[Snort-sigs] iroffer IRC P2P Bot signatures

Matthew Watchinski mwatchinski at ...435...
Tue Jun 29 09:23:00 EDT 2004

no need for the rawbytes keyword here.  content:"| hex|" works just fine.


Kevin Kolk wrote:

> I have recently discovered several systems in one of the networks I 
> manage that have had a variant of the iroffer (http://iroffer.org/) 
> installed.  This software is available for users to setup their own 
> IRC based file server however in this case it has been installed 
> without end users knowledge and basically setup to act as a storage 
> location for MP3s/Movies.  One of the channels they joined has almost 
> 1000 bots in the channel.  In the case of the systems discovered with 
> the bot there is no indication that the user installed it or was 
> activity using it.
> Symantec doesn't detect it as a virus however so removal has to be 
> done manually.   The installation locations used for the program do a 
> fairly good job of hiding itself but actually keeps log files of it's 
> activity.  In addition rather then appearing like the typical iroffer 
> bot they show up as 'lsass.exe' or 'SVCHost.exe' in memory to mask 
> their processes.   However, closer examination with process explorer 
> shows that the process titled LSASS.exe doesn't contain the normal 
> 'LSA Executable' description.
> Most of the systems I found were infected in Mid-Late May.  I'm not 
> sure what the method of infection was, could simply be caused by 
> visiting a malicious site in IE.  These two signatures will detect it 
> based on common messages produced by the bot when connected to a 
> channel with it.  Affected system will be the destination.
> alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot help 
> message"; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 
> 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; rawbytes; depth:500; classtype: 
> trojan-activity; sid:20046250;priority:1; flags:PA;)
> alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot offered files 
> advertisement"; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; 
> rawbytes; depth:500; classtype: trojan-activity; 
> sid:20046251;priority:1; flags:PA;)
> This could of course cause false positives if someone joined an IRC 
> channel that had one of these bots in it.  However at this point I 
> have not seen any.
> Kevin 

More information about the Snort-sigs mailing list