[Snort-sigs] db entry for sid 157

Patrick Sarnacke pbsarnac at ...409...
Wed Mar 6 07:49:05 EST 2002


This sig was already queued, but since I had a copy of the trojan, I decided 
to take a whack at it anyway. This is my first attempt at one of these, so 
please let me know if I should include more/less/different info.


Rule:
alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flags: A+; content:"FTPON"; sid:157; classtype:misc-activity; rev:3;)
--
Sid:
157
--
Summary:
This signature indicates that a BackConstruction client has activated the FTP 
server on a trojaned Windows machine on $HOME_NET.
--
Impact:
A remote attacker can download files from the trojaned machine.
--
Detailed Information:
BackConstruction is a simple Windows backdoor trojan that allows file 
browsing, manipulation, and download; remote application launching and 
killing; chat; and remote system crash, shutdown, and reboot. This particular 
signature indicates that the BackConstruction client on an attacker's machine 
has sent an instruction to the infected machine (which is running the 
BackConstruction server) to enable FTP. The client can now download files 
from the trojaned machine's hard drive(s).
--
Attack Scenarios:
This trojan can be distributed through any of the normal means. Once 
installed, any attacker can connect at leisure, as long as she knows the IP 
address and has access to ports 21, 666, 5401 and 5402.
--
Ease of Attack:
Once the trojan is installed, as long as the IP address is known and the 
necessary ports are available to the attacker, attack is extremely easy.
--
False Positives:

--
False Negatives:

--
Corrective Action:
Mitigation:
Block inbound ports 21, 666, 5401, and 5402 at the firewall, or install a 
host-based firewall to block the same ports.
Removal:
Remove the file c:\windows\cmctl32.exe. Delete the registry key:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Shell"="C:\WINDOWS\Cmctl32.exe"
Reboot the infected machine to kill the running instance of the trojan.

[Removal instructions from http://www.tlsecurity.net]
--
Contributors:

--
Additional References:
Packet dump:
0000  00 50 56 ff ae cb 00 50  56 fe 18 10 08 00 45 00   .PVÿ®Ë.P Vþ....E.
0010  00 2e d3 01 40 00 80 06  d1 6c c0 a8 ea 84 c0 a8   ..Ó.@... ÑlÀšê.Àš
0020  ea 85 04 0c 02 9a 00 38  bb c2 00 64 b1 e7 50 18   ê......8 »Â.d±çP.
0030  22 18 dd a2 00 00 46 54  50 4f 4e 20               ".Ý¢..FT PON     
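Added example (not part of the original post or of the Snort rule set): the script below decodes the hex columns of the packet dump above and applies the conditions of sid 157 to it (destination port 666, ACK set as `flags: A+` requires, payload containing "FTPON"). The post does not give values for $HOME_NET or $EXTERNAL_NET, so the script assumes 192.168.0.0/16 and "any" respectively; the helper names are made up for this example.

```python
import ipaddress
import struct

# Constructed copy of the hex columns of the packet dump in the post (the
# ASCII column is dropped).  Offsets 0x0000-0x003b: one 60-byte Ethernet frame.
PACKET_DUMP = """\
0000  00 50 56 ff ae cb 00 50  56 fe 18 10 08 00 45 00
0010  00 2e d3 01 40 00 80 06  d1 6c c0 a8 ea 84 c0 a8
0020  ea 85 04 0c 02 9a 00 38  bb c2 00 64 b1 e7 50 18
0030  22 18 dd a2 00 00 46 54  50 4f 4e 20
"""

TCP_ACK = 0x10  # ACK bit in the TCP flags byte


def parse_hex_dump(dump):
    """Convert an offset-prefixed hex dump into raw bytes.

    Each line is "<offset>  <hex bytes...>"; reading stops at the first token
    that is not two hex digits, so a trailing ASCII column would be ignored.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        for tok in tokens[1:]:  # tokens[0] is the offset column
            if len(tok) != 2 or any(c not in "0123456789abcdefABCDEF" for c in tok):
                break
            out.append(int(tok, 16))
    return bytes(out)


def decode_frame(frame):
    """Pull the Ethernet/IPv4/TCP fields that sid 157 tests out of one frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    if ip[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ip[0] & 0x0F) * 4            # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:                       # protocol 6 = TCP
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[0:4])
    data_off = (tcp[12] >> 4) * 4        # TCP header length in bytes
    return {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": tcp[13],
        "payload": tcp[data_off:],
    }


def matches_sid_157(fields, home_net="192.168.0.0/16", external_net=None):
    """Apply the conditions of sid 157 to decoded fields.

    home_net / external_net stand in for $HOME_NET / $EXTERNAL_NET; the
    defaults (192.168.0.0/16 and "any") are assumptions, not values from the
    post.  flags: A+ means ACK must be set and any other flags may accompany it.
    """
    src = ipaddress.ip_address(fields["src"])
    dst = ipaddress.ip_address(fields["dst"])
    if external_net is not None and src not in ipaddress.ip_network(external_net):
        return False
    if dst not in ipaddress.ip_network(home_net):
        return False
    if fields["dport"] != 666:
        return False
    if not fields["flags"] & TCP_ACK:
        return False
    return b"FTPON" in fields["payload"]


def check_dump(dump=PACKET_DUMP, home_net="192.168.0.0/16", external_net=None):
    """Decode a dump and report whether sid 157 would fire on it."""
    return matches_sid_157(decode_frame(parse_hex_dump(dump)), home_net, external_net)


if __name__ == "__main__":
    fields = decode_frame(parse_hex_dump(PACKET_DUMP))
    print(fields)
    print("sid 157 matches:", check_dump())
```

Decoding the dump gives 192.168.234.132:1036 -> 192.168.234.133:666 with flags 0x18 (PSH+ACK) and the six-byte payload "FTPON ", so the rule fires as written. Note that both hosts in the dump sit on 192.168.234.0/24: if $EXTERNAL_NET is defined as !$HOME_NET rather than "any", this particular capture would not trigger the rule, which is worth keeping in mind when testing it against a lab packet.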