[Snort-sigs] Egobot

James Lay jlay at ...3266...
Tue Oct 15 12:13:10 EDT 2013


On 2013-10-15 10:05, Nick Randolph wrote:
> Looking at the screenshot they used to show the outbound request it
> looks like sid:19165 might catch this but, since they provided a
> screenshot I can't tell if the 0x20 is present at the end of the
> user-agent string and it doesn't look like they provided a hash
> either.
>
> The %s indicates a string variable so the /micro/advice.php and the
> 1irst are probably not static. Something like
> content:"arg1="; http_uri; content:"arg2="; distance:0; http_uri;
> should catch what you're looking for.
>
> On Tue, Oct 15, 2013 at 10:02 AM, James Lay <jlay at ...3266...> wrote:
>
>> I may have missed something...it IS early in the AM after all ;)
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>> (msg:"MALWARE-OTHER Win32.EgoBot CnC traffic";
>> flow:to_server,established;
>> content:"|2f|micro|2f|advice.php|3f|arg1=1irst|26|arg2="; http_uri;
>> fast_pattern:only; metadata:policy balanced-ips drop, policy
>> security-ips drop, service http, ruleset community;
>> reference:url,www.symantec.com/connect/blogs/backdooregobot-how-effectively-execute-targeted-campaign;
>> classtype:trojan-activity; sid:10000105; rev:1;)
>>
>> James

Ya good call Nick...I hosed it on the variables yet again...confirmed 
with:

http://www.symantec.com/connect/blogs/infostealernemim-how-pervasive-infostealer-continues-evolve

Bleh...thanks for the catch.

James
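The exchange above turns on how Snort evaluates two http_uri content matches chained with distance:0, compared with the single static content in the original rule. The following is an added illustration, not code from the thread or from Snort: it emulates the two rule fragments over the request-URI buffer and runs them against constructed sample URIs. The Snort semantics it models are that a content with no relative modifier is searched from the start of the buffer, and that distance:0 anchors the next content's search at the end of the previous match; sample URIs and the arg1 value "secnd" are made up for the test.

```python
# Added example: minimal emulation of two Snort http_uri rule fragments.
# Not Snort code; the sample URIs below are constructed for illustration.

# James's original rule: one literal content against http_uri
# (|2f| = '/', |3f| = '?', |26| = '&' in Snort hex notation).
STATIC_PATTERN = "/micro/advice.php?arg1=1irst&arg2="


def match_static(uri: str) -> bool:
    """Emulates content:"/micro/advice.php?arg1=1irst&arg2="; http_uri;
    The value of arg1 must be exactly "1irst", so a variable value
    (the %s in the malware's format string) defeats the match."""
    return STATIC_PATTERN in uri


def match_relative(uri: str) -> bool:
    """Emulates Nick's suggestion:
        content:"arg1="; http_uri; content:"arg2="; distance:0; http_uri;
    distance:0 starts the search for "arg2=" at the end of the "arg1="
    match, so arg2= must appear somewhere after arg1= in the URI.
    Checking only the first occurrence of "arg1=" is sufficient: any
    "arg2=" that follows a later occurrence also follows the first one."""
    first = uri.find("arg1=")
    if first == -1:
        return False
    cursor = first + len("arg1=")          # end of the previous match
    return uri.find("arg2=", cursor) != -1


# Constructed sample request URIs -> (static matches, relative matches)
SAMPLES = {
    "/micro/advice.php?arg1=1irst&arg2=abc": (True, True),
    "/micro/advice.php?arg1=secnd&arg2=abc": (False, True),   # variable arg1
    "/micro/advice.php?arg2=abc&arg1=1irst": (False, False),  # arg2 before arg1
    "/index.html": (False, False),
}


def evaluate(samples=SAMPLES):
    """Runs both emulated rules over the samples; returns {uri: (static, relative)}."""
    return {uri: (match_static(uri), match_relative(uri)) for uri in samples}


if __name__ == "__main__":
    for uri, (static, relative) in evaluate().items():
        print(f"{uri:45} static={static!s:5} relative={relative!s:5}")
```

The second sample is the case Nick describes: once the arg1 value is anything other than the one seen in the screenshot, only the relative-match version fires. The third sample shows the cost of distance:0, which is that argument order matters; that is the intended trade-off, since it keeps the loose "arg1="/"arg2=" pair from matching unrelated URIs where the two strings occur in either order.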
