[Snort-sigs] iroffer IRC P2P Bot signatures

Kevin Kolk kkolk at ...2595...
Tue Jun 29 07:02:03 EDT 2004


I have recently discovered several systems in one of the networks I
manage that have had a variant of iroffer (http://iroffer.org/)
installed.  This software is available for users to set up their own IRC
based file server; however, in this case it has been installed without the end
users' knowledge and basically set up to act as a storage location for
MP3s/Movies.  One of the channels they joined has almost 1000 bots in
the channel.  In the case of the systems discovered with the bot there
is no indication that the user installed it or was actively using it.

Symantec doesn't detect it as a virus, however, so removal has to be done
manually.   The installation locations used for the program do a fairly
good job of hiding it, but it actually keeps log files of its
activity.  In addition, rather than appearing like the typical iroffer
bot they show up as 'lsass.exe' or 'SVCHost.exe' in memory to mask their
processes.   However, closer examination with Process Explorer shows
that the process titled LSASS.exe doesn't contain the normal 'LSA
Executable' description.

Most of the systems I found were infected in mid-to-late May.  I'm not sure
what the method of infection was; it could simply be caused by visiting a
malicious site in IE.  These two signatures will detect it based on
common messages produced by the bot when connected to a channel with
it.  The affected system will be the destination.

alert tcp any 6667 -> any any (msg:"P2P iroffer IRC Bot help message"; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; rawbytes; depth:500; classtype:trojan-activity; sid:20046250; priority:1; flags:PA;)

alert tcp any 6667 -> any any (msg:"P2P iroffer IRC Bot offered files advertisement"; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; rawbytes; depth:500; classtype:trojan-activity; sid:20046251; priority:1; flags:PA;)

This could, of course, cause false positives if someone joined an IRC
channel that had one of these bots in it.  However, at this point I have
not seen any.

Kevin
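The two content checks above, reproduced in Python and run over constructed IRC traffic so the matching logic (including the depth:500 limit and the server-to-client direction) can be exercised offline. This is an added example, not code from the original post, from the Snort project or from iroffer; the hex content strings are copied from the two rules, while the bot nickname, channel name, hostnames and the message payloads are assumptions constructed for the test and not a real capture:

```python
"""Re-implementation of the two Snort content checks from the post, run over
constructed IRC traffic so the rule logic can be exercised offline."""

# Hex content strings copied verbatim from the two rules in the post.
RULE_CONTENT_HEX = {
    20046250: "54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67",
    20046251: "54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A",
}

# Both rules use depth:500 and only inspect traffic from TCP source port 6667.
RULE_DEPTH = 500
IRC_PORT = 6667


def decode_content(hex_string: str) -> bytes:
    """Turn a Snort |..| hex content string into the raw bytes it matches."""
    return bytes.fromhex(hex_string)


RULE_CONTENT = {sid: decode_content(h) for sid, h in RULE_CONTENT_HEX.items()}


def content_matches(payload: bytes, pattern: bytes, depth: int = RULE_DEPTH) -> bool:
    """Snort content+depth semantics: the whole pattern must lie within the
    first `depth` bytes of the payload (rawbytes: no decoder normalisation)."""
    return pattern in payload[:depth]


def scan_packets(packets):
    """Return (sid, packet_index) for every packet that would fire a rule.
    A packet is (src_port, dst_port, payload); only src_port 6667 is
    inspected, matching the rules' `any 6667 -> any any` header."""
    hits = []
    for idx, (src_port, _dst_port, payload) in enumerate(packets):
        if src_port != IRC_PORT:
            continue
        for sid, pattern in RULE_CONTENT.items():
            if content_matches(payload, pattern):
                hits.append((sid, idx))
    return hits


def decoded_strings():
    """The human-readable strings the two rules look for."""
    return {sid: pat.decode("ascii") for sid, pat in RULE_CONTENT.items()}


# Constructed sample traffic (assumed names, not a real capture). Payloads
# mimic the shape of iroffer channel announcements as seen by the client.
BOT_HELP = (b":xdccbot!~bot@example.net PRIVMSG #warez :** To request a file "
            b"type: \"/msg xdccbot xdcc send #x\" **\r\n")
BOT_ADVERT = (b":xdccbot!~bot@example.net PRIVMSG #warez :** 3 packs ** Total "
              b"Offered: 1.2 GB  Total Transferred: 0.5 GB\r\n")
BENIGN = b":alice!~a@example.org PRIVMSG #snort :anyone seen the new rule set?\r\n"
# Same advert text, but pushed past the 500-byte depth by a long preamble.
DEEP_ADVERT = (b":xdccbot!~bot@example.net PRIVMSG #warez :" + b"*" * 500
               + b" Total Offered: 1.2 GB\r\n")

SAMPLE_PACKETS = [
    (6667, 51234, BOT_HELP),     # 0: fires sid 20046250
    (6667, 51234, BOT_ADVERT),   # 1: fires sid 20046251
    (6667, 51234, BENIGN),       # 2: no match
    (51234, 6667, BOT_HELP),     # 3: client -> server direction, not inspected
    (6667, 51234, DEEP_ADVERT),  # 4: pattern beyond depth:500, no match
]


if __name__ == "__main__":
    for sid, s in decoded_strings().items():
        print(f"sid {sid} looks for: {s!r}")
    for sid, idx in scan_packets(SAMPLE_PACKETS):
        print(f"sid {sid} fired on packet {idx}: {SAMPLE_PACKETS[idx][2][:60]!r}")
```

Packet 4 shows the caveat the depth:500 modifier introduces: if a bot pads its announcement, or the IRC server batches several channel lines into one TCP segment, the advertisement string can sit beyond byte 500 and the rule stays silent even though the same text is present.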