[Snort-sigs] SID 157

Christopher_Lubrecht at ...381... Christopher_Lubrecht at ...381...
Thu Mar 7 19:32:13 EST 2002

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$

alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1
Client FTP Open Request"; flags: A+; content:"FTPON"; sid:157;
classtype:misc-activity; rev:3;)
Back Construction is a simple remote access trojan, which operates on a
client/server model.  Aside from the trojan, it opens a ftp server which anyone
can use.
This trojan could be very damaging. Sites infected by this trojan could be used as
"WAREZ" hosts, as well as a platform to serve files for a "hacker group"
Detailed Information:
This trojan is fairly simple. It opens a FTP server on port 21, as well as listens
for client connection on ports 5401,5402 and 666.  using this trojan, an attacker
can send email using the victims email, get cached passwords, start/stop the
machine,  as well as use the file explorer. The FTP server could be used to host
"WAREZ" or exploits for access by others as well as the attacker.  This signature
detects the client request to activate the FTP server.
Attack Scenarios:
After activation, the attacker could broadcast the server address, in order to
serve whatever files he/she has placed there. This could impact both server
resources and bandwidth resources.
Ease of Attack:

False Positives:
This signature could be triggered by casual, or legitimate use.
False Negatives:

Corrective Action:
http://www.dark-e.com/archive/trojans/backc/21/index.shtml offers the following
removal instructions

"Remove the Shell key located in the registry at:
HKEY_USERS\.Default\Software\Microsoft\Windows\CurrentVersion\Run\. And the P23H
located at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\General\Settings\. Which can be
done with regedit or any other registry editing program.
Reboot the computer or close the trojan.
Delete the trojan file Cmctl32.exe in the windows directory. "

Christopher Lubrecht chris_lubrecht at ...382...
Additional References:



Any views or opinions are solely those of the
author and do not necessarily represent those
of PR Newswire. The contents are intended
only for the addressee and may contain confidential
and/or privileged material. If you are not the
intended recipient, please do not read, copy,
use or disclose this communication and notify
the sender.

More information about the Snort-sigs mailing list