sud0woodo

Network Analysis, Network Detection, Networking

Detecting the SpeakUp Trojan using Snort


On February 4th, Check Point Research released a post about a previously undetected Trojan used in a new campaign targeting Linux servers. Check Point Research dubbed this Trojan ‘SpeakUp’.

The Trojan exploits known vulnerabilities in six different Linux distributions. The malware developer was correlated with ‘Zettabit’ because the Trojan has a lot in common with Zettabit’s craftsmanship.

I will not go into the full technical details of the Trojan itself, since Check Point Research already has an excellent post covering it. Instead I want to share the Snort rule I wrote, which uses the IOCs provided by Check Point Research to detect the User-Agent strings used by the Trojan.

Please note that the User-Agent is a post-exploitation IOC: when this network behavior is observed, it could indicate a successful infection of the endpoint.

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"Possible SpeakUp C2 User-Agent Observed"; flow:to_server,established; content:"User-Agent|3a| "; http_header; fast_pattern:only; pcre:"/User-Agent\: (?:[0-9A-Z]{32}(?:\r?\n|$)|Mozilla\/5\.0 \(iPad\; U\; CPU OS 3_2_1 like Mac OS X\; en-us\) AppleWebkit\/531\.21\.10 \(KHTML, like Gecko\) Mobile\/(?:7B405|BADDAD))/Hi"; reference:url,research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/; sid:1337; rev:1;)
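To see what the rule's pattern does and does not match, here is an added Python check (not code from the original post) that applies the same three indicators to constructed HTTP requests. It compares an anchored pattern, where the whole alternation is tied to the User-Agent header line (the form the rule above uses), with a loose pattern in which only the first alternative is prefixed by "User-Agent: " and the iPad strings can match anywhere in the payload. The host name and every User-Agent other than the three indicators are made up for the example.

```python
"""Check HTTP request headers for the SpeakUp User-Agent indicators (added example)."""
import re
from typing import List, Optional, Tuple

# Indicators from the Check Point write-up, as used in the Snort rule:
# a 32-character alphanumeric token, or one of two near-identical iPad strings.
IPAD_UA = (
    r"Mozilla/5\.0 \(iPad; U; CPU OS 3_2_1 like Mac OS X; en-us\) "
    r"AppleWebKit/531\.21\.10 \(KHTML, like Gecko\) Mobile/(?:7B405|BADDAD)"
)

# Anchored form: the whole alternation must sit on the User-Agent header line.
STRICT_RE = re.compile(
    r"^User-Agent: (?:[0-9A-Z]{32}|" + IPAD_UA + r")\r?$",
    re.IGNORECASE | re.MULTILINE,
)

# Loose form: only the first alternative is tied to the header name, so the
# iPad strings match wherever they occur, and the token needs no terminator.
LOOSE_RE = re.compile(r"User-Agent: [0-9A-Z]{32}|" + IPAD_UA, re.IGNORECASE)


def match_speakup_ua(raw_request: str, strict: bool = True) -> Optional[str]:
    """Return the matched indicator text, or None if the request is clean."""
    m = (STRICT_RE if strict else LOOSE_RE).search(raw_request)
    return m.group(0).strip() if m else None


def scan(requests: List[str], strict: bool = True) -> List[Tuple[int, str]]:
    """Run the check over raw requests; return (index, matched text) alerts."""
    alerts = []
    for i, req in enumerate(requests):
        hit = match_speakup_ua(req, strict)
        if hit:
            alerts.append((i, hit))
    return alerts


def _req(ua: str, body: str = "") -> str:
    """Build a constructed HTTP/1.1 request carrying the given User-Agent."""
    return (
        "POST /ping HTTP/1.1\r\n"
        "Host: c2.example.invalid\r\n"  # placeholder host, not a real IOC
        f"User-Agent: {ua}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    )


IPAD_7B405 = ("Mozilla/5.0 (iPad; U; CPU OS 3_2_1 like Mac OS X; en-us) "
              "AppleWebKit/531.21.10 (KHTML, like Gecko) Mobile/7B405")
IPAD_BADDAD = IPAD_7B405.replace("7B405", "BADDAD")

# Constructed sample traffic (not captured from real hosts).
SAMPLES = [
    _req("0123456789ABCDEF0123456789ABCDEF"),          # 0: 32-char token UA
    _req(IPAD_7B405),                                  # 1: first iPad indicator
    _req(IPAD_BADDAD),                                 # 2: second iPad indicator
    _req("curl/7.64.0"),                               # 3: benign
    _req("ABCDEFGHIJKLMNOPQRSTUVWXYZ012345-build7"),   # 4: 32 alnum chars, then more
    _req("curl/7.64.0", body="ua=" + IPAD_7B405),      # 5: indicator only in the body
]

if __name__ == "__main__":
    for label, strict in (("strict", True), ("loose", False)):
        print(label, [i for i, _ in scan(SAMPLES, strict)])
```

The strict pattern alerts on samples 0, 1 and 2 only; the loose one also fires on 4 and 5, which is why the alternation in the rule is wrapped in a non-capturing group and the PCRE carries the `H` modifier so it is evaluated against the normalized HTTP header buffer rather than the whole payload. Two deployment caveats: SIDs below 1,000,000 are reserved for rules shipped with Snort, so a local rule should use a SID of 1,000,000 or higher, and if the C2 traffic is not confined to port 80 the destination port can be widened to `$HTTP_PORTS`.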

Want to write your own Snort rules? Snort has excellent documentation!
