[Snort-sigs] More on RxBot and IRC traffic

Tom Fischer Tom.Fischer at ...2966...
Sun Jan 23 05:03:07 EST 2005


Hi,

On Sat, Jan 22, 2005 at 01:31:51PM +1300, James Riden wrote:
> Correction, sorry - according to LURHQ, phatbot actually uses a P2P
> system rather than IRC for communication -

Phatbot (based on Agobot) could use both (P2P and IRC).

> So that would give us the following?
> alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Bot Reporting DoS"; content:"PRIVMSG"; nocase; pcre:"/(tcp|syn|udp|ack|ping|icmp)flood ([0-9]{1,3}\.){3}[0-9]{1,3}/i"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; sid:2001586; rev:1;)

Those commands are not necessarily PRIVMSGs (they are often set as a topic).

> alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !80 (msg:"BLEEDING-EDGE Bot Reporting Scan/Exploit"; content:"PRIVMSG"; nocase; pcre:"/(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|dcass|lsass|optix|upnp|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc)/i"; nocase; within:80; tag:session, 20, packets; classtype:trojan-activity; flow:to_server,established; reference:url,cert.uni-stuttgart.de/doc/netsec/bots.php; reference:url,www.nitroguard.com/rxbot.html; sid:2001584; rev:2;)

Ditto, not necessarily PRIVMSGs. Why not
pcre:"/(advscan|asc|xscan|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|dcass|lsass|optix|upnp|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc)/i"
(without content:"PRIVMSG"; nocase;) to capture the other c&c syntax 
(rather than the PRIVMSGs)?

> I've also seen this format from a bot:
> 000 : 50 52 49 56 4D 53 47 20 23 72 65 6C 69 66 65 20   PRIVMSG #relife 
> 010 : 3A 73 63 61 6E 28 6C 73 61 73 73 29 3A 20 72 61   :scan(lsass): ra
> 020 : 6E 64 6F 6D 20 70 6F 72 74 20 73 63 61 6E 20 31   ndom port scan 1
> 030 : 33 30 2E 78 2E 78 2E 78 3A 34 34 35 20 5B 64 65   30.x.x.x:445 [de
> 040 : 6C 61 79 20 31 35 20 73 65 63 5D 20 5B 30 20 6D   lay 15 sec] [0 m
> 050 : 69 6E 5D 20 5B 37 30 20 74 68 72 65 61 64 73 5D   in] [70 threads]
> 060 : 0D 0A                                             ..
> which is why I didn't code the sig to match "advscan lsass" only.

Yep, the PRIVMSGs are another (but not the only) way.
--short excerpt of my captured PRIVMSGs:--
[TFTP]: File transfer started to IP: xxx.xxx.xxx.xxx (C:\WINDOWS\System32\x.exe
[TFTP]: File transfer complete to IP: xxx.xxx.xxx.xxx (C:\WINDOWS\System32\x.exe
[FTP]: File transfer complete to IP: xxx.xxx.xxx.xxx (C:\WINDOWS\System32\x.exe
[SCAN]: Sequential Port Scan started on xxx.xxx.xxx.xxx:135 with a delay of 3 seconds for 240 minutes using 100 threads.
[SCAN]: Random Port Scan started on 129.x.x.x:135 with a delay of 4 seconds for 0 minutes using 100 threads
[SCAN]: Random Scanner Avviato : 129.xxx.x.x:135  delay  3 secondi  999 usato 200 threads...
scan(lsass): random port scan xxx.xxx.xxx.xxx 
[lsass]: Exploiting IP: xxx.xxx.xxx.xxx
[lsass_445]: Exploiting IP: xxx.xxx.xxx.xxx
[DDoS]: Flooding: (xxx.xxx.xxx.xxx:337) for 120 seconds
[SYN]: Flooding: (xxx.xxx.xxx.xxx:25) for 500 seconds.
[SYN]: Syn flood stopped.
[UDP]: Sending 29000 packets to xxx.xxx.xxx.xxx. Packet size: 10000, Delay: 1(ms).
[UDP]: Finished sending packets to xxx.xxx.xxx.xxx.
[PING] Ping flood stopped.
[...]
--end of excerpt--
see also http://www.giac.org/practical/GSEC/Chris_Hanna_GSEC.pdf

This could be used as a PRIVMSG rule like:
alert tcp $HOME_NET !21:443 -> $EXTERNAL_NET !25:80 (msg:"BLEEDING-EDGE Bot Reporting PRIVMSGs"; content:"PRIVMSG"; nocase; pcre:"/((\[FTP\]|\[TFTP\]): File transfer (started|complete)|(random|sequential) Port Scan|Random Scanner|Exploiting IP|flooding|flood stopped|sending packets)/i"; nocase; ...

-- 
Tom Fischer
RUS-CERT University of Stuttgart
Breitscheidstr. 2, D-70174 Stuttgart     http://cert.uni-stuttgart.de/
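To check how the three expressions proposed in this thread behave on real IRC lines, here is a small Python harness (added example, not part of the original post or of any Snort rule set). It applies the scan-command and flood-command regexes to any IRC verb (so a TOPIC is caught too) and the reporting regex only to PRIVMSGs, as the rule's content match requires. The sample lines are constructed from the excerpt above; the IRC prefix and channel name are assumptions.

```python
import re

# Patterns transcribed from the rules discussed in this thread. Python's re
# accepts the same syntax as Snort's pcre for these expressions.
SCAN_CMD = re.compile(
    r"(advscan|asc|xscan|adv\.start) "
    r"(webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|dcass|lsass|optix|"
    r"upnp|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc)",
    re.IGNORECASE)
FLOOD_CMD = re.compile(
    r"(tcp|syn|udp|ack|ping|icmp)flood ([0-9]{1,3}\.){3}[0-9]{1,3}",
    re.IGNORECASE)
REPORT = re.compile(
    r"((\[FTP\]|\[TFTP\]): File transfer (started|complete)|"
    r"(random|sequential) Port Scan|Random Scanner|Exploiting IP|flooding|"
    r"flood stopped|sending packets)", re.IGNORECASE)


def classify(line):
    """Return the labels that the thread's expressions assign to one IRC line."""
    if line.startswith(":"):          # drop an optional ":nick!user@host " prefix
        line = line.split(" ", 1)[1]
    verb = line.split(" ", 1)[0].upper()   # IRC verb: PRIVMSG, TOPIC, ...
    labels = []
    if SCAN_CMD.search(line):          # command may arrive as TOPIC or PRIVMSG
        labels.append("bot-scan-command")
    if FLOOD_CMD.search(line):
        labels.append("bot-flood-command")
    if verb == "PRIVMSG" and REPORT.search(line):   # reports only in PRIVMSG
        labels.append("bot-report")
    return labels


# Constructed sample traffic (channel, nick and 192.0.2.x address are made up).
SAMPLE_LINES = [
    "TOPIC #relife :advscan lsass",
    ":bot!x@y PRIVMSG #relife :[SCAN]: Random Port Scan started on 129.x.x.x:135 "
    "with a delay of 4 seconds for 0 minutes using 100 threads",
    "PRIVMSG #relife :[SYN]: Syn flood stopped.",
    "TOPIC #relife :synflood 192.0.2.10",
    "PRIVMSG #chat :hello, anyone around?",
]


def scan_lines(lines):
    """Classify every line; returns a list of (line, labels) pairs."""
    return [(line, classify(line)) for line in lines]
```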