Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Detecting Brazilian Banking Trojans with Snort http_inspect

If you take a look at malware samples down here in Brazil, probably in most of Latin America they target bank users (something around 95% of Brazilian malware is banking trojans).
 
In Brazil, they arget most the common banks such as: Itaú, Bradesco, Caixa Economica Federal, Santander as well as some services as Serasa. It is common for them to use a Proxy Auto Configuration file also known as PAC files.

Here we can see a PAC file sample for a Brazilian banking trojan:

BSL_11768_c8ee3229-00ec-4480-b6f3-3609d465cc77
As we can see they don't want to redirect all traffic to their proxies, only those where they want to steal some information or money.

So how Snort will detect this?


VRT and ET have LOT of rules to detect Trojans/malware but to be honest I'm not the guy that loves signatures (I work with that and I know that's is IMPORTANT) but I'm always looking new ways to detect malicious activities without blacklisting only based on behavior (I've some talks and discussed new ideas such as pdfscore and http header hunter).

I was playing with lot of Snort options and thinking about how to improve detection using snort preprocessor since they are VERY powerful. I had a new idea with an old option: http_inspect proxy_alert.

Some folks who are new to Snort probably never used this option or have no idea that it exist since it's disabled by default. From Snort manual we have:

proxy_alert
This enables global alerting on HTTP server proxy usage. By configuring HTTP Inspect servers and enabling allow proxy use, you will only receive proxy use alerts for web users that aren't using the configured proxies or are using a rogue proxy server. Please note that if users aren't required to configure web proxy use, then you may get a lot of proxy alerts. So, please only use this feature with traditional proxy environments. Blind firewall proxies don't count.

There is an important part of this feature description:

Please note that if users aren't required to configure web proxy use, then you may get a lot of proxy alerts.

Here is the trick to mitigate false-positives in non-traditional proxy environments.

First let's understand the alert generation:

[**] [119:17:1] (http_inspect) UNAUTHORIZED PROXY USE DETECTED [**]
[Classification: Generic Protocol Command Decode] [Priority: 3]
03/06-13:12:47.961755 192.168.201.139:52751 187.109.XXX.XX:80
TCP TTL:64 TOS:0x0 ID:45017 IpLen:20 DgmLen:369 DF
***AP*** Seq: 0x75796FC9 Ack: 0xF6FEFADD Win: 0x3908 TcpLen: 20

We have 3 important pieces of information here:

- Alert GID:SID
- IP Source
- IP Destination

Suppression

Here we could suppress alert sid/gid for all source and destination you are sure its trust proxy . Not sure where could be more powerfull and improve performance but at this moment I have no time for more tests.

Imagine you have a proxy at IP 10.0.0.10

suppress gen_id 119, sig_id 17, track by_dst, ip 10.0.0.10

Note: Beside suppresion you could decrease number of alerts using event_filter for that .

Another way is to create a whitelist for Snort reputation preprocessor with your proxies IPs list . Take a look at Snort documentation for more information about this.

Now as PoC, let's imagine I have been infected by the malware that uses a PAC file. Into my browser I will have:

7776_08441060-5a36-44d2-a452-bd559722fde0

If I request any website not listed it the PAC file it won't get any alert, BUT if I access any bank listed there it will force my browser to use their proxy and I will have an alert like:

Malicious request using proxy
13:30:45.583669 IP 192.168.201.139.55901 > 187.109.161.xxx.xx: Flags [P.], seq 173098222:173098553, ack 3064214781, win 14600, length 331
E..s..@.@........m...].P
QD...4.P.9.w... GET http://www.bradesco.com.br/ HTTP/1.1
Host: www.bradesco.com.br
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive

Here the fake Bradesco page. Pretty similar, no?

8393_2756bf33-2ac6-4f61-926f-fe2c23b7e92e

Try to type http://www.bradesco.com.br/brasil/ and see if it exists =)

Conclusions:

  • Take care using this since could generate False-Positives
  • I'd suggest you to have an exclusive Snort for those testing and if possible for an internal segment kinda of "Snort for malware" since it will probably decrease performance a little when enable. Since 40% of Brazilian malware use this type of action that totally value.
  • Understanding it will help you to mitigate false positives but remember that it's important to retest always since you could add something that all traffic will not generate alerts.
  • Keep using signatures from different sources

Happy Snorting!

Rodrigo "Sp0oKeR" Montoro

@spookerlabs

Latest SpiderLabs Blogs

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More