Blackenergy Bot Sig and Writeup
Jose Nazario, the resident genius at Arbor Networks, has a very well done writeup for the Blackenergy bots.
http://asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available/
Have generated a sig with his help:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; content:"POST "; depth:5; dsize:<300; content:"|0d 0a|Cache-Control\: no-cache|0d 0a|id="; content:"&build_id="; distance:5; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; sid:2007668; rev:1;)
This is a tough one to sig and keep the load down, so please report issues and falses.
Thanks Jose!
Matt
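To help with triaging reported falses, here is an added example (not part of the original post or the Bleeding Edge ruleset) that walks a payload through the rule's options in order and reports which one rejects it. The sample requests are constructed to fit the rule's own byte patterns and are not real captures; host names and paths are placeholders.

```python
import re

# Patterns transcribed from the rule above (sid:2007668, rev:1).
POST_PREFIX = b"POST "
CHECKIN_HEADER = b"\r\nCache-Control: no-cache\r\nid="
BUILD_ID = b"&build_id="
ID_PCRE = re.compile(rb"id=x.+_[0-9A-F]{8}&build_id=.+")


def check_blackenergy_checkin(payload: bytes) -> str:
    """Evaluate the rule's payload options in rule order.
    Returns "match", or the name of the first option that rejects the payload."""
    if payload[:5] != POST_PREFIX:                 # content:"POST "; depth:5
        return "content:POST"
    if len(payload) >= 300:                        # dsize:<300
        return "dsize"
    hdr = payload.find(CHECKIN_HEADER)             # unanchored content search
    if hdr < 0:
        return "content:Cache-Control/id="
    after_hdr = hdr + len(CHECKIN_HEADER)
    # distance:5 means the next content may only start 5+ bytes
    # after the end of the previous content match.
    if payload.find(BUILD_ID, after_hdr + 5) < 0:
        return "content:&build_id= distance:5"
    if ID_PCRE.search(payload) is None:            # pcre runs over the whole payload
        return "pcre"
    return "match"


# Constructed sample: id= follows the Cache-Control line after a single CRLF,
# exactly as the rule's content string requires.
SAMPLE_CHECKIN = (
    b"POST /stat.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"Content-Length: 41\r\n"
    b"Cache-Control: no-cache\r\n"
    b"id=xWORKSTATION_0A1B2C3D&build_id=build01"
)

# Constructed benign-looking POST with the usual blank line before the body;
# the pcre alone would match it, but the content string does not.
BENIGN_POST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"id=xuser_12345678&build_id=1"
)
```

Feeding the body of a suspect flow (from a pcap or a sensor's captured payload) to check_blackenergy_checkin shows which option fired or failed, which is the first thing to look at when a false positive is reported.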