[unisog] New Bot variants making rounds

Tom Fischer Fischer at CERT.Uni-Stuttgart.DE
Thu Apr 7 14:32:32 GMT 2005


Hi,

On Thu, Apr 07, 2005 at 03:38:05PM +1200, James Riden wrote:
> Would welcome feedback on the following sig which is in bleeding rules
> atm I think, with information gleaned from the page at
> http://cert.uni-stuttgart.de/doc/netsec/bots.php :
> alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Virus Bot Reporting Scan/Exploit"; content:"PRIVMSG"; nocase; pcre:"/(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc)/i"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; sid:2001584; rev:2;) 
> If this is correct, it should cover the other cases.

this one is incorrect (not necessarily PRIVMSGs, and wrong direction ;)

Up to date bleedingsnort excerpt [1]:

#From Tomfi
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN potential update/download IRC Bot command"; pcre:"/((upda|getfile|dl|download) http\://|http\.(execute|download|update)|ftp\.(execute|download|update))/i"; flow:established; classtype:trojan-activity; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.honeynet.org/papers/bots/; sid:2001786; rev:4;)

alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN IRC Bot scan/exploit command"; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|!scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup))/i"; flow:established; classtype:trojan-activity; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.honeynet.org/papers/bots/; sid:2001787; rev:7;)

alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN IRC Bot DDoS command"; pcre:"/(floodnet ([0-9]{1,3}\.){3}[0-9]{1,3}|ddos\.(httpflood|phat(icmp|syn|wonk)|stop|(syn|udp)flood|targa3)|(syn|udp) ([0-9]{1,3}\.){3}[0-9]{1,3}|(tcp|syn|udp|ack|ping|icmp)(flood)? ([0-9]{1,3}\.){3}[0-9]{1,3}|ddos\.(syn|ack|random) ([0-9]{1,3}\.){3}[0-9]{1,3})/i"; flow:established; classtype:trojan-activity; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.honeynet.org/papers/bots/; sid:2001788; rev:6;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Suspicious IRC Bot response"; content:"PRIVMSG"; nocase; pcre:"/([(FTP|TFTP)]\: File transfer|(random|sequential) Port Scan|Random Scanner|Exploiting IP|Exploiting\.\.|flooding\:|flood stopped|sending packets)/i"; flow:established; classtype:trojan-activity; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.honeynet.org/papers/bots/; sid:2001789; rev:7;)

[1] http://www.bleedingsnort.com/bleeding-all.rules

-- 
Tom Fischer                              Fischer at cert.uni-stuttgart.de
RUS-CERT University of Stuttgart    Tel:+49 711 121-3676 / -3688 (fax)
Breitscheidstr. 2, D-70174 Stuttgart     http://cert.uni-stuttgart.de/

