a separate checkin and its success reply. The first rule of each group carries flowbits:noalert, so it only arms the flowbit and never alerts on its own; you will only see alerts once the C&C side answers. They are in current_events for now, but once we have a good name for the agent and these are proven stable, they will go to the regular sets.

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Unknown Proxy Method/Bot Initial Packet"; flow:established,to_server; dsize:24; content:"|9a 02 06 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin; flowbits:noalert; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2006396; sid:2006395; rev:1;)
    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS Unknown Proxy Method/Bot Connect Command Packet"; flowbits:isset,BS.BPcheckin; flow:established,from_server; dsize:10; content:"|9a 02 07 00|"; offset:0; depth:4; flowbits:set,BS.BPset; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2006396; sid:2006396; rev:1;)
    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Unknown Proxy Method/Bot Successful Connect Packet"; flowbits:isset,BS.BPset; flow:established,to_server; dsize:16; content:"|9a 02 08 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin; tag:session; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2006396; sid:2006397; rev:1;)

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE CURRENT_EVENTS Unknown Proxy Method/Bot Checkin Packet"; flow:established,to_server; dsize:30; content:"|9a 02 01 00|"; offset:0; depth:4; flowbits:set,BS.BPcheckin1; flowbits:noalert; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2006396; sid:2006398; rev:1;)
    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE CURRENT_EVENTS Unknown Proxy Method/Bot Checkin Success Packet"; flowbits:isset,BS.BPcheckin1; flow:established,from_server; dsize:4; content:"|9a 02 05 00|"; offset:0; depth:4; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2006396; sid:2006399; rev:1;)
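    To make the flowbits logic in the rules above concrete, here is an added example (not code from Bleeding Edge Threats, and not Snort itself) that re-implements the five signatures as a per-session state machine in Python and runs it over constructed payloads. The only thing it takes from the rules is the 4-byte header |9a 02 xx 00|, the direction, and the dsize of each packet; the bytes after the header in the sample packets are filler I made up, since the post does not describe the rest of the protocol. It shows why the noalert rules never produce events on their own, why the connect command only alerts after an initial packet has armed BS.BPcheckin, and that the successful-connect rule is the one that tags the session.

```python
"""Flowbit-style state machine mirroring the five proxy-bot rules.

Added illustration only; not the project's code and not Snort. Re-implements
each rule's direction, dsize, 4-byte content match at offset 0, and
flowbits set/isset/noalert, then drives it with constructed payloads.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Header bytes taken from the content matches in the rules: 9a 02 <opcode> 00.
MAGIC = b"\x9a\x02"
OP_INITIAL, OP_CONNECT, OP_CONNECTED = 0x06, 0x07, 0x08
OP_CHECKIN, OP_CHECKIN_OK = 0x01, 0x05


@dataclass
class Rule:
    sid: int
    msg: str
    to_server: bool               # flow:to_server (bot -> C&C) or from_server
    dsize: int                    # exact payload length the rule requires
    opcode: int                   # third header byte
    isset: Optional[str] = None   # flowbits:isset,<name> prerequisite
    sets: Optional[str] = None    # flowbits:set,<name>
    noalert: bool = False         # flowbits:noalert
    tag_session: bool = False     # tag:session


RULES = [
    Rule(2006395, "Initial Packet", True, 24, OP_INITIAL,
         sets="BS.BPcheckin", noalert=True),
    Rule(2006396, "Connect Command Packet", False, 10, OP_CONNECT,
         isset="BS.BPcheckin", sets="BS.BPset"),
    Rule(2006397, "Successful Connect Packet", True, 16, OP_CONNECTED,
         isset="BS.BPset", sets="BS.BPcheckin", tag_session=True),
    Rule(2006398, "Checkin Packet", True, 30, OP_CHECKIN,
         sets="BS.BPcheckin1", noalert=True),
    Rule(2006399, "Checkin Success Packet", False, 4, OP_CHECKIN_OK,
         isset="BS.BPcheckin1"),
]


def header(opcode: int) -> bytes:
    return MAGIC + bytes([opcode, 0x00])


def packet(opcode: int, dsize: int) -> bytes:
    """Constructed sample payload: real header, zero filler for the unknown body."""
    hdr = header(opcode)
    return hdr + b"\x00" * (dsize - len(hdr))


@dataclass
class Flow:
    """Per-TCP-session state, the equivalent of Snort's flowbits for one flow."""
    bits: Set[str] = field(default_factory=set)
    tagged: bool = False


def inspect(flow: Flow, to_server: bool, payload: bytes) -> List[int]:
    """Apply every rule to one segment (assumed established); return alerting sids."""
    alerts = []
    for r in RULES:
        if r.to_server != to_server or len(payload) != r.dsize:
            continue
        if payload[:4] != header(r.opcode):        # content ... offset:0; depth:4
            continue
        if r.isset and r.isset not in flow.bits:   # flowbits:isset not satisfied
            continue
        if r.sets:
            flow.bits.add(r.sets)
        if r.tag_session:
            flow.tagged = True
        if not r.noalert:                          # flowbits:noalert suppresses the event
            alerts.append(r.sid)
    return alerts


def run_session(segments: List[Tuple[bool, bytes]]):
    flow = Flow()
    fired: List[int] = []
    for to_server, payload in segments:
        fired.extend(inspect(flow, to_server, payload))
    return fired, flow


# Constructed sessions following the sequence the post describes.
PROXY_SESSION = [
    (True,  packet(OP_INITIAL, 24)),        # bot -> C&C: arms BS.BPcheckin, no alert
    (False, packet(OP_CONNECT, 10)),        # C&C -> bot: connect command, alerts
    (True,  packet(OP_CONNECTED, 16)),      # bot -> C&C: connect succeeded, alerts + tag
    (True,  b"EHLO mail.example.net\r\n"),  # proxied traffic on the same connection
]
CHECKIN_SESSION = [
    (True,  packet(OP_CHECKIN, 30)),        # arms BS.BPcheckin1, no alert
    (False, packet(OP_CHECKIN_OK, 4)),      # success reply, alerts
]
ORPHAN_CONNECT = [(False, packet(OP_CONNECT, 10))]  # no prior initial packet: silent

if __name__ == "__main__":
    for name, s in [("proxy", PROXY_SESSION), ("checkin", CHECKIN_SESSION),
                    ("orphan", ORPHAN_CONNECT)]:
        sids, flow = run_session(s)
        print(name, sids, "tagged" if flow.tagged else "untagged")
```

    The orphan case is the one worth keeping in mind when tuning: a 10-byte server-to-client segment starting with 9a 02 07 00 will never alert by itself, so if you see 2006396 fire you already know the same flow carried a 24-byte 9a 02 06 00 packet from the bot first.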

    Matt

    This entry was posted on Monday, July 16th, 2007 at 9:30 pm and is filed under General, New Rules.

    Copyright © 2007 Bleeding Edge Threats.
    All trademarks and copyrights on this page are owned by their respective owners. Snort® is a registered trademark of Sourcefire, Inc.