[Snort-sigs] Egobot

Nick Randolph drandolph at ...435...
Tue Oct 15 12:05:09 EDT 2013


Looking at the screenshot they used to show the outbound request, it looks
like sid:19165 might catch this, but since they provided a screenshot I
can't tell if the 0x20 is present at the end of the user-agent string, and
it doesn't look like they provided a hash either.

The %s indicates a string variable so the '/micro/advice.php' and the
'1irst' are probably not static. Something like
content:"arg1="; http_uri; content:"arg2="; distance:0; http_uri;
should catch what you're looking for.



On Tue, Oct 15, 2013 at 10:02 AM, James Lay <jlay at ...3266...> wrote:

> I may have missed something...it IS early in the AM after all ;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"MALWARE-OTHER Win32.EgoBot CnC traffic";
> flow:to_server,established;
> content:"|2f|micro|2f|advice.php|3f|arg1=1irst|26|arg2="; http_uri;
> fast_pattern:only; metadata:policy balanced-ips drop, policy
> security-ips drop, service http, ruleset community;
> reference:url,www.symantec.com/connect/blogs/backdooregobot-how-effectively-execute-targeted-campaign;
> classtype:trojan-activity; sid:10000105; rev:1;)
>
> James
>
>



-- 

Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph at ...435...
Sourcefire.com <http://www.sourcefire.com/>
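The difference between the two approaches in this thread (a single literal content on the full path and arg1 value versus two shorter contents chained with distance:0 inside http_uri) can be checked offline. The Python below is an added example and is not part of the thread or of any Snort rule set; the URIs are constructed samples, and the helper names (decode_snort_content, content_chain_matches, compare_rules) are this example's own. It decodes Snort's |hex| content notation and emulates the relative-match semantics of distance:0, then runs both rule bodies over URIs in which the path and the arg1 value vary, as a %s format string in the binary would produce.

```python
import re
from typing import Dict, List

# Constructed sample request URIs (not real captures). The first one is the
# exact form shown in the thread; the others vary the path or the arg1 value,
# reorder the parameters, or omit arg2.
SAMPLE_URIS: List[str] = [
    "/micro/advice.php?arg1=1irst&arg2=abc",   # literal path and value
    "/update/check.php?arg1=second&arg2=def",  # different %s values
    "/index.html?arg2=zzz&arg1=one",           # arg2 before arg1
    "/micro/advice.php?arg1=1irst",            # arg2 missing
]

# Content options from the two rules discussed in the thread.
ORIGINAL_RULE = ["|2f|micro|2f|advice.php|3f|arg1=1irst|26|arg2="]
RELAXED_RULE = ["arg1=", "arg2="]  # second content carries distance:0


def decode_snort_content(text: str) -> bytes:
    """Turn a Snort content string into bytes.

    Segments between pipes are hex bytes (|2f| -> b"/"); everything else is
    literal, with backslash escapes (\\; \\" \\\\) unescaped.
    """
    parts = text.split("|")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 1:                       # odd segments sit between pipes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += re.sub(r"\\(.)", r"\1", part).encode()
    return bytes(out)


def content_chain_matches(uri: str, contents: List[str]) -> bool:
    """Emulate a chain of content: options where each one after the first
    is relative with distance:0, i.e. it must start at or after the end of
    the previous match. The first content is an absolute search."""
    data = uri.encode()
    cursor = 0
    for raw in contents:
        needle = decode_snort_content(raw)
        idx = data.find(needle, cursor)
        if idx < 0:
            return False
        cursor = idx + len(needle)          # distance:0 -> next search begins here
    return True


def compare_rules(uris: List[str]) -> Dict[str, List[bool]]:
    """Run both rule bodies over every URI and return the hit vector for each."""
    return {
        "original": [content_chain_matches(u, ORIGINAL_RULE) for u in uris],
        "relaxed": [content_chain_matches(u, RELAXED_RULE) for u in uris],
    }


if __name__ == "__main__":
    for name, hits in compare_rules(SAMPLE_URIS).items():
        print(name, hits)
```

The original literal only fires on the first URI; the chained arg1=/arg2= pair also fires on the second, where the path and the arg1 value differ, while still rejecting the reordered and the truncated query. Both contents should stay inside http_uri so the match is confined to the normalized URI buffer, and because "arg1=" is a short and common string, the relaxed rule is worth pairing with whatever other invariant the sample exposes (the user-agent, including any trailing 0x20, once a sample rather than a screenshot is available).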