Pane 1: RINO::Client documentation
==============BEGIN=====================
NAME
    RINO::Client - Perl extension for parsing and handling RINO data

SYNOPSIS
    # using the command line client
    $ rino -h
    $ rino -f /tmp/rino.xml -p table
    $ rino -f /tmp/rino.xml -p csv
    $ cat /tmp/rino.xml | rino -p json

    # using the lib
    use RINO::Client;

    # read the IODEF document from STDIN
    my @input;
    while(<STDIN>){ push(@input,$_); }
    my $iodef_xml = join("",@input);

    my $rino = RINO::Client->new(iodef => $iodef_xml);
    print $rino->write_out('table');
    print $rino->write_out('csv');
    print $rino->write_out('json');

    # flat list of per-event records, or the full nested document
    my $simple_hash  = $rino->to_simple();
    my $complex_hash = $rino->to_hash();

SEE ALSO
    http://tools.ietf.org/html/rfc5070
    http://www.ren-isac.net/notifications/using_iodef.html
    http://code.google.com/p/collective-intelligence-framework/
    XML::IODEF

AUTHOR
    Wes Young, Doug Pearson

COPYRIGHT AND LICENSE
    Copyright (C) 2011 by Wes Young
    Copyright (C) 2011 by Doug Pearson
    Copyright (C) 2010 REN-ISAC and The Trustees of Indiana University

    This library is free software; you can redistribute it and/or modify
    it under the same terms as Perl itself, either Perl version 5.10.0 or,
    at your option, any later version of Perl 5 you may have available.
===============END======================

Pane 2: 'rino' script 'table' output
==============BEGIN=====================
IncidentID|Description|Address      |DetectTime          |Port |Destination |AdditionalData                                          |
2         |Torpig     |10.12.103.135|2011-06-05T12:45:49Z| 1386|192.168.7.18|                                                        |
2         |Torpig     |10.12.103.135|2011-06-05T13:27:32Z| 1046|192.168.7.18|                                                        |
1         |Torpig     |10.11.212.5  |2011-06-05T01:51:26Z|46200|192.168.7.18|                                                        |
1         |Torpig     |10.11.212.5  |2011-06-05T01:51:59Z|46155|192.168.7.18|                                                        |
1         |Torpig     |10.11.212.5  |2011-06-06T00:11:54Z|40062|192.168.3.4 |                                                        |
1         |Torpig     |10.11.212.5  |2011-06-06T00:12:28Z|48170|192.168.3.4 |{ "comment":"just for illustration of additional data" }|
===============END======================

Pane 3: 'rino' script 'csv' output
==============BEGIN=====================
IncidentID,Description,Address,DetectTime,Port,Destination,AdditionalData
2,Torpig,10.12.103.135,2011-06-05T12:45:49Z,1386,192.168.7.18,
2,Torpig,10.12.103.135,2011-06-05T13:27:32Z,1046,192.168.7.18,
1,Torpig,10.11.212.5,2011-06-05T01:51:26Z,46200,192.168.7.18,
1,Torpig,10.11.212.5,2011-06-05T01:51:59Z,46155,192.168.7.18,
1,Torpig,10.11.212.5,2011-06-06T00:11:54Z,40062,192.168.3.4,
1,Torpig,10.11.212.5,2011-06-06T00:12:28Z,48170,192.168.3.4,"{ ""comment"":""just for illustration of additional data"" }"
===============END======================

Pane 4: 'rino' script 'json' output
==============BEGIN=====================
[
  {
    "DetectTime":"2011-06-05T12:45:49Z",
    "Address":"10.12.103.135",
    "Destination":"192.168.7.18",
    "Port":"1386",
    "AdditionalData":null,
    "Description":"Torpig",
    "IncidentID":"2"
  },
  {
    "DetectTime":"2011-06-05T13:27:32Z",
    "Address":"10.12.103.135",
    "Destination":"192.168.7.18",
    "Port":"1046",
    "AdditionalData":null,
    "Description":"Torpig",
    "IncidentID":"2"
  },
  {
    "DetectTime":"2011-06-05T01:51:26Z",
    "Address":"10.11.212.5",
    "Destination":"192.168.7.18",
    "Port":"46200",
    "AdditionalData":null,
    "Description":"Torpig",
    "IncidentID":"1"
  },
  {
    "DetectTime":"2011-06-05T01:51:59Z",
    "Address":"10.11.212.5",
    "Destination":"192.168.7.18",
    "Port":"46155",
    "AdditionalData":null,
    "Description":"Torpig",
    "IncidentID":"1"
  },
  {
    "DetectTime":"2011-06-06T00:11:54Z",
    "Address":"10.11.212.5",
    "Destination":"192.168.3.4",
    "Port":"40062",
    "AdditionalData":null,
    "Description":"Torpig",
    "IncidentID":"1"
  },
  {
    "DetectTime":"2011-06-06T00:12:28Z",
    "Address":"10.11.212.5",
    "Destination":"192.168.3.4",
    "Port":"48170",
    "AdditionalData":{"comment":"just for illustration of additional data"},
    "Description":"Torpig",
    "IncidentID":"1"
  }
]
===============END======================

Pane 5: Data::Dumper 'to_simple' method output
==============BEGIN=====================
$VAR1 = [
  {
    'DetectTime' => '2011-06-05T12:45:49Z',
    'Address' => '10.12.103.135',
    'Destination' => '192.168.7.18',
    'Port' => '1386',
    'AdditionalData' => undef,
    'Description' => 'Torpig',
    'IncidentID' => '2'
  },
  {
    'DetectTime' => '2011-06-05T13:27:32Z',
    'Address' => '10.12.103.135',
    'Destination' => '192.168.7.18',
    'Port' => '1046',
    'AdditionalData' => undef,
    'Description' => 'Torpig',
    'IncidentID' => '2'
  },
  {
    'DetectTime' => '2011-06-05T01:51:26Z',
    'Address' => '10.11.212.5',
    'Destination' => '192.168.7.18',
    'Port' => '46200',
    'AdditionalData' => undef,
    'Description' => 'Torpig',
    'IncidentID' => '1'
  },
  {
    'DetectTime' => '2011-06-05T01:51:59Z',
    'Address' => '10.11.212.5',
    'Destination' => '192.168.7.18',
    'Port' => '46155',
    'AdditionalData' => undef,
    'Description' => 'Torpig',
    'IncidentID' => '1'
  },
  {
    'DetectTime' => '2011-06-06T00:11:54Z',
    'Address' => '10.11.212.5',
    'Destination' => '192.168.3.4',
    'Port' => '40062',
    'AdditionalData' => undef,
    'Description' => 'Torpig',
    'IncidentID' => '1'
  },
  {
    'DetectTime' => '2011-06-06T00:12:28Z',
    'Address' => '10.11.212.5',
    'Destination' => '192.168.3.4',
    'Port' => '48170',
    'AdditionalData' => '{ "comment":"just for illustration of additional data" }',
    'Description' => 'Torpig',
    'IncidentID' => '1'
  }
];
===============END======================

Pane 6: Data::Dumper of 'to_hash' method output
==============BEGIN=====================
$VAR1 = {
  'xmlns:xsi' => 'http://www.w3.org/2001/XMLSchema-instance',
  'version' => '1.0',
  'Incident' => [
    {
      'Contact' => {
        'ContactName' => 'REN-ISAC',
        'Email' => 'soc@ren-isac.net',
        'role' => 'creator',
        'Telephone' => '+1 317 274 7228'
      },
      'Assessment' => {
        'Impact' => { 'type' => 'unknown' },
        'Confidence' => { 'rating' => 'high' }
      },
      'purpose' => 'mitigation',
      'EventData' => [
        {
          'Flow' => {
            'System' => {
              'Node' => {
                'Address' => { 'content' => '10.12.103.135', 'category' => 'ipv4-addr' }
              },
              'category' => 'source',
              'Service' => { 'Port' => '1386' }
            }
          },
          'DetectTime' => '2011-06-05T12:45:49Z',
          'AdditionalData' => {
            'dtype' => 'ext-value',
            'ext-dtype' => 'ipv4-addr',
            'content' => '192.168.7.18',
            'meaning' => 'destination address'
          }
        },
        {
          'Flow' => {
            'System' => {
              'Node' => {
                'Address' => { 'content' => '10.12.103.135', 'category' => 'ipv4-addr' }
              },
              'category' => 'source',
              'Service' => { 'Port' => '1046' }
            }
          },
          'DetectTime' => '2011-06-05T13:27:32Z',
          'AdditionalData' => {
            'dtype' => 'ext-value',
            'ext-dtype' => 'ipv4-addr',
            'content' => '192.168.7.18',
            'meaning' => 'destination address'
          }
        }
      ],
      'Description' => 'Torpig',
      'IncidentID' => { 'content' => '2', 'name' => 'www.ren-isac.net' }
    },
    {
      'Contact' => {
        'ContactName' => 'REN-ISAC',
        'Email' => 'soc@ren-isac.net',
        'role' => 'creator',
        'Telephone' => '+1 317 274 7228'
      },
      'Assessment' => {
        'Impact' => { 'type' => 'unknown' },
        'Confidence' => { 'rating' => 'high' }
      },
      'purpose' => 'mitigation',
      'EventData' => [
        {
          'Flow' => {
            'System' => {
              'Node' => {
                'Address' => { 'content' => '10.11.212.5', 'category' => 'ipv4-addr' }
              },
              'category' => 'source',
              'Service' => { 'Port' => '46200' }
            }
          },
          'DetectTime' => '2011-06-05T01:51:26Z',
          'AdditionalData' => {
            'dtype' => 'ext-value',
            'ext-dtype' => 'ipv4-addr',
            'content' => '192.168.7.18',
            'meaning' => 'destination address'
          }
        },
        {
          'Flow' => {
            'System' => {
              'Node' => {
                'Address' => { 'content' => '10.11.212.5', 'category' => 'ipv4-addr' }
              },
              'category' => 'source',
              'Service' => { 'Port' => '46155' }
            }
          },
          'DetectTime' => '2011-06-05T01:51:59Z',
          'AdditionalData' => {
            'dtype' => 'ext-value',
            'ext-dtype' => 'ipv4-addr',
            'content' => '192.168.7.18',
            'meaning' => 'destination address'
          }
        },
        {
          'Flow' => {
            'System' => {
              'Node' => {
                'Address' => { 'content' => '10.11.212.5', 'category' => 'ipv4-addr' }
              },
              'category' => 'source',
              'Service' => { 'Port' => '40062' }
            }
          },
          'DetectTime' => '2011-06-06T00:11:54Z',
          'AdditionalData' => {
            'dtype' => 'ext-value',
            'ext-dtype' => 'ipv4-addr',
            'content' => '192.168.3.4',
            'meaning' => 'destination address'
          }
        },
        {
          'Flow' => {
            'System' => {
              'Node' => {
                'Address' => { 'content' => '10.11.212.5', 'category' => 'ipv4-addr' }
              },
              'category' => 'source',
              'Service' => { 'Port' => '48170' }
            }
          },
          'DetectTime' => '2011-06-06T00:12:28Z',
          'AdditionalData' => [
            {
              'dtype' => 'ext-value',
              'ext-dtype' => 'ipv4-addr',
              'content' => '192.168.3.4',
              'meaning' => 'destination address'
            },
            {
              'dtype' => 'ext-value',
              'ext-dtype' => 'string',
              'content' => 'just for illustration of additional data',
              'meaning' => 'comment'
            }
          ]
        }
      ],
      'Description' => 'Torpig',
      'IncidentID' => { 'content' => '1', 'name' => 'www.ren-isac.net' }
    }
  ],
  'xsi:schemaLocation' => 'urn:ietf:params:xmls:schema:iodef-1.0'
};
===============END======================

Pane 7: IODEF source
==============BEGIN=====================
2 Torpig REN-ISACsoc@ren-isac.net+1 317 274 7228 2011-06-05T12:45:49Z
10.12.103.135
1386
192.168.7.18
2011-06-05T13:27:32Z
10.12.103.135
1046
192.168.7.18
1 Torpig REN-ISACsoc@ren-isac.net+1 317 274 7228 2011-06-05T01:51:26Z
10.11.212.5
46200
192.168.7.18
2011-06-05T01:51:59Z
10.11.212.5
46155
192.168.7.18
2011-06-06T00:11:54Z
10.11.212.5
40062
192.168.3.4
2011-06-06T00:12:28Z
10.11.212.5
48170
192.168.3.4 just for illustration of additional data
===============END======================

Pane 8: E-Mail Notification
==============BEGIN=====================
Greetings,

The following host(s) have been identified as likely compromised with the
Trojan Torpig.

| Inc # | description | address       | timestamp in UTC     | s-prt | dest-addr    |
+-------+-------------+---------------+----------------------+-------+--------------+
| 1     | Torpig      | 10.11.212.5   | 2011-06-03T00:12:28Z | 48170 | 192.168.3.4  |
| 1     | Torpig      | 10.11.212.5   | 2011-06-03T00:11:54Z | 40062 | 192.168.3.4  |
| 1     | Torpig      | 10.11.212.5   | 2011-06-02T01:51:59Z | 46155 | 192.168.7.18 |
| 1     | Torpig      | 10.11.212.5   | 2011-06-02T01:51:26Z | 46200 | 192.168.7.18 |
| 2     | Torpig      | 10.12.103.135 | 2011-06-02T13:27:32Z | 1046  | 192.168.7.18 |
| 2     | Torpig      | 10.12.103.135 | 2011-06-02T12:45:49Z | 1386  | 192.168.7.18 |
+-------+-------------+---------------+----------------------+-------+--------------+

key: s-prt = source port; prtcl = protocol; dest-addr = destination address;
     d-prt = destination port

All the data that we have for each observation is provided. If data such as
source port, destination address, etc, is not provided, then we don't have
that data. We may have additional observations collected during the reporting
period, value depending on multiple factors (NATing, source port availability,
etc.)

If you feel you've received this report in error, please let us know.

Additional information regarding Torpig is provided below.

In order for the REN-ISAC to learn how we can best aid the education community
with network security matters we'd greatly appreciate hearing back from you
regarding action on this incident and how, if at all, this information proved
useful.

Research and Education Networking ISAC
24x7 Watch Desk: +1(317)274-7228, soc@ren-isac.net
http://www.ren-isac.net

---------------
Regarding Torpig:

Torpig (aka Anserin) is a Trojan that logs keystrokes and steals information
entered into certain banking Web sites.

Torpig is often dropped as the malicious payload of the Trojan Mebroot[1], a
Trojan that modifies the Master Boot Record (MBR) and uses sophisticated
rootkit techniques to hide its presence. If Torpig is detected and removed, it
is important to also check a system for the presence of Mebroot as it is
capable of re-infecting hosts with Torpig when the host boots.

Torpig
http://www.symantec.com/security_response/writeup.jsp?docid=2005-112315-0608-99

[1] Mebroot
http://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99

----------------
Attachment:

The incident data presented above is also provided in IODEF format in the
attached file. If you have questions about using the IODEF-formatted data in
automated processing with your incident tracking system, see:

* http://www.ren-isac.net/notifications/using_iodef.html
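As an added example (not RINO::Client's own code, nor anything from the page), the flattening that turns the nested 'to_hash' structure of Pane 6 into the one-row-per-event 'to_simple' records of Pane 5, reimplemented in Python over a constructed sample. The helper `_event`, the sample itself, and the choice to serialise leftover AdditionalData entries as a JSON object (as the table and csv panes show) are assumptions made here.

```python
import json

def _event(when, src, port, extra=()):
    """Constructed EventData in the nested 'to_hash' shape of Pane 6:
    a lone AdditionalData child is a dict, several become a list."""
    ad = [{"dtype": "ext-value", "ext-dtype": "ipv4-addr",
           "content": "192.168.3.4", "meaning": "destination address"}]
    ad += [{"dtype": "ext-value", "ext-dtype": "string",
            "content": c, "meaning": m} for m, c in extra]
    return {"DetectTime": when,
            "Flow": {"System": {"category": "source",
                                "Node": {"Address": {"content": src, "category": "ipv4-addr"}},
                                "Service": {"Port": port}}},
            "AdditionalData": ad[0] if len(ad) == 1 else ad}

# Constructed sample: incident 1 from the page, its last two events only.
SAMPLE = {"version": "1.0", "Incident": [{
    "IncidentID": {"content": "1", "name": "www.ren-isac.net"},
    "Description": "Torpig",
    "EventData": [
        _event("2011-06-06T00:11:54Z", "10.11.212.5", "40062"),
        _event("2011-06-06T00:12:28Z", "10.11.212.5", "48170",
               extra=[("comment", "just for illustration of additional data")])]}]}
def _as_list(x):
    """Normalise the single-child-is-a-dict convention to a list."""
    return [] if x is None else x if isinstance(x, list) else [x]

def to_simple(doc):
    """Flatten the document into one row per EventData, the shape of Pane 5."""
    rows = []
    for inc in _as_list(doc.get("Incident")):
        for ev in _as_list(inc.get("EventData")):
            system = ev.get("Flow", {}).get("System", {})
            dest, extra = None, {}
            for ad in _as_list(ev.get("AdditionalData")):
                # The destination rides in an ext-value; anything else is kept.
                if ad.get("meaning") == "destination address":
                    dest = ad.get("content")
                else:
                    extra[ad.get("meaning")] = ad.get("content")
            rows.append({
                "IncidentID": inc["IncidentID"]["content"],
                "Description": inc.get("Description"),
                "Address": system.get("Node", {}).get("Address", {}).get("content"),
                "DetectTime": ev.get("DetectTime"),
                "Port": system.get("Service", {}).get("Port"),
                "Destination": dest,
                "AdditionalData": json.dumps(extra) if extra else None})
    return rows
```

The dict-or-list normalisation is the part worth copying: XML-to-hash converters collapse a single child into a hash, so a consumer that assumes a list breaks on exactly the common one-event case.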