[Snort-sigs] iroffer IRC P2P Bot signatures
mwatchinski at ...435...
Tue Jun 29 09:23:00 EDT 2004
No need for the rawbytes keyword here. content:"|hex|" works just fine.
Kevin Kolk wrote:
> I have recently discovered several systems in one of the networks I
> manage that have had a variant of the iroffer (http://iroffer.org/)
> installed. This software is available for users to set up their own
> IRC based file server; however, in this case it has been installed
> without end users' knowledge and basically set up to act as a storage
> location for MP3s/Movies. One of the channels they joined has almost
> 1000 bots in the channel. In the case of the systems discovered with
> the bot there is no indication that the user installed it or was
> actively using it.
> Symantec doesn't detect it as a virus, however, so removal has to be
> done manually. The installation locations used for the program do a
> fairly good job of hiding it, but it actually keeps log files of its
> activity. In addition, rather than appearing like the typical iroffer
> bot they show up as 'lsass.exe' or 'SVCHost.exe' in memory to mask
> their processes. However, closer examination with Process Explorer
> shows that the process titled LSASS.exe doesn't contain the normal
> 'LSA Executable' description.
> Most of the systems I found were infected in mid-late May. I'm not
> sure what the method of infection was; it could simply be caused by
> visiting a malicious site in IE. These two signatures will detect it
> based on common messages produced by the bot when connected to a
> channel with it. The affected system will be the destination.
> alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot help
> message"; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65
> 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; rawbytes; depth:500; classtype:
> trojan-activity; sid:20046250;priority:1; flags:PA;)
> alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot offered files
> advertisement"; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|";
> rawbytes; depth:500; classtype: trojan-activity;
> sid:20046251;priority:1; flags:PA;)
> This could of course cause false positives if someone joined an IRC
> channel that had one of these bots in it. However at this point I
> have not seen any.
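An added example (not part of the thread) showing how the two posted rules match: it expands the Snort `content:"|hex|"` form into bytes and applies the `depth:500` window to constructed IRC channel lines, so the match works on the raw payload without `rawbytes`, as the reply notes. The IRC lines and nicks are constructed test data.

```python
import re

# content: values copied from the two rules in the thread, keyed by their msg.
RULE_CONTENTS = {
    "P2P iroffer IRC Bot help message":
        '|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|',
    "P2P iroffer IRC Bot offered files advertisement":
        '|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|',
}
DEPTH = 500  # depth:500 in both rules: only the first 500 payload bytes are searched

_PIPE_SEG = re.compile(r'\|([0-9A-Fa-f\s]*)\|')


def snort_content_to_bytes(content: str) -> bytes:
    """Expand a Snort content string: text outside |...| is literal, hex inside is decoded."""
    out = bytearray()
    pos = 0
    for m in _PIPE_SEG.finditer(content):
        out += content[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += content[pos:].encode("latin-1")
    return bytes(out)


def match_rules(payload: bytes, depth: int = DEPTH) -> list:
    """Return the msg of every rule whose content occurs within the first `depth` bytes."""
    window = payload[:depth]
    return [msg for msg, c in RULE_CONTENTS.items()
            if snort_content_to_bytes(c) in window]


# Constructed IRC PRIVMSG lines, modelled on the bot messages the rules target.
HELP_LINE = (b':xbot!~x@10.0.0.5 PRIVMSG #chan :** To request a file type: '
             b'"/msg xbot xdcc send #x" **\r\n')
OFFER_LINE = b':xbot!~x@10.0.0.5 PRIVMSG #chan :** Total Offered: 12.3 MB **\r\n'
BENIGN_LINE = b':alice!~a@10.0.0.9 PRIVMSG #chan :anyone seen the new release?\r\n'

if __name__ == "__main__":
    for line in (HELP_LINE, OFFER_LINE, BENIGN_LINE):
        print(line[:40], "->", match_rules(line))
```

Lines found past byte 500 of a payload are not matched, which is the depth caveat to keep in mind when the server coalesces many channel messages into one segment.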