Comprehensive Analysis and Detection of SunBurst Malware Using nDPI and Ntop Tools

At the beginning of this month, a new, highly evasive malware named SunBurst was disclosed. Countermeasures were published immediately, in particular a set of Snort/Suricata rules. We analyzed these rules to see whether ntop tools can detect and block SunBurst, and the answer is yes. Let's look at some of the rules. The first thing to observe is that they are any/any, which means the IDS has to inspect every connection: unlike ntop tools, most IDSs do not use DPI, so they have to search the whole payload rather than specific protocol fields. This costs performance, since unrelated traffic must be scanned too, and it can lead to false positives.

The following rules are essentially TLS SNI (Server Name Indication) matches.

alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"avsvmcloud.com"; distance:0; sid:77600845; rev:1;)

alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"digitalcollege.org"; within:50; sid:77600846; rev:1;)

alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"freescanonline.com"; within:50; sid:77600847; rev:1;)


You can detect these via nDPI.

Note that these rules were designed before encrypted traffic became the norm, so they are suboptimal and quite rudimentary, with limited coverage. For instance, see what DPI reports for the same TLS traffic:

TCP 192.168.1.102:51293 <-> 20.140.0.1:443 [proto: 91/TLS][cat: Web/5][7 pkts/998 bytes <-> 6 pkts/1553 bytes][Goodput ratio: 52/74][1.74 sec][ALPN: h2;http/1.1][bytes ratio: -0.218 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/109 253/420 1142/1033 447/434][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 143/259 583/1215 180/428][Risk: ** Self-signed Certificate ** ][TLSv1.2][Client: avsvmcloud.com][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA3S: 364ff14b04ef93c3b4cfa429d729c0d9][Issuer: CN=localhost][Subject: CN=localhost][Certificate SHA-1: D2:D1:B8:2B:15:FB:C9:51:B7:24:FF:56:B4:EF:9D:82:E2:E5:EA:B3][Validity: 2020-10-14 21:20:12 – 2022-12-17 11:32:25][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0]

As you can see, the server presents a self-signed TLS certificate, which is not a good sign.

Other rules, like the ones below, are similar but take a different approach:

alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"freescanonline.com"; within:100; sid:77600852; rev:1;)

alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"deftsecurity.com"; within:100; sid:77600853; rev:1;)

alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"thedoccloud.com"; within:100; sid:77600854; rev:1;)

alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"virtualdataserver.com"; within:100; sid:77600855; rev:1;)

In this case, the rules basically say: look for HTTP (even on non-standard ports) and, if a connection points to one of the listed websites (e.g., freescanonline.com), trigger an alert.

In summary, these are outdated rules designed for the protocols of the year 2000 that need upgrading. Here is the nDPI equivalent:

$ cat sunburst.protos
# Format:
# <tcp|udp>:<port>,<tcp|udp>:<port>,.....@<proto>

# Subprotocols
# Format:
# host:"<value>",host:"<value>",.....@<subproto>
#
# IP based Subprotocols
# Format:
# ip:<value>,ip:<value>,.....@<subproto>
host:"avsvmcloud.com"@APT.Backdoor.MSIL.SUNBURST
host:"digitalcollege.org"@APT.Backdoor.MSIL.SUNBURST
host:"freescanonline.com"@APT.Backdoor.MSIL.SUNBURST
host:"deftsecurity.com"@APT.Backdoor.MSIL.SUNBURST
host:"thedoccloud.com"@APT.Backdoor.MSIL.SUNBURST
host:"virtualdataserver.com"@APT.Backdoor.MSIL.SUNBURST
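The translation from the Snort rules above to the nDPI protos file is mechanical: every rule carries one hostname in a content match, and that hostname becomes a host:"..."@<proto> line. The script below, an added example and not ntop or nDPI code, automates it for the two rule shapes shown here (TLS SNI/CN matches and HTTP Host matches), skipping the hex and anchor contents and dropping duplicate hosts; the rule text is a constructed copy of the published rules.

```python
"""Convert SunBurst-style Snort rules into an nDPI custom-protocols file."""
import re

# Constructed sample: a subset of the published rules (straight quotes),
# including one duplicate to show de-duplication.
SNORT_RULES = """
alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"avsvmcloud.com"; distance:0; sid:77600845; rev:1;)
alert tcp any any <> any 443 (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"|16 03|"; depth:2; content:"|55 04 03|"; distance:0; content:"digitalcollege.org"; within:50; sid:77600846; rev:1;)
alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"freescanonline.com"; within:100; sid:77600852; rev:1;)
alert tcp any any -> any any (msg:"APT.Backdoor.MSIL.SUNBURST"; content:"T "; offset:2; depth:3; content:"Host:"; content:"freescanonline.com"; within:100; sid:77600852; rev:1;)
"""

MSG_RE = re.compile(r'msg:"([^"]+)"')
CONTENT_RE = re.compile(r'content:"([^"]+)"')
# A hostname: dot-separated labels of letters, digits and hyphens.
# This rejects hex contents (|16 03|) and anchors ("T ", "Host:").
HOST_RE = re.compile(r'^[a-z0-9-]+(\.[a-z0-9-]+)+$', re.I)


def rule_host(rule: str):
    """Return (msg, hostname) for one rule, or None if no host content."""
    msg = MSG_RE.search(rule)
    if not msg:
        return None
    hosts = [c for c in CONTENT_RE.findall(rule) if HOST_RE.match(c)]
    return (msg.group(1), hosts[0]) if hosts else None


def to_ndpi_protos(rules_text: str) -> str:
    """Emit one host:"<host>"@<proto> line per unique host, first-seen order."""
    seen = {}  # lower-cased host -> protocol name
    for line in rules_text.splitlines():
        line = line.strip()
        if not line.startswith("alert"):
            continue  # skip blanks and comments
        hit = rule_host(line)
        if hit and hit[1].lower() not in seen:
            seen[hit[1].lower()] = hit[0]
    return "\n".join(f'host:"{h}"@{proto}' for h, proto in seen.items())


if __name__ == "__main__":
    print(to_ndpi_protos(SNORT_RULES))
```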

You can now start ndpiReader as follows:

$ ndpiReader -p sunburst.protos -i ~/avsvmcloud.com.pcap -v 2

Detected protocols:

APT.Backdoor.MSIL.SUNBURST packets: 13 bytes: 2551 flows: 1

Protocol statistics:

Acceptable 2551 bytes

JA3 Host Stats:

IP Address # JA3C

1 192.168.1.102 1

1 TCP 192.168.1.102:51293 <-> 20.140.0.1:443 [proto: 91.255/TLS.APT.Backdoor.MSIL.SUNBURST][cat: Web/5][7 pkts/998 bytes <-> 6 pkts/1553 bytes][Goodput ratio: 52/74][1.74 sec][ALPN: h2;http/1.1][bytes ratio: -0.218 (Download)][IAT c2s/s2c min/avg/max/stddev: 0/109 253/420 1142/1033 447/434][Pkt Len c2s/s2c min/avg/max/stddev: 66/66 143/259 583/1215 180/428][Risk: ** Self-signed Certificate **][TLSv1.2][Client: avsvmcloud.com][JA3C: 2a26b1a62e40d25d4de3babc9d532f30][JA3S: 364ff14b04ef93c3b4cfa429d729c0d9][Issuer: CN=localhost][Subject: CN=localhost][Certificate SHA-1: D2:D1:B8:2B:15:FB:C9:51:B7:24:FF:56:B4:EF:9D:82:E2:E5:EA:B3][Validity: 2020-10-14 21:20:12 – 2022-12-17 11:32:25][Cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384][Plen Bins: 33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,33,0,0,0,0,0,0,0,0,0,0,0,0]
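The verbose flow line above packs the matched protocol, the TLS SNI, the JA3 fingerprints and the flow risk into "[key: value]" fields, which makes it easy to post-process. The parser below is an added example (not part of nDPI) that splits such a line into a dict and returns the reasons a flow deserves attention; the sample line is a constructed, shortened copy of the output shown here.

```python
"""Parse a verbose ndpiReader (-v 2) flow line and triage it."""
import re

# Constructed sample, shortened from the output shown in the post.
FLOW_LINE = (
    "1 TCP 192.168.1.102:51293 <-> 20.140.0.1:443 "
    "[proto: 91.255/TLS.APT.Backdoor.MSIL.SUNBURST][cat: Web/5]"
    "[Risk: ** Self-signed Certificate **][TLSv1.2][Client: avsvmcloud.com]"
    "[JA3C: 2a26b1a62e40d25d4de3babc9d532f30][Issuer: CN=localhost]"
)

FIELD_RE = re.compile(r"\[([^\[\]]*)\]")
# Optional flow index, L4 protocol, then src:port <-> dst:port.
HEAD_RE = re.compile(r"^(?:\d+\s+)?(\w+)\s+(\S+):(\d+)\s+<->\s+(\S+):(\d+)")


def parse_flow(line: str) -> dict:
    """Return the 5-tuple plus every [key: value] field.
    Bare fields such as [TLSv1.2] are collected under 'flags'."""
    head = HEAD_RE.match(line)
    if not head:
        raise ValueError("not an ndpiReader flow line")
    l4, src, sport, dst, dport = head.groups()
    flow = {"l4": l4, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "flags": []}
    for field in FIELD_RE.findall(line):
        key, sep, value = field.partition(": ")
        if sep:
            flow[key] = value.strip()
        else:
            flow["flags"].append(field)
    return flow


def triage(flow: dict) -> list:
    """Reasons an analyst should look at this flow (empty list if none)."""
    reasons = []
    proto = flow.get("proto", "")
    if "SUNBURST" in proto:
        # proto looks like "91.255/TLS.APT...": keep the name after the ids
        reasons.append("matched custom protocol " + proto.split("/", 1)[1])
    if "Self-signed" in flow.get("Risk", ""):
        reasons.append("self-signed certificate from " + flow.get("Issuer", "?"))
    return reasons


if __name__ == "__main__":
    f = parse_flow(FLOW_LINE)
    print(f["Client"], f["JA3C"], triage(f))
```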

You can now use the same technique in other tools such as ntopng, as shown below:

ntopng -p sunburst.protos -i ~/avsvmcloud.com.pcap

Then, within ntopng, you need to tell it that SUNBURST is malware by binding it to the Malware category (via Settings -> Applications and Categories).


ntopng detected it as malware

The alert is then triggered.

It can be forwarded to external applications, messaging apps, ElasticSearch, or SecurityOnion via the endpoint/recipient mechanism.

If you want not only to detect but also to block it, simply use ntopng Edge (essentially ntopng inline).

Original Declaration: This article is authorized by the author for Tencent Cloud Developer Community publication, with no reprints allowed without permission.
