[Oisf-devel] SMTP MIME-decoder lower-cases URLs

Chris Wakelin c.d.wakelin at reading.ac.uk
Fri Jan 16 19:21:20 UTC 2015


Hi,

I've been trying out the new SMTP decoder options in Suricata dev. It's
doing very useful work extracting metadata and URIs from e-mail messages
floating past, but unfortunately it's set to lower-case the latter which
has led to me wasting some time when trying to analyse some of the
recent Upatre (-> Dyre banking trojan) links in e-mails (that are
otherwise hard to spot).

Is there a good reason for this behaviour?

The relevant code in src/util-decode-mime.c

>                 /* Copy over to temp URL while decoding */
>                 tempUrlLen = 0;
>                 for (i = 0; i < tokLen && tok[i] != 0; i++) {
> 
>                     // URL decoding would probably go here
> 
>                     /* url is all lowercase */
>                     tempUrl[tempUrlLen] = tolower(tok[i]);
>                     tempUrlLen++;
>                 }
> 
>                 /* Determine if URL points to an EXE */
>                 if (IsExeUrl(tempUrl, tempUrlLen)) {

suggests it is deliberate!

Best Wishes,
Chris

Typical eve.json entry (anonymised/defanged a bit):

{"timestamp":"2015-01-16T13:37:20.039040",
"flow_id":9690432896,"in_iface":"zc:1 at 12","event_type":"smtp",
"src_ip":"213.199.154.77","src_port":6324,
"dest_ip":"134.225.1.90","dest_port":25,"proto":"TCP",
"smtp":{"from":"<donotreply at iloydsbank[.]co[.]uk>",
"to":["<someone at reading.ac.uk>"],
"subject":"Important information about your account",
"url":["mail.itpix.org/hxxp://nexttopmodelinternational[.]com/lloyds_bank_notification/cservices.html",
"www.lloydsbank.com/media/lloydsbank/promotional_images/nick-williams-signature.gif",
"nexttopmodelinternational.com/lloyds_bank_notification/cservices.html",
"www.lloydsbank.com/media/lloydsbank/common/application_emails/ltsb-horiz.gif",
"www.lloydsbank.com/media/lloydsbank/common/application_emails/spacer.gif"]}}

The malicious URLs actually had "/LLOYDS_BANK_NOTIFICATION/" in them.

Best Wishes,
Chris

P.S. This was running git master as of 14th January - I've just upgraded
to yesterday's :-)

-- 
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 2908
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
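A case-preserving variant of the copy loop quoted in the message, added here as an example and not code from Suricata or from the poster: the extracted URL is stored byte-for-byte for logging (so "/LLOYDS_BANK_NOTIFICATION/" survives), and only the executable check is done case-insensitively. `url_has_exe_suffix` is a hypothetical stand-in for `IsExeUrl` with a constructed suffix list; `extract_url` and `demo_case_preserved` are likewise hypothetical names.

```c
#include <ctype.h>
#include <string.h>

/* Hypothetical stand-in for IsExeUrl(): the final extension is compared
 * case-insensitively against a constructed suffix list, so the stored
 * URL itself no longer needs to be lower-cased to be checked. */
int url_has_exe_suffix(const char *url, size_t len)
{
    static const char *suffixes[] = { ".exe", ".scr", ".pif" };
    size_t end = len, i, j;
    /* ignore any query string or fragment: "Setup.EXE?id=1" still counts */
    for (i = 0; i < len; i++) {
        if (url[i] == '?' || url[i] == '#') { end = i; break; }
    }
    for (i = 0; i < sizeof suffixes / sizeof suffixes[0]; i++) {
        size_t slen = strlen(suffixes[i]);
        if (end < slen) continue;
        for (j = 0; j < slen; j++)
            if (tolower((unsigned char)url[end - slen + j]) != suffixes[i][j])
                break;
        if (j == slen) return 1;
    }
    return 0;
}

/* Copy the token into out byte-for-byte (case preserved), bounded by outcap,
 * NUL-terminate it and set *is_exe. Returns the number of bytes copied. */
size_t extract_url(const char *tok, size_t tokLen, char *out, size_t outcap, int *is_exe)
{
    size_t n = 0;
    while (n < tokLen && n + 1 < outcap && tok[n] != '\0') {
        out[n] = tok[n];
        n++;
    }
    out[n] = '\0';
    *is_exe = url_has_exe_suffix(out, n);
    return n;
}

/* Constructed token in the style of the post (mixed-case path plus an
 * executable name). Returns 1 when the case survives and the EXE check fires. */
int demo_case_preserved(void)
{
    const char tok[] = "nexttopmodelinternational.com/LLOYDS_BANK_NOTIFICATION/Update.EXE";
    char out[256];
    int exe = 0;
    size_t n = extract_url(tok, sizeof tok - 1, out, sizeof out, &exe);
    return n == sizeof tok - 1 && exe == 1 && strcmp(out, tok) == 0;
}
```

With this split, a rule or analyst can still match the lower-cased form by normalising at comparison time, while the eve.json record keeps the case the attacker actually used.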