[Snort-sigs] SID 113

Muhammad Faisal Rauf Danka mfrd at ...1354...
Wed Sep 24 00:10:02 EDT 2003


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 
special note:
The rule probably has a typo: the source port should be 2140 instead of 4120 according to the pertaining arachnids,405 reference. The rule mentioned below is fixed.



Rule:  
alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113; classtype:misc-activity; rev:5;)  

--
Sid:
113

--
Summary:
This alert is due to possibility of an active DeepThroat Trojan/Backdoor.
--
Impact:
Possible control over the target machine, theft of data, misuse of resources, and installation of malware, thus providing maximum control to the malicious attacker.

--
Detailed Information:
This is typical trojan activity; Windows-based operating systems are affected.
Updated antivirus and trojan-cleaning utilities must be engaged to eradicate its presence.


--
Affected Systems:
Windows based operating systems.
Windows95
Windows98
WindowsNT
Windows2000

--
Attack Scenarios:
As is common, the trojan may be delivered in the form of a Win32 executable, via email or other means of online file transfer, such as instant messengers and chat rooms.

--
Ease of Attack:
Easily available trojan; intuitive in nature and very easy to use. Updated antivirus software is essential to prevent and/or get rid of infection.

--
False Positives:
None known

--
False Negatives:
None known

--
Corrective Action:
Update antivirus and engage trojan-cleaning utilities to disinfect the system from this trojan.

--
Contributors:
Muhammad Faisal Rauf Danka <mfrd at ...1354...>

-- 
Additional References:

http://www.whitehats.com/info/IDS405







Regards
--------
Muhammad Faisal Rauf Danka


_____________________________________________________________
---------------------------
[ATTITUDEX.COM]
http://www.attitudex.com/
---------------------------
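The following is an added example, not part of the original post and not Snort's own code. It is a small Python parser for the one-line Snort rule syntax used above, plus a simplified matcher that checks only protocol, ports and `content:` strings against a constructed UDP datagram. It ignores the `$EXTERNAL_NET` / `$HOME_NET` variables and every other rule option. The point it illustrates is the source-port typo raised in the special note: the rule as written (source port 4120) does not fire on a payload arriving from port 2140, while a variant with the port corrected to 2140 does. The sample payload and the corrected rule text are constructed here for the demonstration.

```python
import re
from dataclasses import dataclass, field

# The SID 113 rule exactly as quoted in the post (source port 4120).
RULE_TEXT = ('alert udp $EXTERNAL_NET 4120 -> $HOME_NET any '
             '(msg:"BACKDOOR DeepThroat access"; content: "--Ahhhhhhhhhh"; '
             'reference:arachnids,405; sid:113; classtype:misc-activity; rev:5;)')

# Constructed variant reflecting the special note (source port 2140); not from the post.
CORRECTED_RULE_TEXT = RULE_TEXT.replace(' 4120 ', ' 2140 ')


@dataclass
class SnortRule:
    action: str
    proto: str
    src: str
    sport: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)   # non-content options, e.g. sid, msg
    contents: list = field(default_factory=list)  # every content: value, in order


# header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r'^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
# option: key or key:value, value either a double-quoted string or bare text, ended by ';'
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(text):
    """Split a one-line Snort rule into header fields and options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a Snort rule header")
    action, proto, src, sport, _direction, dst, dport, body = m.groups()
    rule = SnortRule(action, proto, src, sport, dst, dport)
    for key, val in OPTION_RE.findall(body):
        val = val.strip()
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        if key == 'content':
            rule.contents.append(val)
        else:
            rule.options[key] = val
    return rule


def content_bytes(content):
    """Convert a content: value to bytes; text between '|' pairs is hex (|41 42| -> b'AB')."""
    out = b''
    for i, part in enumerate(content.split('|')):
        out += part.encode() if i % 2 == 0 else bytes.fromhex(part)
    return out


def port_matches(spec, port):
    """Snort port spec: 'any', a single port, 'lo:hi' ranges, or '!' negation."""
    if spec == 'any':
        return True
    if spec.startswith('!'):
        return not port_matches(spec[1:], port)
    if ':' in spec:
        lo, hi = spec.split(':', 1)
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def matches(rule, proto, sport, dport, payload):
    """Simplified matcher: protocol, both ports, and all content: strings must hit."""
    if rule.proto != proto:
        return False
    if not port_matches(rule.sport, sport) or not port_matches(rule.dport, dport):
        return False
    # Snort ANDs multiple content options; all must be present in the payload.
    return all(content_bytes(c) in payload for c in rule.contents)


def demo():
    """Show the effect of the source-port typo on a constructed DeepThroat-style reply."""
    as_written = parse_rule(RULE_TEXT)
    corrected = parse_rule(CORRECTED_RULE_TEXT)
    # Constructed sample datagram payload; it carries the rule's content string.
    payload = b'--Ahhhhhhhhhh (constructed sample payload)'
    return {
        'sid': as_written.options['sid'],
        'as_written_from_4120': matches(as_written, 'udp', 4120, 1025, payload),
        'as_written_from_2140': matches(as_written, 'udp', 2140, 1025, payload),
        'corrected_from_2140': matches(corrected, 'udp', 2140, 1025, payload),
    }


if __name__ == '__main__':
    for k, v in demo().items():
        print(f'{k}: {v}')
```

Running the block prints one line per check; the datagram from source port 2140 is only caught by the corrected rule, which is exactly the gap a wrong port in a signature leaves open. The matcher is deliberately minimal (no `nocase`, `offset`, `depth`, flow or network-variable handling), so it is a reading aid for the rule text, not a substitute for testing the rule in Snort itself.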
