[unisog] New Bot variants making rounds

James Riden j.riden at massey.ac.nz
Thu Apr 7 03:38:05 GMT 2005


"Cam Beasley, ISO" <cam at austin.utexas.edu> writes:

> Jason --
> 
> 'RogueIRC' may have come from the following 
> EDUCAUSE posting on 2004-JUL-11:
> 
> http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0407&L=security&P=R5045&I=-3

Think so. I might have sent these to bleeding snort, but couldn't find
the author at the time - apologies for that.

I've also seen things which trigger the following sigs:

alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Virus IRC Trojan Reporting (mssql)"; content:"PRIVMSG"; nocase; content:"mssql"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,www.nitroguard.com/rxbot.html; sid:2001584; rev:1;)

alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Virus IRC Trojan Reporting (file transfer)"; content:"PRIVMSG"; nocase; content:"File transfer complete to IP"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,www.nitroguard.com/rxbot.html; sid:2001585; rev:1;)
 
> Botnets have since evolved, so have our sigs, 
> but these are still somewhat effective.  

Would welcome feedback on the following sig which is in bleeding rules
atm I think, with information gleaned from the page at
http://cert.uni-stuttgart.de/doc/netsec/bots.php :

# nocase/within are content modifiers and cannot follow a pcre; the R flag makes the pcre relative to the PRIVMSG match and ^.{0,80}? keeps the 80-byte window
alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Virus Bot Reporting Scan/Exploit"; content:"PRIVMSG"; nocase; pcre:"/^.{0,80}?(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc)/isR"; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; sid:2001584; rev:2;)

If this is correct, it should cover the other cases.

cheers,
 Jamie
-- 
James Riden / j.riden at massey.ac.nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
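Added example (not code from the post, from Bleeding Snort or from the unisog list): the payload-side logic of the three sigs quoted above, emulated in Python so that each can be run over a few constructed IRC lines and the sids that would fire compared. Only the `content:"PRIVMSG"; nocase;` anchor plus the second pattern within 80 bytes is modelled; the port, flow, tag and classtype constraints are left out, and the sample lines are constructed for the example, not captured traffic.

```python
import re
from typing import List

# Payload-side emulation of the three Bleeding Snort sigs quoted in the post.
# All three share the same first match (content:"PRIVMSG"; nocase;) and require
# a second pattern within 80 bytes after it.  Keys are the sid/rev from the post.
PRIVMSG = re.compile(rb"PRIVMSG", re.IGNORECASE)
WINDOW = 80

RULES = {
    "2001584 rev:1": ("BLEEDING-EDGE Virus IRC Trojan Reporting (mssql)",
                      re.compile(rb"mssql", re.IGNORECASE)),
    "2001585 rev:1": ("BLEEDING-EDGE Virus IRC Trojan Reporting (file transfer)",
                      re.compile(rb"File transfer complete to IP", re.IGNORECASE)),
    # Keyword alternation copied verbatim from the combined sig in the post.
    "2001584 rev:2": ("BLEEDING-EDGE Virus Bot Reporting Scan/Exploit",
                      re.compile(rb"(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|"
                                 rb"lsass|optix|upnp|beagle[12]|mydoom|netdevil|DameWare|"
                                 rb"kuang2|sub7|iis5ssl|wkssvc)", re.IGNORECASE)),
}


def matches_within(payload: bytes, pattern: re.Pattern, window: int = WINDOW) -> bool:
    """Emulate content:"PRIVMSG"; nocase; <pattern>; within:N.

    Snort retries later PRIVMSG occurrences when the relative match fails, so
    every anchor occurrence is tried.  The second pattern must lie entirely
    inside the N bytes that follow the end of the anchor match, which is what
    searching the sliced region guarantees.
    """
    for anchor in PRIVMSG.finditer(payload):
        region = payload[anchor.end():anchor.end() + window]
        if pattern.search(region):
            return True
    return False


def fired_sids(payload: bytes) -> List[str]:
    """Return the sid/rev labels of every emulated rule that fires on the payload."""
    return [sid for sid, (_msg, pat) in RULES.items() if matches_within(payload, pat)]


# Constructed sample lines (not captured traffic): bot-style reports, a benign
# line, a non-PRIVMSG command, and a keyword pushed past the 80-byte window.
SAMPLES = [
    b"PRIVMSG #chan :[SCAN]: Exploited IP: 10.0.0.5 with mssql",
    b"PRIVMSG #chan :[FTP]: File transfer complete to IP: 10.0.0.9",
    b"PRIVMSG #chan :[lsass]: Exploiting IP: 10.0.0.7.",
    b"PRIVMSG #chan :good morning everyone",
    b"NOTICE #chan :mssql exploit",
    b"PRIVMSG " + b"x" * 80 + b"mssql",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(line[:60], "->", fired_sids(line) or "no alert")
```

Running it shows which sig each line trips, and the last sample shows the effect of the 80-byte window: the keyword is present but too far after PRIVMSG, so nothing fires.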