[Snort-sigs] iroffer IRC P2P Bot signatures

Matthew Watchinski mwatchinski at ...435...
Tue Jun 29 20:34:14 EDT 2004


With the addition of Nigel's suggestions they are well formed :).  If 
that hex string is actually at the location you outline in the rule and 
isn't easily evadable then they are accurate.  :)

Side note:  For readability normally ASCII chars aren't represented in 
hex notation. 

I.e.

content:"To request a file type: |22|/msg"; is a bit easier to read

Cheers,
-matt

Matthew Jonkman wrote:

> So would these be accurate rules then Matt W:
>
> alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot help message"; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; depth:500; classtype:trojan-activity; sid:20046250; priority:1; flags:PA;)
>
> alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot offered files advertisement"; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; depth:500; classtype:trojan-activity; sid:20046251; priority:1; flags:PA;)
>
> If so I'll get them up on bleeding.
>
> Thanks
>
>
>
> Matthew Watchinski wrote:
>
>> No need for the rawbytes keyword here.  content:"| hex|" works just 
>> fine.
>>
>> Cheers,
>> -matt
>>
>> Kevin Kolk wrote:
>>
>>> I have recently discovered several systems in one of the networks I 
>>> manage that have had a variant of iroffer (http://iroffer.org/) 
>>> installed.  This software is available for users to set up their own 
>>> IRC-based file server; however, in this case it has been installed 
>>> without the end users' knowledge and basically set up to act as a storage 
>>> location for MP3s/movies.  One of the channels they joined has 
>>> almost 1000 bots in it.  In the case of the systems 
>>> discovered with the bot, there is no indication that the user 
>>> installed it or was actively using it.
>>>
>>> Symantec doesn't detect it as a virus, however, so removal has to be 
>>> done manually.   The installation locations used for the program do 
>>> a fairly good job of hiding it, but it actually keeps log files of 
>>> its activity.  In addition, rather than appearing like the typical 
>>> iroffer bot, they show up as 'lsass.exe' or 'SVCHost.exe' in memory 
>>> to mask their processes.   However, closer examination with Process 
>>> Explorer shows that the process titled LSASS.exe doesn't contain the 
>>> normal 'LSA Executable' description.
>>>
>>> Most of the systems I found were infected in mid-to-late May.  I'm not 
>>> sure what the method of infection was; it could simply be caused by 
>>> visiting a malicious site in IE.  These two signatures will detect 
>>> it based on common messages produced by the bot when connected to a 
>>> channel with it.  The affected system will be the destination.
>>>
>>> alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot help message"; content:"|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"; rawbytes; depth:500; classtype:trojan-activity; sid:20046250; priority:1; flags:PA;)
>>>
>>> alert tcp any 6667 -> any any ( msg:"P2P iroffer IRC Bot offered files advertisement"; content:"|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"; rawbytes; depth:500; classtype:trojan-activity; sid:20046251; priority:1; flags:PA;)
>>>
>>> This could, of course, cause false positives if someone joined an IRC 
>>> channel that had one of these bots in it.  However, at this point I 
>>> have not seen any.
>>>
>>> Kevin 
>>
>>
>>
>>
>>
>>
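The hex-versus-ASCII point Matt raises, as an added example that is not code from this thread or from Snort: a small Python emulation of Snort's content/depth matching that decodes Kevin's all-hex content strings, shows they are byte-identical to the mixed `|22|` form, and runs both against a constructed IRC PRIVMSG line (the sample payload and helper names are my own).

```python
import re
# Snort content strings mix literal text with |hex bytes| sections; this is an
# added illustration of that notation, not code from the thread or from Snort.
HEX_SECTION = re.compile(r"\|([0-9A-Fa-f\s]*)\|")
SPECIAL = set(b'"|;\\')  # bytes Snort needs escaped or hex-encoded inside content

def parse_content(pattern: str) -> bytes:
    """Turn a Snort content string into the bytes the engine searches for."""
    out, pos = bytearray(), 0
    for m in HEX_SECTION.finditer(pattern):
        literal = re.sub(r"\\(.)", r"\1", pattern[pos:m.start()])  # drop backslash escapes
        out += literal.encode("latin-1")
        out += bytes.fromhex(m.group(1))  # fromhex ignores whitespace between byte pairs
        pos = m.end()
    out += re.sub(r"\\(.)", r"\1", pattern[pos:]).encode("latin-1")
    return bytes(out)

def to_readable(data: bytes) -> str:
    """Re-express bytes with printable ASCII in the clear and only non-printable
    or special bytes in |hex|, the more readable form recommended above."""
    parts, run = [], []
    def flush():
        if run:
            parts.append("|" + " ".join(run) + "|")
            run.clear()
    for b in data:
        if 0x20 <= b < 0x7F and b not in SPECIAL:
            flush()
            parts.append(chr(b))
        else:
            run.append(f"{b:02X}")
    flush()
    return "".join(parts)

def content_matches(payload: bytes, pattern: str, depth: int) -> bool:
    """Emulate content + depth: the whole pattern must lie within the first
    `depth` payload bytes (depth:500 in the rules above)."""
    return parse_content(pattern) in payload[:depth]

# The two all-hex patterns from Kevin's rules and the mixed-notation rewrite.
HELP_HEX = "|54 6F 20 72 65 71 75 65 73 74 20 61 20 66 69 6C 65 20 74 79 70 65 3A 20 22 2F 6D 73 67|"
HELP_READABLE = 'To request a file type: |22|/msg'
OFFERED_HEX = "|54 6F 74 61 6C 20 4F 66 66 65 72 65 64 3A|"
# Constructed sample IRC line for the demonstration, not captured traffic.
SAMPLE_PAYLOAD = b':bot!u@h PRIVMSG #chan :** To request a file type: "/msg bot xdcc send #1" **\r\n'

if __name__ == "__main__":
    print(to_readable(parse_content(HELP_HEX)))       # To request a file type: |22|/msg
    print(to_readable(parse_content(OFFERED_HEX)))    # Total Offered:
    print(content_matches(SAMPLE_PAYLOAD, HELP_HEX, 500))  # True
```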
