[Snort-sigs] Signatures for the latest rxbot / rbot variant

Christopher Harrington charrington at ...1244...
Thu Aug 12 09:36:04 EDT 2004


All,

Here are a couple of sigs for the latest rbot / rxbot variant. TrendMicro
has identified it as RBOT.GL.

alert tcp $HOME_NET any -> any any (msg:"RXBOT / RBOT Exploit Report"; \
    content:"|5D 3A 20|Exploiting|20|IP|3A 20|"; nocase; \
    classtype:trojan-activity; \
    reference:url,www.nitroguard.com/rxbot.html; \
    reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; \
    sid:1003620; rev:1;)

alert tcp any any -> $HOME_NET any (msg:"RXBOT / RBOT Vulnerability Scan"; \
    content:"|2E|advscan|20|"; nocase; \
    classtype:trojan-activity; \
    reference:url,www.nitroguard.com/rxbot.html; \
    reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.GL; \
    reference:url,www.muzzleflash.org/readarticle.php?article_id=5#scanning; \
    sid:1003621; rev:1;)

--Chris

--
Christopher Harrington, CISSP
Director of Security Engineering
NitroData Systems, Inc.
603-766-8160, ext. 25
http://www.nitroguard.com
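
Added example, not part of the original post and not NitroData's code: a small Python check that decodes the two `content` patterns from the rules above and applies them with `nocase` semantics to constructed payloads. It models payload matching only (no direction, `$HOME_NET` or stream handling); the sample payloads and all function names are assumptions made for illustration.

```python
# The two content options, copied from the rules in the post (both use nocase).
RULES = {
    1003620: ("|5D 3A 20|Exploiting|20|IP|3A 20|", True),
    1003621: ("|2E|advscan|20|", True),
}

def decode_content(pattern: str) -> bytes:
    """Turn a Snort content string (literal text mixed with |hex| runs) into bytes.
    Backslash escapes are not handled; the two patterns here do not use them."""
    parts = pattern.split("|")
    # Splitting on '|' alternates literal text (even index) and hex runs (odd index).
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2:
            out += bytes.fromhex(part)      # fromhex skips the spaces between bytes
        else:
            out += part.encode("latin-1")
    return bytes(out)

def matching_sids(payload: bytes) -> list:
    """Return the sids whose content pattern occurs anywhere in the payload."""
    hits = []
    for sid, (content, nocase) in sorted(RULES.items()):
        needle, hay = decode_content(content), payload
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle in hay:
            hits.append(sid)
    return hits

# Constructed payloads (not captured traffic). The last one is an e-mail body that
# merely quotes the command: with "any any" ports and no flow constraint, the short
# ".advscan " pattern matches it too, so expect such hits when triaging sid 1003621.
SAMPLES = {
    "bot_report": b":bot1!u@h PRIVMSG #chan :[TAG]: Exploiting IP: 192.0.2.10.\r\n",
    "scan_command": b":op!u@h PRIVMSG #chan :.ADVSCAN <args>\r\n",
    "benign_irc": b":user!u@h PRIVMSG #chan :hello\r\n",
    "mail_quoting_command": b"Subject: rbot notes\r\n\r\nIt uses .advscan to scan.\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:22} -> {matching_sids(payload)}")
```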






