[Snort-sigs] iroffer IRC P2P Bot signatures

Matthew Jonkman matt at ...2436...
Tue Jun 29 18:01:00 EDT 2004


So would these be accurate rules then, Matt W:

alert tcp any 6667 -> any any (msg:"P2P iroffer IRC Bot help message"; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; depth:500; flags:PA; classtype:trojan-activity; sid:20046250; rev:1; priority:1;)

alert tcp any 6667 -> any any (msg:"P2P iroffer IRC Bot offered files advertisement"; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; depth:500; flags:PA; classtype:trojan-activity; sid:20046251; rev:1; priority:1;)

If so I'll get them up on bleeding.

Thanks



Matthew Watchinski wrote:

> no need for the rawbytes keyword here.  content:"| hex|" works just fine.
> 
> Cheers,
> -matt
> 
> Kevin Kolk wrote:
> 
>> I have recently discovered several systems in one of the networks I 
>> manage that have had a variant of iroffer (http://iroffer.org/) 
>> installed.  This software is available for users to set up their own 
>> IRC-based file server; however, in this case it has been installed 
>> without the end users' knowledge and basically set up to act as a storage 
>> location for MP3s/movies.  One of the channels they joined has almost 
>> 1000 bots in it.  In the case of the systems discovered with 
>> the bot there is no indication that the user installed it or was 
>> actively using it.
>>
>> Symantec doesn't detect it as a virus, however, so removal has to be 
>> done manually.   The installation locations used for the program do a 
>> fairly good job of hiding it, but it actually keeps log files of its 
>> activity.  In addition, rather than appearing like the typical iroffer 
>> bot, they show up as 'lsass.exe' or 'SVCHost.exe' in memory to mask 
>> their processes.   However, closer examination with Process Explorer 
>> shows that the process titled LSASS.exe doesn't contain the normal 
>> 'LSA Executable' description.
>>
>> Most of the systems I found were infected in mid-to-late May.  I'm not 
>> sure what the method of infection was; it could simply be caused by 
>> visiting a malicious site in IE.  These two signatures will detect it 
>> based on common messages produced by the bot when connected to a 
>> channel with it.  The affected system will be the destination.
>>
>> alert tcp any 6667 -> any any (msg:"P2P iroffer IRC Bot help message"; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; rawbytes; depth:500; flags:PA; classtype:trojan-activity; sid:20046250; rev:1; priority:1;)
>>
>> alert tcp any 6667 -> any any (msg:"P2P iroffer IRC Bot offered files advertisement"; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; rawbytes; depth:500; flags:PA; classtype:trojan-activity; sid:20046251; rev:1; priority:1;)
>>
>> This could, of course, cause false positives if someone joined an IRC 
>> channel that had one of these bots in it.  However, at this point I 
>> have not seen any.
>>
>> Kevin 
> 

-- 
--------------------------------------------
Matthew Jonkman, CISSP
Senior Security Engineer
Infotex
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC
my.infotex.com
www.offsitefilter.com
--------------------------------------------


NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.
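Added example, not part of the original thread or of iroffer: a small Python model of the two rules above, run over constructed IRC payloads, that decodes the |hex| content strings to the plain text they represent and shows how the port-6667 direction and depth:500 constrain the match. The sample PRIVMSG lines below are constructed for illustration (the channel, nicknames and pack counts are made up), and the model only handles plain literals and |hex| blocks in a content string, not Snort's backslash escapes. It does not replace testing the rules in Snort itself.

```python
"""Model of the two iroffer Snort rules from the list, run over constructed IRC traffic."""
import re

# The two rules as posted above, trimmed to the fields this model uses.
RULES = [
    {"sid": 20046250, "msg": "P2P iroffer IRC Bot help message",
     "content": "|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|",
     "depth": 500, "src_port": 6667},
    {"sid": 20046251, "msg": "P2P iroffer IRC Bot offered files advertisement",
     "content": "|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|",
     "depth": 500, "src_port": 6667},
]


def decode_content(content: str) -> bytes:
    """Turn a Snort content string (literal text and |hex| blocks) into the bytes it matches.

    Assumes a well-formed string: every '|' opens or closes a hex block.
    """
    out = bytearray()
    for literal, hexpart in re.findall(r"([^|]*)(?:\|([0-9A-Fa-f ]*)\|)?", content):
        out += literal.encode("latin-1")
        if hexpart:
            out += bytes.fromhex(hexpart)  # fromhex ignores the spaces between bytes
    return bytes(out)


def rule_matches(rule: dict, src_port: int, payload: bytes) -> bool:
    """Apply the rule's source-port direction, then its content within `depth` bytes.

    Snort's depth means the pattern must end within the first `depth` bytes of the
    payload, which is exactly what searching payload[:depth] enforces.
    """
    if src_port != rule["src_port"]:
        return False
    return decode_content(rule["content"]) in payload[: rule["depth"]]


def scan(src_port: int, payload: bytes) -> list:
    """Return the sids of every rule that fires on one server-to-client payload."""
    return [r["sid"] for r in RULES if rule_matches(r, src_port, payload)]


# Constructed samples (not captured traffic). The bot's advertisement is relayed by the
# IRC server (source port 6667) to every client in the channel, so the infected host,
# and any bystander in the channel, is the destination, as Kevin notes.
BOT_ADVERT = (b":xdcc-bot!~bot@victim.example PRIVMSG #share :** 12 packs ** "
              b"Total Offered: 9.3 GB ** To request a file type: "
              b"\"/msg xdcc-bot xdcc send #x\"\r\n")
CHATTER = b":alice!~alice@host.example PRIVMSG #linux :has anyone tried the new kernel?\r\n"
# Same advertisement text, but pushed past the 500-byte depth window by earlier text.
PADDED = b":xdcc-bot!~bot@victim.example PRIVMSG #share :" + b"." * 600 + b" Total Offered: 1 GB\r\n"


if __name__ == "__main__":
    for rule in RULES:
        print(rule["sid"], decode_content(rule["content"]))
    print("bot advert from server:", scan(6667, BOT_ADVERT))
    print("ordinary chatter:     ", scan(6667, CHATTER))
    print("advert beyond depth:  ", scan(6667, PADDED))
    print("advert client->server:", scan(51234, BOT_ADVERT))
```

Decoded, the two content strings are the text `To request a file type: "/msg` and `Total Offered:`, which is why any client sitting in a channel with one of these bots receives matching lines and can trigger the rule, as Kevin's false-positive caveat says. The PADDED case shows the depth keyword's trade-off: it keeps the match cheap, but an advertisement that the server relays after 500 bytes of preceding text in the same segment is missed.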
