Skip to content

Latest commit

 

History

History
51 lines (34 loc) · 1.63 KB

README.md

File metadata and controls

51 lines (34 loc) · 1.63 KB

Suricata rules to detect Winnti communication

This ruleset enables Suricata to detect the handshake of certain Winnti variants as seen in the wild in 2016/2017.

Winnti

Winnti is a malware that is used by some APT groups.

It has been used since at least 2013 and has evolved over time. You can find some information here

Handshake

The driver component of Winnti (aka "NdisReroute") is able to reroute network traffic from ports that are already occupied by legit applications to the malware's userspace component.

The first packet of a TCP stream signals the driver that the stream shall be rerouted. I call such a packet a "Winnti HELO". It is exactly 16 bytes long and the bytes match the following relation:

Winnti handshake Example:

    dw0           dw1           dw2             dw3
5B 44 B4 91   xx xx xx xx   31 18 30 59   [84 C8] {6A 5C}

5B 44 B4 91       ==        31 18 30 59 ^ {6A 5C} [84 C8]
  • dw0 calculated from dw2 and dw3
  • dw1 random but not zero. Only seen timestamps in here but any value works.
  • dw2 random but not zero
  • dw3 random but not zero

Installation

Copy the rules and lua files to your suricata rules directory

cp winnti.lua   /etc/suricata/rules/
cp winnti.rules /etc/suricata/rules/

activate the rules by adding them to suricata.yaml

[...]
rule-files:
 - winnti.rules
[...]