09-20-2013 10:20 AM - edited 03-10-2019 06:03 AM
Has anybody tested the Poison Ivy RAT against the Cisco IDS/IPS? I have an XP workstation inside a network that is currently connected to a Poison Ivy server listening on the default port 3460. Doing nothing fancy...no special traffic hiding, didn't even change the default port. The IDS doesn't care. I did a search through the site and I don't find any signatures related to Poison Ivy. Can it be true that the Cisco IDS doesn't detect this?
Update:
The Cisco TAC engineer verified that traffic is being captured and that there is no matching signature.
09-21-2013 08:12 PM
Jerry, The signature team is looking into this. I will provide you with an update once I have additional information.
-Roopesh
IPS signature team
09-23-2013 08:25 AM
Thanks. A case was opened on this also....don't know if that information would be helpful or not. It's not under my contact but if you want that info, e-mail me.
09-28-2013 12:42 PM
Jerry,
Unfortunately Poison Ivy encrypts its C&C traffic so the IPS has no visibility into its traffic. If you can supply a pcap of any unique Poison Ivy traffic you are seeing we can investigate the possibility of a signature.
http://badishi.com/decrypting-poison-ivys-communication-using-code-injection-and-dll-proxies/
09-28-2013 01:49 PM
I can do that. Not today but I'll get it done. BTW, Snort has a signature for it.
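A defender-side fallback for the situation Roopesh describes (encrypted C&C, so a payload signature has nothing to match): triage connection metadata instead, starting from the default listener port named at the top of the thread. This is an added example, not code from the thread or from Cisco; it assumes Zeek conn.log-style fields and RFC1918 internal ranges, and the log lines are constructed.

```python
# Added example (not from the thread): triage connection metadata for sessions to
# Poison Ivy's default C2 port (TCP/3460) when payload inspection is blind.
import ipaddress
from collections import defaultdict

POISON_IVY_DEFAULT_PORT = 3460  # default listener port named in the thread
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]  # assumption: site's internal ranges

# Constructed sample in a Zeek conn.log-like layout:
# ts src sport dst dport proto duration orig_bytes
SAMPLE_CONN_LOG = """\
1379672400.1 192.168.10.25 49152 203.0.113.7 3460 tcp 1800.0 12000
1379672401.0 192.168.10.25 49153 93.184.216.34 443 tcp 12.5 4000
1379674200.4 192.168.10.25 49170 203.0.113.7 3460 tcp 1795.0 9800
1379672500.2 192.168.10.40 51000 192.168.10.5 3460 tcp 3.0 300
1379672600.9 192.168.10.41 51001 198.51.100.9 80 tcp 0.8 500
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_conn_log(text):
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, proto, dur, obytes = line.split()
        rows.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport),
                     "proto": proto, "duration": float(dur), "orig_bytes": int(obytes)})
    return rows

def find_poison_ivy_candidates(rows, port=POISON_IVY_DEFAULT_PORT):
    """Group internal->external TCP sessions to the default port by (src, dst) and
    report session count, total duration and bytes so a persistent session stands out."""
    hits = defaultdict(lambda: {"sessions": 0, "duration": 0.0, "orig_bytes": 0})
    for r in rows:
        if r["proto"] != "tcp" or r["dport"] != port:
            continue
        if not is_internal(r["src"]) or is_internal(r["dst"]):
            continue  # only internal -> external pairs
        h = hits[(r["src"], r["dst"])]
        h["sessions"] += 1
        h["duration"] += r["duration"]
        h["orig_bytes"] += r["orig_bytes"]
    return dict(hits)

if __name__ == "__main__":
    for pair, stats in find_poison_ivy_candidates(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(pair, stats)
```

A server moved off the default port defeats this check, so it complements a content signature (such as the Snort one mentioned above) rather than replacing it.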
02-07-2014 05:57 AM
Kindly review the below link as well:
http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf