[Snort-sigs] More on RxBot and IRC traffic

James Riden j.riden at ...1766...
Fri Jan 14 17:24:27 EST 2005


Hi there, 

I found an interesting web page
http://cert.uni-stuttgart.de/doc/netsec/bots.php which lists some
signatures for IRC communications from Agobot/Phatbot/RxBot.

(You can get Google to translate from the German, but the signatures
don't survive too well, so make sure to look at them in the original.)

<quote>
# localscan (?)
# (ntscan|ntstop|gigaload) (?)
# {http|ftp}\.execute (Agobot/Phatbot)
# bot\.(command|execute|flushdns) (Agobot/Phatbot)
# redirect ([0-9]{1,4}) (SpYboT)
# redirect\.(gre|http|https|socks|socks5|stop|tcp) (Agobot/Phatbot)
# scan\.((start|stop)(all)?|stats|(dis|en)able|(clear|reset|list|del|add)netrange) (Agobot/Phatbot)
# {syn|udp} ([0-9]{1,3}\.){3}[0-9]{1,3} (SDBot)
# ddos\.(httpflood|phat(icmp|syn|wonk)|stop|(syn|udp)flood|targa3) (Agobot/Phatbot)
# !scan ([0-9]{1,3}\.) (GTBot)
# (advscan|asc|xscan|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp) (rBot/rxBot)
# (advscan|asc|xscan|adv\.start) (beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc) (rBot/rxBot)
# ddos\.(syn|ack|random) (rBot/rxBot)
</quote>

So, to make SID 2001584 a bit more comprehensive, I think we could do:

alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Bot Reporting Scan/Exploit"; content:"PRIVMSG"; nocase; pcre:"/(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc)/i"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; sid:2001584; rev:1;)

And to cover the DDoS sigs:

alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Bot Reporting/Commencing DDoS"; content:"PRIVMSG"; nocase; pcre:"/ddos\.(httpflood|phat(icmp|syn|wonk)|stop|(syn|udp)flood|targa3|syn|ack|random)/i"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; sid:2001586; rev:1;)

NB: This is the first time I've written pcre, so feedback is most welcome.

I've also seen variations which are (should be :) covered in the first
sig which the web page sigs don't cover - e.g. packets starting
"PRIVMSG #channel:scan(lsass): random scan"... - which is why it's
slightly different.

cheers,
 Jamie
-- 
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
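The following is an added example, not code from the post above or from the Bleeding Edge ruleset: it transcribes the two PCREs from the proposed rules into Python and runs them over a handful of constructed IRC payloads, so you can see which lines would trip each rule before loading them into Snort. The 80-byte window after PRIVMSG is my reading of the rules' within:80 intent, and the PCRE in the DDoS rule is used with its leading "/" delimiter supplied; both are assumptions. The benign chat line is included deliberately: a bare word match on "lsass" or "mydoom" fires on ordinary conversation too, which is the noise to expect from regexes this broad.

```python
import re
from typing import List, Optional, Tuple

# Patterns transcribed from the two proposed rules, compiled with /i as there.
SCAN_RE = re.compile(
    r"(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|"
    r"beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc)",
    re.IGNORECASE,
)
DDOS_RE = re.compile(
    r"ddos\.(httpflood|phat(icmp|syn|wonk)|stop|(syn|udp)flood|targa3|syn|ack|random)",
    re.IGNORECASE,
)

# Assumption: the rules' within:80 is read as "the bot command must appear
# within 80 bytes after the PRIVMSG token".
WINDOW = 80

# Rule msg strings from the post, used as the verdict labels.
SCAN_RULE = "BLEEDING-EDGE Bot Reporting Scan/Exploit"
DDOS_RULE = "BLEEDING-EDGE Bot Reporting/Commencing DDoS"


def classify(payload: bytes) -> Optional[str]:
    """Return the msg of the rule that would fire on one IRC payload, or None.

    Mirrors the rule logic: a case-insensitive PRIVMSG must be present, and the
    PCRE must match somewhere in the WINDOW bytes that follow it.
    """
    text = payload.decode("latin-1")  # IRC is byte-oriented; never fail on decode
    anchor = re.search("PRIVMSG", text, re.IGNORECASE)
    if anchor is None:
        return None
    window = text[anchor.end(): anchor.end() + WINDOW]
    if SCAN_RE.search(window):
        return SCAN_RULE
    if DDOS_RE.search(window):
        return DDOS_RULE
    return None


def triage(payloads: List[bytes]) -> List[Tuple[bytes, Optional[str]]]:
    """Run classify() over a batch of payloads; handy for eyeballing hit rates."""
    return [(p, classify(p)) for p in payloads]


# Constructed sample traffic (not captured data). Addresses are RFC 5737
# documentation ranges.
SAMPLES = [
    # rxBot-style scan report mentioned in the post: should fire the scan rule.
    b"PRIVMSG #chan :scan(lsass): random scan\r\n",
    # rxBot advscan command as listed on the Stuttgart page.
    b":c0ntr0l!op@h PRIVMSG #chan :.advscan dcom135 200 5 0 -r -s\r\n",
    # DDoS command; should fire the DDoS rule.
    b":c0ntr0l!op@h PRIVMSG #chan :.ddos.synflood 192.0.2.10 80 60\r\n",
    # Benign chat that still matches: the regex has no word boundaries.
    b"PRIVMSG alice :I still need to patch lsass on the lab box\r\n",
    # No PRIVMSG at all: never fires.
    b"JOIN #chan\r\n",
    # Command pushed past the 80-byte window: does not fire.
    b"PRIVMSG #chan :" + b"x" * 90 + b" ddos.ack 198.51.100.7\r\n",
]

if __name__ == "__main__":
    for payload, verdict in triage(SAMPLES):
        print(f"{verdict or '-':45} {payload[:60]!r}")
```

The last two samples are the cases worth keeping in mind when tuning: the window keeps long chat lines from matching a stray command fragment at the end, while the benign "lsass" line shows why alerts from these rules want the tagged session looked at rather than acted on blind.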