[Snort-sigs] (no subject)

Leonardo Alcantara leonardo at ...530...
Fri Apr 19 18:05:04 EDT 2002


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  
alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flags: A+; content:"Girl"; reference:arachnids,98; sid:145;  classtype:misc-activity; rev:3)

--
Sid: 145

--
Summary:
Efective connection on a trojan server running on a Microsoft Windows workstation in your internal network.

--
Impact:
The attacker may send messages, execute remote comands, eavesdrop text boxes and 
manipulate files. It's speciality is an offline password logger.

--
Detailed Information:
This backdoor usually drops the WINDLL.EXE in your Windows directory. Than it updates the registry including
the following entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WINDLL.EXE = "C:\WINDOWS\WINDLL>EXE
" 
The trojan stays resident in memory as a service process until next boot. Though it is invisible in
Microsoft Windows 9x series.
--
Attack Scenarios:
This trojan infects Microsoft Windows systems. 
--
Ease of Attack:
The user has to execute the malicious code on the local machine. Once installed the client
easily connect to the trojan server.
--
False Positives:
Conection to a webserver in a non-standard port (for example 8080) that serves a object that contains the 
word girl and happens to use the client port 21554 by chance.

--
False Negatives:
The rule expects the "Girl" string in the data stream and the conection established on the port 21554. Modified version
could open other port or exchange different stream of data. None reported until now.

--
Corrective Action:
Boot the infected machine. The trojan will not be active in the next boot. Scan the disk with
your prefered antivirus software with a update pattern.

--
Contributors:
Leonardo Alcantara
-- 
Additional References:
http://www.whitehats.com/info/IDS98
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=BKDR_GIRLFRIEND&VSect=T


More information about the Snort-sigs mailing list