[Snort-sigs] More on RxBot and IRC traffic

James Riden j.riden at ...1766...
Fri Jan 21 16:33:02 EST 2005


Tom Fischer <Tom.Fischer at ...2966...> writes:

> Hi,
>
> On Sat, Jan 15, 2005 at 02:23:01PM +1300, James Riden wrote:
>> I found an interesting web page
>> http://cert.uni-stuttgart.de/doc/netsec/bots.php which lists some
>> signatures for IRC communications from Agobot/Phatbot/RxBot.

Correction, sorry - according to LURHQ, phatbot actually uses a P2P
system rather than IRC for communication -
http://www.lurhq.com/phatbot.html - also gives some snort sigs for the
P2P control and for phatbot infection.

> yep :-) btw. I've added some new signatures to the mentioned web page
> e.g:
> (tcp|syn|udp|ack|ping|icmp)flood ([0-9]{1,3}\.){3}[0-9]{1,3}

Thanks! I think your sigs cover a lot more bases than the old ones we
had.

So that would give us the following?

alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Bot Reporting DoS"; content:"PRIVMSG"; nocase; pcre:"/(tcp|syn|udp|ack|ping|icmp)flood ([0-9]{1,3}\.){3}[0-9]{1,3}/i"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; sid:2001586; rev:1;)

> or advscan dcass (combination of lsass and dcom scanning method)

which would make the old sig:

alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Bot Reporting Scan/Exploit"; content:"PRIVMSG"; nocase; pcre:"/(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|dcass|lsass|optix|upnp|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc)/i"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; sid:2001584; rev:2;)
  
>> (You can get Google to translate from the German, but the signatures
>> don't survive too well, so make sure to look at them in the original.)
>
> need for an English version of this page?

I can just about get by with my limited German, thanks, but I'm sure
some others would appreciate it.

> If those rules produce too many false positives, it would be an option to
> add additional parameters like
> advscan lsass [0-9]{1,4} [0-9]{1,4} [0-9]{1,4}
> (because the syntax is advscan <method> <threads> <delay> <length>,
> e.g. advscan lsass 100 5 0)

I've also seen this format from a bot:

000 : 50 52 49 56 4D 53 47 20 23 72 65 6C 69 66 65 20   PRIVMSG #relife 
010 : 3A 73 63 61 6E 28 6C 73 61 73 73 29 3A 20 72 61   :scan(lsass): ra
020 : 6E 64 6F 6D 20 70 6F 72 74 20 73 63 61 6E 20 31   ndom port scan 1
030 : 33 30 2E 78 2E 78 2E 78 3A 34 34 35 20 5B 64 65   30.x.x.x:445 [de
040 : 6C 61 79 20 31 35 20 73 65 63 5D 20 5B 30 20 6D   lay 15 sec] [0 m
050 : 69 6E 5D 20 5B 37 30 20 74 68 72 65 61 64 73 5D   in] [70 threads]
060 : 0D 0A                                             ..

which is why I didn't code the sig to match "advscan lsass" only.

cheers,
 Jamie
-- 
James Riden / j.riden at ...1766... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
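The two rules above and the stricter "advscan <method> <threads> <delay> <length>" form, run over sample IRC payloads so the difference in false-positive behaviour is visible. This is an added example, not code from the thread, from Bleeding Edge or from the Stuttgart CERT page: it ports the pcre bodies of the two rules to Python's re module, approximates "within:80" by searching only the 80 bytes that follow the PRIVMSG match, and feeds in constructed payloads. The scan(lsass) line is the decoded hex dump from the post; the "advscan lsass 100 5 0" line is Tom's example; the synflood line and the benign chat line are made up, and the arguments after the flood target IP are an assumption about bot syntax, not something the thread documents.

```python
import re

# Alternation from the "Bot Reporting Scan/Exploit" rule (sid 2001584).
SCAN_BROAD_RE = re.compile(
    r"(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|dcass|lsass|optix|"
    r"upnp|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc)",
    re.IGNORECASE,
)

# Pattern from the "Bot Reporting DoS" rule (sid 2001586); the outer group
# around the dotted quad is added here so the target IP can be pulled out.
FLOOD_RE = re.compile(
    r"(tcp|syn|udp|ack|ping|icmp)flood ((?:[0-9]{1,3}\.){3}[0-9]{1,3})",
    re.IGNORECASE,
)

# Stricter form proposed in the thread: advscan <method> <threads> <delay> <length>.
ADVSCAN_STRICT_RE = re.compile(
    r"advscan (\w+) ([0-9]{1,4}) ([0-9]{1,4}) ([0-9]{1,4})",
    re.IGNORECASE,
)

# The rules use within:80 after content:"PRIVMSG". Approximated here as
# "only inspect the 80 bytes after the end of the PRIVMSG match".
WINDOW = 80


def classify(payload: bytes) -> dict:
    """Apply the three matchers to one client->server IRC payload.

    Returns a dict keyed by matcher name ("dos", "scan_broad", "scan_strict").
    An empty dict means none of the patterns fired.
    """
    hits = {}
    idx = payload.lower().find(b"privmsg")  # content:"PRIVMSG"; nocase;
    if idx == -1:
        return hits
    start = idx + len(b"PRIVMSG")
    text = payload[start:start + WINDOW].decode("latin-1")

    m = FLOOD_RE.search(text)
    if m:
        hits["dos"] = m.group(2)  # flood target address
    m = SCAN_BROAD_RE.search(text)
    if m:
        hits["scan_broad"] = m.group(1).lower()
    m = ADVSCAN_STRICT_RE.search(text)
    if m:
        hits["scan_strict"] = {
            "method": m.group(1).lower(),
            "threads": int(m.group(2)),
            "delay": int(m.group(3)),
            "length": int(m.group(4)),
        }
    return hits


# Constructed sample payloads (see lead-in for which are from the thread).
SAMPLES = [
    b"PRIVMSG #relife :scan(lsass): random port scan 130.x.x.x:445 "
    b"[delay 15 sec] [0 min] [70 threads]\r\n",
    b"PRIVMSG #relife :advscan lsass 100 5 0\r\n",
    b"PRIVMSG #relife :synflood 10.0.0.5 1000\r\n",        # assumed syntax
    b"PRIVMSG #chat :anyone still cleaning up mydoom at work?\r\n",
    b"PRIVMSG #chat :hello\r\n",
    b"NOTICE #relife :advscan lsass 100 5 0\r\n",           # not PRIVMSG
]


def run_samples() -> list:
    """Classify every sample; returned list lines up with SAMPLES."""
    return [classify(p) for p in SAMPLES]


if __name__ == "__main__":
    for payload, hits in zip(SAMPLES, run_samples()):
        print(payload.rstrip(), "->", hits or "no match")
```

The point the run makes: the "scan(lsass): random port scan ..." report is caught only by the broad keyword rule, the benign chat line mentioning mydoom is caught by the same broad rule (the false positive Tom anticipates), and the stricter advscan pattern fires only on the real command with its numeric parameters. Matching the broad alternation is therefore still needed to see the second reporting format, while the strict form is what you would use to cut noise.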
