[Snort-sigs] Phatbot Sigs

Dan Michitsch dmichitsch at ...2066...
Wed Mar 17 13:30:02 EST 2004


As reported by http://slashdot.org/ there is a trojan spreading rapidly
on Windows, so I thought others might benefit from a couple of sigs for
it.

alert tcp any any -> any any (msg:"Agobot/Phatbot Infection
Successful"; flow:established; content:"221 Goodbye, have a good
infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity;
reference:url,www.lurhq.com/phatbot.html; sid:1000075; rev:1;)

alert tcp any any -> any any (msg:"Phatbot P2P Control Connection";
flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15;
classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html;
sid:1000076; rev:1;) 



Daniel Michitsch
CCSA NG, MCSE
Network and Systems Engineer
Legislative Internet Technology Team
100 N. Capitol Avenue
P.O. Box 30014
Lansing, Michigan 48909-7514
(517)373-0522
dmichitsch at ...2066...




More information about the Snort-sigs mailing list