mavam/miniduke.bro

## miniduke.bro
@load base/frameworks/notice

module Malware;

export {
  redef enum Notice::Type += {
    ## Miniduke C&C activity.
    Miniduke_CC_Activity
  };
}

redef record HTTP::Info += {
  miniduke: string &optional;
};

function report(c: connection, uri: string)
  {
    local param = split1(uri, /=/)[2];
    local payload = decode_base64(gsub(gsub(param, /-/, "+"), /_/, "/"));
    NOTICE([$note=Miniduke_CC_Activity,
           $msg=fmt("Miniduke C&C activity: %s", payload),
           $conn=c]);
  }

event http_request(c: connection, method: string, original_URI: string,
    unescaped_URI: string, version: string)
  {
    if ( /index\.php\?[[:alnum:]]+=([=-_]|[[:alnum:]])+/ in unescaped_URI )
      c$http$miniduke = unescaped_URI;
  }

event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
  {
    if ( is_orig || ! c$http?$miniduke || /image\/gif/ !in c$http$mime_type )
      return;
    report(c, c$http$miniduke);
    delete c$http$miniduke;
  }
	@load base/frameworks/notice

	module Malware;

	export {
	redef enum Notice::Type += {
	## Miniduke C&C activity.
	Miniduke_CC_Activity
	};
	}

	redef record HTTP::Info += {
	miniduke: string &optional;
	};

	function report(c: connection, uri: string)
	{
	local param = split1(uri, /=/)[2];
	local payload = decode_base64(gsub(gsub(param, /-/, "+"), /_/, "/"));
	NOTICE([$note=Miniduke_CC_Activity,
	$msg=fmt("Miniduke C&C activity: %s", payload),
	$conn=c]);
	}

	event http_request(c: connection, method: string, original_URI: string,
	unescaped_URI: string, version: string)
	{
	if ( /index\.php\?[[:alnum:]]+=([=-_]\|[[:alnum:]])+/ in unescaped_URI )
	c$http$miniduke = unescaped_URI;
	}

	event http_message_done(c: connection, is_orig: bool, stat: http_message_stat)
	{
	if ( is_orig \|\| ! c$http?$miniduke \|\| /image\/gif/ !in c$http$mime_type )
	return;
	report(c, c$http$miniduke);
	delete c$http$miniduke;
	}