Comments on TaoSecurity Blog: Linux Covert Channel Explains Why NSM Matters
Blog author: Richard Bejtlich (http://www.blogger.com/profile/13512184196416665417)

Comment by Anonymous, 2013-11-19 22:46 (-05:00):

Emerging Threats has an open signature for this:

alert tcp $EXTERNAL_NET any -> any 22 (msg:"ET TROJAN Possible SSH Linux.Fokirtor backchannel command"; flow:established,to_server; content:"|3a 21 3b 2e|"; pcre:"/^(?:[A-Za-z0-9\+\/]{4})*(?:[A-Za-z0-9\+\/]{2}==|[A-Za-z0-9\+\/]{3}=|[A-Za-z0-9\+\/]{4})/R"; reference:url,www.symantec.com/connect/blogs/linux-back-door-uses-covert-communication-protocol; classtype:trojan-activity; sid:2017727; rev:6;)

It looks for the special sequence followed by any-length base64.

We put it out late last week. We don't have a POC, so we are not positive it works. If anyone has a pcap or POC, we would appreciate a copy.

Comment by Seth Hall (https://www.blogger.com/profile/12496449784833418201), 2013-11-14 11:23 (-05:00):

Eek, not a great indicator. It hit all over the place for me. Mostly Hulu traffic but also a bit of SSL.

The problem is that with having a 4-byte indicator you're only watching for a particular 32-bit integer to pass over your network for the indicator to trip. You have a 1 in ~4 billion chance of hitting it with every 32-bit int, but streaming a video at 7 Mbps is causing nearly 2 million 32-bit ints per second, so you have a hit pretty quickly (if I did my math right).
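Added example, written for this page and not taken from either commenter or from Emerging Threats: a Python emulation of the rule's marker-then-base64 logic run over constructed payloads, together with the random-traffic false-positive estimate the second comment reasons about, computed at byte granularity because a content match can land at any offset. The sample payloads are constructed, and it is assumed Python's `re` treats this pattern the way Snort's pcre does.

```python
import re

# Pieces of the Emerging Threats rule quoted in the comments above.
MARKER = b"\x3a\x21\x3b\x2e"                     # content:"|3a 21 3b 2e|", i.e. ":!;."
B64_RUN = re.compile(                            # the rule's pcre, applied right after the marker
    rb"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})"
)

# Probability that uniformly random bytes satisfy the pcre's three alternatives
# (4 base64 symbols, or 3 symbols + "=", or 2 symbols + "=="); 64 of 256 byte values are symbols.
P_TAIL = (64 / 256) ** 4 + (64 / 256) ** 3 * (1 / 256) + (64 / 256) ** 2 * (1 / 256) ** 2


def rule_matches(payload: bytes) -> bool:
    """Emulate the signature on one TCP payload: the marker may sit at any byte
    offset, and the base64 run must begin immediately after it (Snort's /R)."""
    start = 0
    while (idx := payload.find(MARKER, start)) >= 0:
        if B64_RUN.match(payload[idx + len(MARKER):]):
            return True
        start = idx + 1                          # keep looking at later marker occurrences
    return False


def expected_seconds_between_false_hits(mbps: float, with_pcre: bool = True) -> float:
    """Mean time for a stream of uniformly random bytes to trip the rule.

    Every byte offset is a trial for the 4-byte marker (probability 2**-32); with the
    pcre, the following bytes must also look like base64 (P_TAIL). Real traffic is not
    uniform: text or base64-heavy payloads make the tail far likelier, so this is an
    upper bound on the quiet time, not a prediction for a given link.
    """
    bytes_per_second = mbps * 1_000_000 / 8
    p_marker = 2.0 ** -32
    p_tail = P_TAIL if with_pcre else 1.0
    return 1.0 / (bytes_per_second * p_marker * p_tail)


# Constructed samples (not real Fokirtor traffic).
SAMPLES = {
    "marker then base64 command": b"\x00\x00" + MARKER + b"aGVsbG8gd29ybGQ=",
    "marker then padded 2-char group": MARKER + b"ab==",
    "marker then binary": MARKER + b"\x00\x01\x02\x03",
    "marker, junk, marker then base64": MARKER + b"\xff" + MARKER + b"QUJD",
    "no marker at all": b"aGVsbG8gd29ybGQ=",
}

if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print(f"{label:36s} -> {'ALERT' if rule_matches(payload) else 'no alert'}")
    for rate in (7.0, 100.0):
        print(f"{rate:6.1f} Mbps of random bytes: marker alone every "
              f"{expected_seconds_between_false_hits(rate, False):.0f}s, "
              f"marker plus pcre every {expected_seconds_between_false_hits(rate):.0f}s")
```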