Detecting Brazilian Banking Trojans with Snort http_inspect

If you take a look at malware samples down here in Brazil, probably in most of Latin America they target bank users (something around 95% of Brazilian malware is banking trojans).
In Brazil, they arget most the common banks such as: Itaú, Bradesco, Caixa Economica Federal, Santander as well as some services as Serasa. It is common for them to use a Proxy Auto Configuration file also known as PAC files.

Here we can see a PAC file sample for a Brazilian banking trojan:

Pac
As we can see they don't want to redirect all traffic to their proxies, only those where they want to steal some information or money.

So how Snort will detect this?


VRT and ET have LOT of rules to detect Trojans/malware but to be honest I'm not the guy that loves signatures (I work with that and I know that's is IMPORTANT) but I'm always looking new ways to detect malicious activities without blacklisting only based on behavior (I've some talks and discussed new ideas such as pdfscore and http header hunter).

I was playing with lot of Snort options and thinking about how to improve detection using snort preprocessor since they are VERY powerful. I had a new idea with an old option: http_inspect proxy_alert.

Some folks who are new to Snort probably never used this option or have no idea that it exist since it's disabled by default. From Snort manual we have:

proxy_alert
This enables global alerting on HTTP server proxy usage. By configuring HTTP Inspect servers and enabling allow proxy use, you will only receive proxy use alerts for web users that aren't using the configured proxies or are using a rogue proxy server. Please note that if users aren't required to configure web proxy use, then you may get a lot of proxy alerts. So, please only use this feature with traditional proxy environments. Blind firewall proxies don't count.

There is an important part of this feature description:

Please note that if users aren't required to configure web proxy use, then you may get a lot of proxy alerts.

Here is the trick to mitigate false-positives in non-traditional proxy environments.

First let's understand the alert generation:

[**] [119:17:1] (http_inspect) UNAUTHORIZED PROXY USE DETECTED [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
03/06-13:12:47.961755 192.168.201.139:52751 187.109.XXX.XX:80
TCP TTL:64 TOS:0x0 ID:45017 IpLen:20 DgmLen:369 DF
***AP*** Seq: 0x75796FC9 Ack: 0xF6FEFADD Win: 0x3908 TcpLen: 20

We have 3 important pieces of information here:

- Alert GID:SID
- IP Source
- IP Destination

Suppression

Here we could suppress alert sid/gid for all source and destination you are sure its trust proxy . Not sure where could be more powerfull and improve performance but at this moment I have no time for more tests.

Imagine you have a proxy at IP 10.0.0.10

suppress gen_id 119, sig_id 17, track by_dst, ip 10.0.0.10

Note: Beside suppresion you could decrease number of alerts using event_filter for that .

Another way is to create a whitelist for Snort reputation preprocessor with your proxies IPs list . Take a look at Snort documentation for more information about this.

Now as PoC, let's imagine I have been infected by the malware that uses a PAC file. Into my browser I will have:

Proxy

If I request any website not listed it the PAC file it won't get any alert, BUT if I access any bank listed there it will force my browser to use their proxy and I will have an alert like:

Malicious request using proxy
13:30:45.583669 IP 192.168.201.139.55901 > 187.109.161.xxx.xx: Flags [P.], seq 173098222:173098553, ack 3064214781, win 14600, length 331
E..s..@.@........m...].P
QD...4.P.9.w... GET http://www.bradesco.com.br/ HTTP/1.1
Host: www.bradesco.com.br
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive

Here the fake Bradesco page. Pretty similar, no?

Fakepage

Try to type http://www.bradesco.com.br/brasil/ and see if it exists =)

Conclusions:

  • Take care using this since could generate False-Positives
  • I'd suggest you to have an exclusive Snort for those testing and if possible for an internal segment kinda of "Snort for malware" since it will probably decrease performance a little when enable. Since 40% of Brazilian malware use this type of action that totally value.
  • Understanding it will help you to mitigate false positives but remember that it's important to retest always since you could add something that all traffic will not generate alerts.
  • Keep using signatures from different sources

Happy Snorting!

Rodrigo "Sp0oKeR" Montoro

@spookerlabs

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.