Some APT C&C traffic Snort rules

February 14, 2012 | Jaime Blasco

Commandfive did a great job and published a research document that describes some APT C&C communication protocols used on the SK Communications hack and other recent attacks.

We have written some snort rules to detect the protocols described on the analysis.

We have tested some of them with real traffic from samples but others are based only on the protocols descriptions.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:“APT QDIGIT PROTOCOL detected”; flow:to_server,established; content:”|51 31 39 21 00|”; depth:5; reference:url,; classtype:trojan-activity; sid:3000004; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,12345] (msg:“APT UPDATE communicaction protocol detected”; flow:to_server,established; content:“X|2d|Session|3A|”; nocase; http_header; content:“X|2d|Status|3A|”; nocase; http_header; content:“X|2d|Size|3A|”; nocase; http_header; content:“X|2d|Sn|3A|”; nocase; http_header; content:“User|2d|Agent|3a| Mozilla|2f|4|2e|0 |28|compatible|3b| MSIE 6|2e|0|3b| Windows NT 5|2e|1|3b|SV1|3b|”; nocase; http_header; reference:url,; classtype:trojan-activity; sid:3000005; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:“APT LURK communication protocol detected”; flow:established,to_server; content:”|4C 55 52 4B 30|”; depth:5; reference:url,; classtype:trojan-activity; sid:3000006; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:“APT IP2B communicacion protocol detected”; flow:established,to_server; content:”|12 34 56 78 10 00 10 00|”; depth:8; content:”|00 18 09 07 20|”; distance:4; within:5; reference:url,; classtype:trojan-activity; sid:3000007; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:“APT BB communication protocol detected”; flow:established,to_server; content:”|01 00 00 00|”; offset:4; content:”|01 04 01 00|”; distance:8; within:4; reference:url,; classtype:trojan-activity; sid:3000008; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:“APT X-Shell 601 communication protocol detected”; flow:to_server,established; content:”|43 36 30 31|”; offset:16; depth:4; reference:url,; classtype:trojan-activity; sid:3000009; rev:1;)

The Backdoor.Murcy traffic is already covered by “ETPRO TROJAN Backdoor.Win32.Murcy.A Checkin”.

The rules will be included on the EmergingThreats [no longer available] feed and Alienvault feed.

Jaime Blasco

About the Author: Jaime Blasco

Jaime Blasco is a renowned Security Researcher with broad experience in network security, malware analysis and incident response. At AT&T Cybersecurity, Jaime leads the Alien Labs Intelligence and Research team that leads the charge of researching and integrating threat intelligence into detection mechanisms. Prior to working at AT&T, Jaime was Chief Scientist at AlienVault. Prior to that, he founded a couple of startups (Eazel, Aitsec) working on web application security, source code analysis and incident response. He is based in San Francisco. Jaime's work in emerging threats and targeted attacks is frequently cited in international publications such as New York Times, BBC, Washington Post and Al Jazeera.

Read more posts from Jaime Blasco ›


Watch a demo ›
Get price Free trial