Our CERT has issued an advisory warning about a new type of trojan. The CERT folks cannot provide many details about the malware at this point. However, to find compromised systems, they recommend watching for hosts which perform the following steps in the given order:

  1. There is an incoming SSH connection to port 2222.

  2. The host requests a file called download.html from a Web server.

  3. The host initiates two FTP sessions to (potentially different) FTP hosts, requesting one file from each of them. From the first server, a Windows executable is downloaded. From the second one, a ZIP archive is downloaded.

  4. The host joins an IRC channel on some IRC server.

Write a Bro script which monitors all internal hosts for such activity and reports when it detects a host doing all of these steps in the correct order.

Run your script on the trace fingerprint.pcap and validate the results. Assume that all hosts in 192.168.0.0/16 are internal and all others are external.

Solution

The complete script is in fingerprint.bro.
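As an added illustration (not the exercise's own fingerprint.bro), the following Bro 2.x script keeps a per-host stage counter that only advances when the steps arrive in the required order. It assumes the Files framework's `file_sniff` event and the libmagic-style MIME labels `application/x-dosexec` and `application/zip` for identifying the two FTP downloads, and that FTP data transfers carry the source tag `FTP_DATA`; the module and notice names are my own.

```bro
# Added example, not the exercise solution. Bro 2.x syntax assumed.
module Fingerprint;

export {
    redef enum Notice::Type += { Trojan_Fingerprint };
}

# Per the exercise, 192.168.0.0/16 is internal; everything else is external.
redef Site::local_nets += { 192.168.0.0/16 };

# Stage per internal host: 0 = nothing, 1 = SSH to 2222 seen, 2 = download.html
# fetched, 3 = Windows executable via FTP, 4 = ZIP via FTP; IRC JOIN completes it.
# Entries expire after an hour of silence so stale hosts do not accumulate.
global stage: table[addr] of count &default=0 &write_expire=1hr;

# Advance a host's stage only if it is internal and exactly at the expected stage.
function advance(h: addr, from: count, to: count)
    {
    if ( Site::is_local_addr(h) && stage[h] == from )
        stage[h] = to;
    }

# Step 1: an external host opens a connection to port 2222 on an internal host.
event connection_established(c: connection)
    {
    if ( c$id$resp_p == 2222/tcp && ! Site::is_local_addr(c$id$orig_h) )
        advance(c$id$resp_h, 0, 1);
    }

# Step 2: the internal host requests download.html from a Web server.
event http_request(c: connection, method: string, original_URI: string,
                   unescaped_URI: string, version: string)
    {
    if ( /download\.html$/ in unescaped_URI )
        advance(c$id$orig_h, 1, 2);
    }

# Step 3: EXE first, ZIP second, each over an FTP data connection. The client may
# be orig (passive mode) or resp (active mode), so pick the local endpoint.
event file_sniff(f: fa_file, meta: fa_metadata)
    {
    if ( f$source != "FTP_DATA" || ! meta?$mime_type || ! f?$conns )
        return;
    for ( cid in f$conns )
        {
        local h = Site::is_local_addr(cid$orig_h) ? cid$orig_h : cid$resp_h;
        if ( meta$mime_type == "application/x-dosexec" )
            advance(h, 2, 3);
        else if ( meta$mime_type == "application/zip" )
            advance(h, 3, 4);
        }
    }

# Step 4: the host joins an IRC channel; raise a notice and reset its state.
event irc_join_message(c: connection, is_orig: bool, info_list: irc_join_list)
    {
    if ( is_orig && stage[c$id$orig_h] == 4 )
        {
        NOTICE([$note=Trojan_Fingerprint, $conn=c,
                $msg=fmt("%s completed the trojan fingerprint sequence", c$id$orig_h)]);
        delete stage[c$id$orig_h];
        }
    }
```

Run it with `bro -r fingerprint.pcap` and check notice.log; a host that performs the steps out of order never reaches stage 4 and is not reported.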