Sinowal, Torpig detection.

ddevecka — Sun, 10 Mar 2019 11:52:10 GMT

I am running an SSM_10 and am curious does any konw the sig to block the torpig, sinowal rootkit. My ISP is telling me it is in our network but I can't seem to find it. I want to block the traffic, if possible via my IPS module.

Thanks,

Re: Sinowal, Torpig detection.

clausonna — Mon, 25 Jan 2010 20:53:32 GMT

Hi saw a few Torpig detections on my network about a week ago, but they were caught by a Snort IPS sensor running the Emerging Threat sigs. The Cisco IPS sensors didn't blink an eye, but traditionally they don't for Trojan/Malware infections. Cisco just doesn't seem to put much effort in developing malware/trojan; not sure why since I've caught MANY infected machines on my network with the ET sigs.

There are two ET sigs for Torpig (from http://emergingthreats.net/index.php/rules-mainmenu-38.html)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Reporting User Activity (x25)"; flow:established,to_server; uricontent:"/x25.php"; nocase; uricontent:"?id="; nocase; uricontent:"&sv="; nocase; uricontent:"&ip="; nocase; uricontent:"&sport="; nocase; uricontent:"&hport="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2002762; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Torpig; sid:2002762; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Torpig Reporting User Activity (wur8)"; flow:established,to_server; uricontent:"/wur8.php"; nocase; uricontent:"?id="; nocase; uricontent:"&sv="; nocase; uricontent:"&ip="; nocase; uricontent:"&sport="; nocase; uricontent:"&hport="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/trojtorpigr.html; reference:url,doc.emergingthreats.net/2003066; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Torpig; sid:2003066; rev:3;)

You can create a custom sig for it, using the HTTP engine, and doing an Argument Name RegEx that matches the URICONTENT fields in the ET sigs. For example, using the ET sig above:

URI Regex: /wur8.php

URI Content:((?id=).*(&sv=).*(&ip=).*(&sport=).*(&hport=).*(&os=).*)

Cisco is big (and I agree) on making the detections case-insenstive, so you should really do: [^/][Ww][Uu][Rr][8]

Please be really careful with developing custom sigs, especially ones that use RegEx - you can really bork your Sensor.

Re: Sinowal, Torpig detection.

george.goebel — Thu, 18 Feb 2010 20:39:32 GMT

We have had and still have problems with it too. We were elated when Cisco

FINALLY added the signatures to the IPS. Of course, then we found out it didn

't work. The IPS doesn't see it.

Hopefully, Cisco will fix this for its customer base.

topic Re: Sinowal, Torpig detection. in Network Security

Sinowal, Torpig detection.

Re: Sinowal, Torpig detection.

Re: Sinowal, Torpig detection.