[Snort-sigs] SID 113

Muhammad Faisal Rauf Danka mfrd at ...1354...
Wed Sep 24 00:10:02 EDT 2003

# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# $Id$
Special note:
The rule probably has a typo: the source port should be 2140 instead of 4120 according to the pertaining arachnids,405 reference. The rule mentioned below is fixed.

alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113; classtype:misc-activity; rev:5;)  


This alert is due to the possibility of an active DeepThroat Trojan/Backdoor.
Possible consequences include control over the target machine, theft of data, misuse of resources and installation of malware, thus providing maximum control to the malicious attacker.

Detailed Information:
This is typical trojan activity; Windows-based operating systems are affected.
Updated antivirus and trojan cleaning utilities must be engaged to eradicate its presence.

Affected Systems:
Windows based operating systems.

Attack Scenarios:
As is common, the trojan may be delivered in the form of a Win32 executable, via email or other means of online file transfer, such as instant messengers and chat rooms.

Ease of Attack:
Easily available trojan; intuitive in nature and very easy to use. Updated antivirus software is essential to prevent and/or get rid of infection.

False Positives:
None known

False Negatives:
None known

Corrective Action:
Update antivirus and engage trojan cleaning utilities to disinfect from this trojan.

Muhammad Faisal Rauf Danka <mfrd at ...1354...>

Additional References:




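As an added illustration, not part of the original post and not Snort's own code: a small Python parser and matcher for the SID 113 rule above, run over constructed UDP packets, showing which traffic the rule as posted matches and how the match set changes when the source port is 2140 as the note says arachnids,405 specifies. The $HOME_NET value, the sample packets and the payload padding around the content string are assumptions.

```python
"""Minimal Snort rule parser and UDP matcher (constructed example, not Snort's parser).
Shows what the posted rule matches and why a wrong source port becomes a missed detection."""
import ipaddress
import re

# Rule text as posted on the list (sid:113).
RULE_AS_POSTED = ('alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; '
                  'content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113; '
                  'classtype:misc-activity; rev:5;)')
# Same rule with source port 2140, the value the note says arachnids,405 calls for.
RULE_CORRECTED = RULE_AS_POSTED.replace(" 4120 ", " 2140 ")

# Assumed variable values; a real sensor sets these in snort.conf.
VARS = {"$EXTERNAL_NET": "any", "$HOME_NET": "192.0.2.0/24"}

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')
OPT_RE = re.compile(r'(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(text):
    """Split a rule into header fields and a dict of option lists (keys may repeat)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule header")
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for key, val in OPT_RE.findall(opts):
        val = val.strip()
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]
        options.setdefault(key, []).append(val)
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}


def _addr_matches(spec, ip):
    spec = VARS.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(ip) in net) != negate


def _port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:  # Snort port range syntax lo:hi, either side optional
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and a bytes payload."""
    if pkt["proto"] != rule["proto"]:
        return False
    forward = (_addr_matches(rule["src"], pkt["src"]) and _port_matches(rule["sport"], pkt["sport"])
               and _addr_matches(rule["dst"], pkt["dst"]) and _port_matches(rule["dport"], pkt["dport"]))
    if not forward:
        return False
    # Every content: option must occur in the payload; Snort content is case-sensitive by default.
    return all(needle.encode() in pkt["payload"] for needle in rule["options"].get("content", []))


# Constructed sample traffic, not captures. Padding after the content string is made up.
SAMPLE_PACKETS = [
    {"proto": "udp", "src": "198.51.100.7", "sport": 4120, "dst": "192.0.2.10", "dport": 60000,
     "payload": b"--Ahhhhhhhhhh constructed-sample"},          # matches the rule as posted
    {"proto": "udp", "src": "198.51.100.7", "sport": 2140, "dst": "192.0.2.10", "dport": 60000,
     "payload": b"--Ahhhhhhhhhh constructed-sample"},          # matches only with source port 2140
    {"proto": "udp", "src": "198.51.100.7", "sport": 4120, "dst": "192.0.2.10", "dport": 60000,
     "payload": b"unrelated udp blob"},                        # right port, no content match
    {"proto": "udp", "src": "198.51.100.7", "sport": 2140, "dst": "203.0.113.5", "dport": 60000,
     "payload": b"--Ahhhhhhhhhh"},                             # destination outside $HOME_NET
]


def matching_packets(rule_text, packets=SAMPLE_PACKETS):
    """Indices of packets that would raise the rule's alert."""
    rule = parse_rule(rule_text)
    return [i for i, p in enumerate(packets) if rule_matches(rule, p)]


if __name__ == "__main__":
    for label, text in (("as posted", RULE_AS_POSTED), ("port 2140", RULE_CORRECTED)):
        r = parse_rule(text)
        print(f'{label}: sid {r["options"]["sid"][0]} "{r["options"]["msg"][0]}" '
              f'-> packets {matching_packets(text)}')
```

The point the two runs make: the posted rule fires on packet 0 only, and the port-corrected rule on packet 1 only, so whichever port the backdoor really uses, the other rule version silently misses it. Packet 3 shows that $HOME_NET scoping also matters: the same payload to an address outside the monitored range produces no alert.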