#
# $Id: bleeding-virus.rules $
# Bleeding Edge Threats Virus rules.
#
# SID's are 2000000+ to avoid conflicts
#
# Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release.
#
# More information available at www.bleedingthreats.net
#
# Please submit any custom rules or ideas to bleeding@bleedingthreats.net or the bleeding-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2007, Bleeding Edge Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
#From Chris Norton.
# Generic downloader: outbound HTTP whose User-Agent value starts with "PE-" (|3A| is the colon).
# NOTE(review): a three-character UA prefix is a broad match; watch false-positive rate on busy egress links.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Generic Downloader Outbound HTTP connection - Downloading Code"; flow:established,to_server; content:"User-Agent|3A| PE-"; classtype: trojan-activity; sid:2002695; rev:4;)

# BugBear
#Submitted by Brad Doctor, 3/8/2005, for BugBear@MM
# Three vectors: a fixed base64 fragment of the mailed attachment (SMTP), a byte pattern in SMB traffic,
# and the UTF-16LE filename fragment "wik.exe" (|77 00 69 00 6B 00 2E 00 65 00 78 00 65 00 00 00|) on port 139.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg: "BLEEDING-EDGE VIRUS - Bugbear@MM virus in SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; sid: 2001764; rev:4; )
alert tcp $HOME_NET any -> any 139 (msg: "BLEEDING-EDGE VIRUS - BugBear@MM virus in Network share"; flow: established; content:"|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; sid: 2001765; rev:4; )
alert tcp $HOME_NET any -> any 139 (msg: "BLEEDING-EDGE VIRUS - BugBear@MM Worm Copied to Startup Folder"; flow: established; content:"|77 00 69 00 6B 00 2E 00 65 00 78 00 65 00 00 00|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; sid: 2001766; rev:4; )

# Submitted 2006-05-01 by Mark Tombaugh
# Mytob.X: "UEsDBAoA" is the base64 form of a PK zip local-file header; the second fragment must
# start 8 bytes after it and fall within the next 16 bytes. Inbound and outbound variants share the content.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS Mytob.X [clam] SMTP Inbound"; flow:to_server,established; content:"UEsDBAoA"; content:"ojRrPyGt"; distance:8; within:16; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326; classtype:trojan-activity; sid:2002892; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Mytob.X [clam] SMTP Outbound"; flow:to_server,established; content:"UEsDBAoA"; content:"ojRrPyGt"; distance:8; within:16; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326; classtype:trojan-activity; sid:2002893; rev:2;)
# Nugache: "RE9TIG1v" is the base64 form of "DOS mo" (the start of the PE stub text); second fragment 1 byte later.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS W32.Nugache SMTP Inbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; classtype:trojan-activity; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; sid:2002894; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS W32.Nugache SMTP Outbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; classtype:trojan-activity; sid:2002895; rev:2;)

#by Jonathan Gross. Experimental
# WinUpack: the hex is "MZ" immediately followed by "KERNEL32.DLL\0\0", i.e. a DOS header whose
# reserved bytes were overwritten by the packer. flow:established without a direction, so it fires on either side.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE VIRUS WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; classtype:bad-unknown; reference:url,doc.bleedingthreats.net/bin/view/Main/WinPEHeaders; sid:2003614; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE VIRUS WinUpack Modified PE Header Outbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; classtype:bad-unknown; reference:url,doc.bleedingthreats.net/bin/view/Main/WinPEHeaders; sid:2003615; rev:1;)

#These are by Vlad Tsyrklevich during presentation at Toorcon 06. These are experimental and will likely be high load.
#more information at http://toorcon.org/2006/conference.html?id=29
#These are disabled by default until we learn more about them.
# Polymorphic-decoder signatures (disabled). Each one is "ip" protocol with a dsize floor, a short content
# anchor and then unanchored PCREs over the payload; that is why the header above warns about load.
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE VIRUS SHELLCODE CLET polymorphic payload"; classtype:shellcode-detect; dsize: >40; content: "|74 07 eb|"; content: "|e8|"; distance: 1; within: 1; pcre: "/\xeb.[\x58-\x5b]\x31[\xc0\xc9\xd2\xdb][\xb0-\xb3].\x8b.[\x05\x2d\x35\x81\xc1]/sm"; pcre: "/[\x40-\x43\xfd\xff][\x40-\x43\xff][\x40-\x43\x80\xff][\x40-\x43\xe9-\xeb\xff\x80\x2c][\x40-\x43\x48-\x4b\xe9-\xeb\x01\x2c\x80][\x48-\x4c\xe9-\xeb\x02\x2c][\x03\x48-\x4b][\x48-\x4b]\x74\x07\xeb.\xe8.\xff\xff\xff/smR"; reference:url,toorcon.org/2006/conference.html?id=29; sid:2003117; rev:1;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE VIRUS SHELLCODE Shikata Ga Nai polymorphic payload"; classtype:shellcode-detect; dsize: >26; content: "|d9 74 24 f4|"; pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; pcre: "/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm"; reference:url,toorcon.org/2006/conference.html?id=29; sid:2003118; rev:1;)
#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE VIRUS SHELLCODE ADMutate polymorphic payload"; classtype:shellcode-detect; dsize: >45; content: "|e8|"; content: "|ff ff ff|"; distance: 1; within: 3; pcre: "/\xeb[\x26-\x7a].{0,20}(\x5e|\x58\x96|\x58\x89\xc6|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....|\x68....\x5b).{0,20}(\x31\xc9|\x31\xc0\x91))|((\x31\xc9|\x31\xc0\x91).{0,20}(\xbb....|\x68....\x5b))).{0,20}(\xb1.|\x6a.\x58\x89\xc1|\x6a.\x66\x59).{0,20}(\x31\x1e|\x93\x31\x06\x93|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm"; reference:url,toorcon.org/2006/conference.html?id=29; sid:2003119; rev:1;)

#Matt Jonkman
# Sality: three User-Agent based rules plus one URI-based update check. 2003088 and 2003636 both anchor on
# "User-Agent: KUKU"; 2003088 additionally requires the " v" version suffix via PCRE, so the two overlap.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Sality Trojan User-Agent (KUKU v3.09 exp)"; flow:to_server,established; content:"User-Agent\: KUKU "; nocase; pcre:"/User-Agent\:[^\n]+KUKU\sv/i"; classtype:trojan-activity; reference:url,www.sophos.com/security/analyses/w32salityu.html; sid:2003088; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Sality Trojan Web Update"; flow:to_server,established; uricontent:"/new_array2.php?speed="; nocase; classtype:trojan-activity; reference:url,www.sophos.com/security/analyses/w32salityu.html; sid:2003424; rev:1;)
#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Sality Virus User Agent Detected (KUKU v3.09)"; flow:established,to_server; content:"User-Agent\: KUKU"; nocase; classtype:trojan-activity; sid:2003636; rev:2;)
#from the bleeding sandnet
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Sality Virus User Agent Detected (SPM_ID=)"; flow:established,to_server; content:"User-Agent\: SPM_ID="; nocase; classtype:trojan-activity; sid:2003651; rev:2;)

# Sober
#Joe Stewart
# Both rules are flowbits:noalert state-setters: a short (<50 byte) "Ehlo" sets SoberEhlo, and an "AUTH LOGIN"
# on a flow with SoberEhlo set sets SoberAuth. The rule that consumes SoberAuth is not in this section.
alert tcp $HOME_NET any -> any 25 (msg: "BLEEDING-EDGE VIRUS Sober-style Ehlo - noalert"; flowbits:noalert; flow: established,to_server; dsize: <50; content:"Ehlo"; depth: 4; flowbits:set,SoberEhlo; classtype: string-detect; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober@mm.html; sid: 2001879; rev:6; )
alert tcp $HOME_NET any -> any 25 (msg: "BLEEDING-EDGE VIRUS Sober-style Ehlo followed by SMTP AUTH - noalert"; flowbits:isset,SoberEhlo; flowbits:noalert; flow: established,to_server; content:"AUTH LOGIN"; depth: 10; flowbits:set,SoberAuth; classtype: string-detect; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sober@mm.html; sid: 2001880; rev:8; )

# Sobig
#Unknown submitter - Sobig E-F downloading goodies
# Exact 8-byte UDP datagram to port 8998.
alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg: "BLEEDING-EDGE VIRUS Sobig.E-F Trojan Site Download Request"; dsize: 8; content:"|5c bf 01 29 ca 62 eb f1|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html; sid: 2001547; rev:5; )

# Spy.Win32.Bancos Trojan
#Submitted by Matt Jonkman for Spy.Win32.Bancos Trojan
# Matches the download (from_server) by the "[AspackDie!]" packer string plus a byte run.
# NOTE(review): the hex group "3138" has no separating space; presumably read as the two bytes 31 38 — confirm
# against the Snort version in use before relying on it.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE VIRUS Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; sid: 2001726; rev:6; )
#from sandnet data
#Disabling by default, hits on the VB api, not unique to this virus.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Bancos User-Agent Detected"; flow:established,to_server; content:"User-Agent\: vb wininet"; nocase; classtype:trojan-activity; sid:2004114; rev:1;)

# Webber/Berbew
#Submitted by Michael Sconzo for Webber/Berbew
#disabled by default. Threat and specific accounts gone
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE TROJAN Webber/Berbew Trojan keystroke log upload"; flow: established; content:"id=crutop|26|vvpupkin0="; depth: 20; reference:url,www.lurhq.com/berbew.html; classtype: trojan-activity; sid: 2001303; rev:4; )

#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J)"; flow:established,to_server; content:"User-Agent\: p4r4z1t3v3"; nocase; classtype:trojan-activity; sid:2003638; rev:1;)

#by mr Magic Pants
# Requires both the Subject line and the Indy X-Library header, the latter after the former (distance:0).
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS Win32.SMTP-Mailer SMTP Outbound"; flow:to_server,established; content:"Subject\: \: ZOMBIE"; nocase; content:"X-Library\: Indy 9.00.10"; nocase; distance:0; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095; reference:url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1; sid:2003041; rev:3;)

#Matt Jonkman, analysis from captured binary
# Don't know a lot about this one. But the control session is apparently opened by a 00 00 00 00
# Then the bot replies with a packet that begins with the date in form such as 20060622, and
# among other things contains the host OS info.
# Since this is a Windows bot, we can assume the word Windows will be in there.
# Hopefully we can update these as more is learned. This is sorta crude, but should
# be reliable to not false pos at least....
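# Hupigon: a 4-byte all-NUL packet to port 8000 sets BSHupigonControlStart; the second rule only
# fires on a flow that already has the bit set and then carries "Windows " (case-sensitive).
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"BLEEDING-EDGE TROJAN Backdoor.Hupigon Possible Control Connection Being Established"; flow:established,to_server; dsize:4; content:"|00 00 00 00|"; flowbits:set,BSHupigonControlStart; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html; sid:2002974; rev:1;)
# rev 2: the original carried "flowbits:isset,BSHupigonControlStart" twice; the duplicate was redundant
# and has been removed. Matching behaviour is unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"BLEEDING-EDGE TROJAN Backdoor.Hupigon INFECTION - Reporting Host Type"; flow:established,to_server; flowbits:isset,BSHupigonControlStart; content:"Windows "; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html; sid:2002975; rev:2;)

#by Scott Melnick
# Single-byte |04| payload with PSH/ACK set (the ",12" mask ignores the two reserved/ECN flag bits)
# from a non-HTTP source port to port 1337.
alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1337 (msg:"BLEEDING-EDGE TROJAN Win32.SkSocket C&C Connection"; flow:established,to_server; flags:PA,12; dsize:1; content:"|04|"; classtype:trojan-activity; sid:2007585; rev:2;)

#by Matt Jonkman
#Bandook 1.2
# The initial report sets BE.Bandook1.2 (and is gated by isnotset so it fires once per flow);
# every other v1.2 rule in this file requires that bit. Destination is any host on an ephemeral port.
alert tcp $HOME_NET any -> any 1024:65535 (msg:"BLEEDING-EDGE TROJAN Bandook v1.2 Initial Connection and Report"; flowbits:isnotset,BE.Bandook1.2; flow:established,to_server; content:"&first& # "; pcre:"/# \d+d \d+dh \d+m # /iR"; classtype:trojan-activity; flowbits:set,BE.Bandook1.2; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003549; rev:1;)
alert tcp $HOME_NET any -> any 1024:65535 (msg:"BLEEDING-EDGE TROJAN Bandook v1.2 Get Processes"; flowbits:isset,BE.Bandook1.2; flow:established,to_server; dsize:8; content:"|99 9b 86 8a 85 80 9a 9d|"; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003550; rev:1;)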
# Remaining v1.2 rules: all gated on BE.Bandook1.2. Commands from the bot (to_server) and replies
# from the controller (from_server) are anchored at offset 0 with an exact or minimum dsize.
alert tcp $HOME_NET any -> any 1024:65535 (msg:"BLEEDING-EDGE TROJAN Bandook v1.2 Kill Process Command"; flowbits:isset,BE.Bandook1.2; flow:established,to_server; dsize:>8; content:"kill3d"; offset:0; depth:6; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003551; rev:1;)
alert tcp any 1024:65535 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Active"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:7; content:"sockson"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003552; rev:1;)
alert tcp any 1024:65535 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Bandook v1.2 Reporting Socks Proxy Off"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:8; content:"socksoff"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003553; rev:1;)
alert tcp any 1024:65535 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Bandook v1.2 Client Ping Reply"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:10; content:"&SEXREPLY&"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003554; rev:1;)

#Bandook 1.35
# v1.35 obfuscates its protocol; per the "xor by 0xe9" note on sid 2003936 below, |cf| decodes to '&'
# and |99 9b 86 8a 85 80 9a 9d| to "proclist". Same flowbit pattern as v1.2 but on BE.Bandook1.35.
alert tcp $HOME_NET any -> any 1024:65535 (msg:"BLEEDING-EDGE TROJAN Bandook v1.35 Initial Connection and Report"; flowbits:isnotset,BE.Bandook1.35; flow:established,to_server; content:"|cf 8f|"; offset:0; depth:2; content:"|20 26 26 26|"; distance:50; classtype:trojan-activity; flowbits:set,BE.Bandook1.35; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003555; rev:1;)
alert tcp any 1024:65535 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:6; content:"|cf ab a8 a7 ae cf|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003556; rev:1;)
alert tcp $HOME_NET any -> any 1024:65535 (msg:"BLEEDING-EDGE TROJAN Bandook v1.35 Keepalive Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:9; content:"|cf ab a8 a4 ae cf 26 26 26|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003557; rev:1;)
alert tcp any 1024:65535 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Bandook v1.35 Create Registry Key Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>10; content:"|cf 9b 8c 8e 8a 9b cf|"; offset:0; depth:7; content:"|95|"; distance:5; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003558; rev:1;)
alert tcp any 1024:65535 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Bandook v1.35 Create Directory Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>7; content:"|cf 84 82 8d 80 9b cf 95|"; offset:0; depth:8; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003559; rev:1;)
alert tcp any 1024:65535 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Bandook v1.35 Window List Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:10; content:"|cf 8e 80 84 84 8c 9e 80 87 cf|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003560; rev:1;)
alert tcp $HOME_NET any -> any 1024:65535 (msg:"BLEEDING-EDGE TROJAN Bandook v1.35 Window List Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:>10; content:"|cf 9e 80 87 85 80 9a 9d cf|"; offset:0; depth:9; content:"|26 26 26|"; distance:10; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003561; rev:1;)
# Same 8-byte content as v1.2 sid 2003550, but here it is the controller->bot direction (from_server).
alert tcp any 1024:65535 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:8; content:"|99 9b 86 8a 85 80 9a 9d|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003562; rev:1;)
alert tcp $HOME_NET any -> any 1024:65535 (msg:"BLEEDING-EDGE TROJAN Bandook v1.35 Get Processes Command Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:>10; content:"|cf 9d 82 99 9b 86 8a cf|"; offset:0; depth:8; content:"|26 26 26|"; distance:10; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003565; rev:1;)
alert tcp any 1024:65535 -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN Bandook v1.35 Start Socks5 Proxy Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>6; content:"|a7 a0 a7 ae 95|"; offset:0; depth:5; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003563; rev:1;)
alert tcp $HOME_NET any -> any 1024:65535 (msg:"BLEEDING-EDGE TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:10; content:"|9a 86 8a 82 9a 86 87 26 26 26|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.bleedingthreats.net/bin/view/Main/TrojanBandook; sid:2003564; rev:1;)

#by Joe Stewart
# Ungated variant of the v1.35 initial report: 8 fixed bytes at the start of a short (<80 byte) packet to any port.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE TROJAN Bandok phoning home (xor by 0xe9 to decode)"; flow:established,to_server; content:"|CF 8F 80 9B 9A 9D CF 95|"; depth:8; dsize:<80; reference:url,www.dshield.org/diary.html?date=2007-03-28; reference:url,www.secureworks.com/research/threats/bbbphish/?threat=bbbphish; classtype:trojan-activity; sid:2003936; rev:1;)
# HTTP POST of form data containing "VISITED_URL"; every content after the first is window-bounded (within).
# NOTE(review): "priority:20" overrides the classtype default. In Snort a lower number is a higher priority,
# so this demotes the alert; confirm that is intended.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Bandook iwebho/BBB-phish trojan leaking user data"; flow:established,to_server; content:"POST|20|/"; depth:6; content:"|20|HTTP/1.1|0d0a|Content-Type|3a20|application/x-www-form-urlencoded|0d0a|Host|3a20|"; within:150; content:"Content-Length|3a20|"; within:100; content:"|0d0a0d0a|"; within:12; content:"VISITED_URL"; within:100; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/bbbphish; priority:20; sid:2003937; rev:1;)

#Matt Jonkman
# This thing sends out an email to its owner with stats and such. This ought to catch it..
# All four Banker.Delf SMTP variants key on the Indy mail library header plus Portuguese-language
# field names from the status mail; |e3| in 2002976 is the "ã" of "Versão" in the sample's encoding.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE TROJAN Banker.Delf Infection - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Maquina.."; nocase; content:"Vers|e3|o do Windows"; nocase; content:"Microsoft Windows"; nocase; content:"Mac Address.."; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2002976; rev:5;)
#another variant
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Nome Computador\: "; nocase; content:"Data\: "; nocase; content:"Windows\: Microsoft Windows "; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2002978; rev:2;)
#Yet another
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Subject\: INFECT - "; nocase; content:"Data\: "; nocase; content:"Windows\: Microsoft Windows "; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2002980; rev:1;)
# NOTE(review): variant 4 adds only the unordered two-to-four letter tokens "IP", "Hora", "Data"; on its own
# that is weak, the Indy header plus "Maquina" does most of the discrimination.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Maquina"; nocase; content:"IP"; nocase; content:"Hora"; nocase; content:"Data"; nocase; content:"Microsoft Windows "; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2002981; rev:1;)
#from sandnet data
# Banker.Delf HTTP User-Agent strings. 2003933 requires the CRLF right after "Ms" so the UA is exactly "Ms".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Banker.Delf User-Agent (Varlok_11000)"; flow:established,to_server; content:"User-Agent\: Varlok_"; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2003931; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Banker.Delf User-Agent (Ms)"; flow:established,to_server; content:"User-Agent\: Ms|0d 0a|"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2003933; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Banker.Delf User-Agent (hhh)"; flow:established,to_server; content:"User-Agent\: hhh"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2004442; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Banker.Delf User-Agent (MzApp)"; flow:established,to_server; content:"User-Agent\: MzApp"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; sid:2007594; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)"; flow:established,to_server; content:"User-Agent\: WINDOWS_LOADS"; classtype:trojan-activity; sid:2007699; rev:1;)

#Matt Jonkman
# Regular downloader, usually grabs a few swf exploiting files from Brazilian servers. Sends an email on install
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE TROJAN Banload Downloader Infection - Sending initial email to owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Dispositivo instalado."; nocase; content:"Maquina pronta para uso."; nocase; content:"Data\: "; nocase; content:"Hora\: "; nocase; content:"Development by "; nocase; classtype:trojan-activity; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=95586; sid:2002977; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Banload User-Agent Detected (ExampleDL)"; flow:established,to_server; content:"User-Agent\: ExampleDL"; classtype:trojan-activity; sid:2004440; rev:1;)

#by matt Jonkman, from sandnet analysis
# Large (>1000 byte) request whose body starts with "a=" and carries "&b=reported" and "&d=report" within 40 bytes each.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Basine Trojan Checkin"; flow:established,to_server; dsize:>1000; content:"|0d 0a 0d 0a|a="; content:"&b=reported"; distance:0; within:40; content:"&d=report"; distance:0; within:40; classtype:trojan-activity; sid:2007692; rev:1;)

#analysis by Jose Nazario at arbor networks. Sig by matt jonkman
# Small (<400 byte) POST with Cache-Control: no-cache and a body "id=x..._<8 hex>&build_id=...".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; content:"POST "; depth:5; dsize:<400; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|id="; content:"&build_id="; distance:5; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; sid:2007668; rev:2;)

# Bofra Worm
#submitted by Matt Jonkman, additions by David Maciejak - Bofra Worm
# HTTP-style GET for "reactor" on port 1639 from a non-HTTP source port.
alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639 (msg: "BLEEDING-EDGE WORM Bofra Victim Accessing Reactor Page"; flow: from_client,established; content:"GET "; nocase; content:"reactor"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; classtype: trojan-activity; sid: 2001430; rev:8; )

#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Brontok User-Agent Detected (Brontok.A3 Browser)"; flow:established,to_server; content:"User-Agent\: Brontok"; nocase; classtype:trojan-activity; sid:2006999; rev:1;)

#By Scott Melnick
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Dialer"; flow: established,to_server; uricontent:"/getnumtemp.asp?nip=0"; nocase; reference:url,isc.sans.org/diary.php?storyid=1388; classtype:trojan-activity; sid:2003083; rev:1;)

#Matt Jonkman from sandnet data
# Dialer-715 checkin: all five URI parameters must be present (order not enforced).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Dialer-715 Install Checkin"; flow: established,to_server; uricontent:"/perl/invoc_oneway.pl"; nocase; uricontent:"?id_service="; nocase; uricontent:"&nom_exe="; nocase; uricontent:"&skin="; nocase; uricontent:"&id_produit="; nocase; classtype:trojan-activity; sid:2003650; rev:1;)

#by Scott Melnick from sandnet data
# User-Agent exactly "del" (CRLF required immediately after).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Dialer-967 User-Agent"; flow:to_server,established; content:"User-Agent\: del|0d 0a|"; nocase; classtype:trojan-activity; sid:2006364; rev:1;)

#by Matt Jonkman
# NOTE(review): the reference host reads "ww.symantec.com" — most likely a dropped "w"; fix and bump rev.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Diazom Trojan User-Agent in Use (cv_v2.0.1)"; flow:established,to_server; content:"User-agent\: cv_v"; classtype:trojan-activity; reference:url,ww.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-032316-0426-99&tabid=2; sid:2003598; rev:1;)

#Matt Jonkman, thanks to the Clam guys for the information and sample
# Negated content (content:!"User-Agent\:") requires the request to carry NO User-Agent header while still having a Host header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader-1355 Checking In"; flow:established,to_server; uricontent:"/adload.php?a1="; nocase; uricontent:"a3="; nocase; uricontent:"&a4="; nocase; uricontent:"&a5="; nocase; content:!"User-Agent\:"; content:"Host\:"; classtype:trojan-activity; sid:2003408; rev:1;)

#first found by ClamAV
#Sigs by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN W32.Downloader-388 (Trojan-Downloader.Win32.Tibs.jy) Reporting to C&C"; flow:established,to_server; uricontent:"/sp/post.php"; nocase; content:"User-Agent\: Mozilla/3.0b5a (Win95\; I)"; nocase; content:"data="; nocase; classtype:trojan-activity; sid:2003238; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN W32.Downloader-388 (Trojan-Downloader.Win32.Tibs.jy) Reporting to C&C (2)"; flow:established,to_server; uricontent:"/cp/rule.php?"; nocase; uricontent:"name="; nocase; uricontent:"b="; nocase; uricontent:"w="; nocase; classtype:trojan-activity; sid:2003239; rev:1;)

# by axn jxn
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID [...)"; flow:established,to_server; content:"User-Agent\: MSID ["; nocase; depth:320; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2003590; sid:2003590; rev:2;)

#by Matt Jonkman
#from sandnet analysis
# Dluca checkin: fourteen URI parameters, all required, order not enforced.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader.Dluca HTTP Checkin"; flow:established,to_server; uricontent:"?id={"; nocase; uricontent:"&srv=ms"; nocase; uricontent:"&ver="; nocase; uricontent:"&docid="; nocase; uricontent:"&time="; nocase; uricontent:"&cstate="; nocase; uricontent:"&state="; nocase; uricontent:"&flash="; nocase; uricontent:"&pin="; nocase; uricontent:"&OSInfo2="; nocase; uricontent:"&cinfo="; nocase; uricontent:"&smd="; nocase; uricontent:"&rts="; nocase; uricontent:"&retryattempt="; nocase; classtype:trojan-activity; sid:2007595; rev:1;)

#Sigs for general downloader trojans and worms. Not all get unique names
#by Matt Jonkman. Saw a downloader appending ver7 to the end of a regular UA. No spaces. very unique
# The PCRE requires ")ver" followed by a digit somewhere in the User-Agent line.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype: trojan-activity; sid:2003380; rev:2;)

#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader.Small User Agent Detected (NetScafe)"; flow:established,to_server; content:"User-Agent\: NetScafe "; nocase; classtype:trojan-activity; sid:2003641; rev:1;)
# NOTE(review): "User-Agent: lol" is a prefix match, so any UA beginning with "lol" (nocase) hits; consider
# a trailing |0d 0a| as 2003933 and 2006364 do if this proves noisy.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader.Affill User Agent Detected (lol)"; flow:established,to_server; content:"User-Agent\: lol"; nocase; classtype:trojan-activity; sid:2003642; rev:1;)
#Reports of falsing here, the UA is legit within MS VB stuff. Scheduled to be deleted in a week or so. Do not recommend using this
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control)"; flow:established,to_server; content:"User-Agent\: Microsoft URL Control -"; nocase; classtype:trojan-activity; sid:2003646; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Backdoor.Irc.MFV User Agent Detected (IRC-U)"; flow:established,to_server; content:"User-Agent\: IRC-U v"; nocase; classtype:trojan-activity; sid:2003647; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Clicker.BC User Agent Detected (linkrunner)"; flow:established,to_server; content:"User-Agent\: linkrunner"; nocase; classtype:trojan-activity; sid:2003648; rev:1;)

#generic downloader and bot checkin url, found in Backdoor.Win32.Small.or
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Bot Backdoor Checkin/registration Request"; flow:established,to_server; uricontent:"/remote.php?"; nocase; uricontent:"os="; nocase; uricontent:"&user="; nocase; uricontent:"&status="; nocase; uricontent:"&version="; nocase; uricontent:"&build="; nocase; uricontent:"&uptime="; nocase; classtype:trojan-activity; sid:2006366; rev:1;)

#by Scott Melnick and Andre
# NOTE(review): no path component is anchored here, only four short query keys ("?m=", "&a=", "&hdd=", "&os=");
# expect this to be the noisiest rule in the group.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader.Win32.Agent.bwr"; flow:established,to_server; uricontent:"?m="; nocase; uricontent:"&a="; nocase; uricontent:"&hdd="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; sid:2006377; rev:1;)

#from sandnet analysis, by Matt Jonkman
# UA of the form x??x??!x??x??x?? (word characters) — the PCRE is case-sensitive and the content anchor is not nocase.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Matcash or related downloader User-Agent Detected"; flow:established,to_server; content:"User-Agent\: x"; pcre:"/x\w\wx\w\w\!x\w\wx\w\wx\w\w/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2006382; sid:2006382; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader User-Agent Detected (Windows Updates Manager|3.12|...)"; flow:established,to_server; content:"User-Agent\: Windows Updates Manager|7c|"; classtype:trojan-activity; sid:2006387; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader User-Agent Detected (ld)"; flow:established,to_server; content:"User-Agent\: ld|0d 0a|"; classtype:trojan-activity; sid:2006394; rev:1;) #sandnet analysis, by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader.26001 Url Pattern Detected"; flow:established,to_server; uricontent:"install.php?"; nocase; uricontent:"wall_id="; nocase; uricontent:"&maddr=0"; nocase; uricontent:"&action="; nocase; classtype:trojan-activity; sid:2006400; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader.26001 Url Pattern Detected (lunch_id)"; flow:established,to_server; uricontent:".php?"; nocase; uricontent:"aff_id="; nocase; uricontent:"lunch_id="; nocase; uricontent:"&maddr=0"; nocase; classtype:trojan-activity; sid:2006401; rev:1;) #from sandnet data, by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader.Win32.Agent.cav Url Pattern Detected (ping)"; flow:established,to_server; uricontent:"/ping/"; nocase; pcre:"/\/ping\/[0-9a-fA-F]{64}\/[0-9a-fA-F]+\/[0-9a-fA-F]+/Ui"; classtype:trojan-activity; sid:2007284; rev:1;) #matt jonkman, from sandnet data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN General Downloader Checkin URL (GUID+)"; flow:established,to_server; uricontent:"&version="; nocase; uricontent:"&configversion="; nocase; uricontent:"GUID="; nocase; uricontent:"&cmd="; nocase; uricontent:"&p="; nocase; uricontent:"&i="; nocase; uricontent:"&x="; nocase; classtype:trojan-activity; sid:2007577; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE 
TROJAN General Downloader or Virut C&C Ack"; flow:established,to_server; uricontent:"uid="; nocase; uricontent:"&version="; nocase; uricontent:"&actionname="; nocase; uricontent:"&action="; nocase; uricontent:"&success="; nocase; uricontent:"&debug="; nocase; uricontent:"&nocache="; nocase; classtype:trojan-activity; sid:2007587; rev:1;) #Matt Jonkman, from the sandnet alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Suspicious User-Agent - Matcash related Trojan Downloader (Ismazo Advanced Loader)"; flow:established,to_server; content:"User-Agent\: Ismazo"; nocase; classtype: trojan-activity; sid:2007633; rev:2;) #from the sandnet #by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Win32.Agent.cah Checkin Request"; flow:established,to_server; uricontent:"?v="; nocase; uricontent:"&mid="; nocase; uricontent:"&r1="; nocase; uricontent:"&tm=200"; nocase; uricontent:"&av="; nocase; uricontent:"&os=Windows"; nocase; uricontent:"&uid="; nocase; uricontent:"cht="; classtype:trojan-activity; sid:2007644; rev:1;) # Submitted by Tom Fischer, 2006-01-08, updated 4/22/06 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Dumador Reporting User Activity"; flow:established,to_server; uricontent:".php?p="; nocase; uricontent:"?machineid="; nocase; uricontent:"&connection="; nocase; uricontent:"&iplan="; nocase; classtype:trojan-activity; reference:url,www.norman.com/Virus/Virus_descriptions/24279/; sid:2002763; rev:2;) # Submitted 4-6-07 Mark Warren alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN Trojan.Duntek establishing remote connection"; flow:established,to_server; uricontent:"rfe.php?"; nocase; uricontent:"cmp=dun_tekfirst"; nocase; uricontent:"guid="; nocase; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99; sid:2003537; rev:1;) #by Chich Thierry alert tcp $EXTERNAL_NET any -> $HOME_NET 
25 (msg:"BLEEDING-EDGE TROJAN - elitekeylogger v1.0 reporting - Inbound"; flow:established,to_server; content:"MAIL FROM|3a|"; classtype:trojan-activity; sid:2002938; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE TROJAN - elitekeylogger v1.0 reporting - Outbound"; flow:established,to_server; content:"MAIL FROM|3a|"; classtype:trojan-activity; sid:2002941; rev:3;) #from sandnet, by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN ExplorerHijack Trojan HTTP Checkin"; flow:established,to_server; uricontent:"php?i="; uricontent:"&v="; uricontent:"&win=Windows"; uricontent:"&un="; uricontent:"&uv="; uricontent:"&s="; uricontent:"&onl="; uricontent:"&ip="; uricontent:"&f="; classtype:trojan-activity; sid:2007700; rev:1;) #this sig is experimental. It appears to use a base64 encoded user-agent # it's very long, no spaces or punctuation, which is what we can key on # please report load or fp problems alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Farfli User Agent Detected"; flow:established,to_server; uricontent:"/rpt"; content:"|0d 0a|User-Agent\: "; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/\x0a\x0aUser-Agent\: [a-z0-9]{92}/Ui"; classtype:trojan-activity; sid:2007646; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Farfli User Agent Detected (VYG)"; flow:established,to_server; content:"|0d 0a|User-Agent\: VYG|0d 0a|"; classtype:trojan-activity; sid:2007658; rev:1;) #by matt jonkman, from sandnet data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING_EDGE TROJAN Feral Checkin via HTTP"; flow:established,to_server; uricontent:"?ucid="; nocase; uricontent:"&wmid="; nocase; classtype:trojan-activity; sid:2007286; rev:1;) #Matt Jonkman # General signs of trojan infections.... 
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - INFECTADO"; flow:established,to_server; content:"Subject\: Microsoft Windows"; nocase; content:"INFECTADO"; nocase; within:20; classtype:trojan-activity; sid:2002982; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - SUCCESSO"; flow:established,to_server; content:"PC INFECTADO COM SUCCESSO"; nocase; classtype:trojan-activity; sid:2002983; rev:1;) #Matt Jonkman, found by Jacob Kitchel alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Unnamed Generic.Malware http get"; flow:established,to_server; uricontent:"/ww20/script.php?id="; nocase; content:"&config="; nocase; content:!"User-Agent\:"; classtype:trojan-activity; sid:2003431; rev:1;) #from castlecops research alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Generic.Malware.SFL User-Agent (Rescue/9.11)"; flow:established,to_server; content:"User-Agent\: Rescue/9.11"; classtype:trojan-activity; sid:2003645; rev:1;) #by Tom Fisher alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Goldun Reporting User Activity"; flow:established,to_server; uricontent:"/data.php?param="; nocase; uricontent:"&socks="; pcre:"/User-Agent\:[^\n]Windows Updater/i"; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; sid:2002775; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Goldun Reporting User Activity 2"; flow:established,to_server; uricontent:"/c.php?phid="; nocase; uricontent:"&ver="; nocase; uricontent:"&nn="; nocase; pcre:"/User-Agent\:[^\n]+z/i"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; sid:2002780; rev:1;) # Submitted 2006-09-22 by Frank Knobbe alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Possible Goldun Dropsite 1"; flow:to_server,established; uricontent:"/sd.php"; nocase; classtype:trojan-activity; sid:2003107; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Possible Goldun Dropsite 2"; flow:to_server,established; uricontent:"/fix.php"; nocase; classtype:trojan-activity; sid:2003108; rev:1;) #by Secureworks # Paper here: www.secureworks.com/research/threats/gozi/?threat=gozi alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Gozi Certificate Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/certs.cgi?"; depth:24; pcre:"/POST\x20\x2Fcgi\x2Dbin\x2Fcerts\x2Ecgi\x20HTTP\x2F1\x2E1[\x0D\x0A]+Content\x2DType\x3A\x20multipart\x2Fform\x2Ddata\x3B\x20boundary\x3D.*[\x0D\x0A]+User\x2DAgent\x3A\x20Mozilla\x2F4\x2D0\x20\x28compatible\x3B\x20MSIE\x206\x2D0\x3B\x20Windows\x20NT\x205\x2D1\x29[\x0D\x0A]+Host\x3A\x20/i"; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003509; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Gozi Registration"; flow:to_server,established; content:"GET /cgi-bin/options.cgi?"; depth:25; pcre:"/GET\x20\x2Fcgi\x2Dbin\x2Foptions\x2Ecgi\x3Fuser_id\x3D([0-9])+\x26socks\x3D([0-9])+\x26version_id\x3D([0-9])+\x26passphrase\x3D\x20HTTP\x2F1\x2E1[\x0D\x0A]+User\x2DAgent\x3A\x20Mozilla\x2F4\x2D0\x20\x28compatible\x3B\x20MSIE\x206\x2D0\x3B\x20Windows\x20NT\x205\x2D1\x29[\x0D\x0A]+Host\x3A\x20/i"; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003510; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Gozi Form Data Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/forms.cgi?"; depth:24; 
pcre:"/POST\x20\x2Fcgi\x2Dbin\x2Fforms\x2Ecgi\x20HTTP\x2F1\x2E1[\x0D\x0A]+Content\x2DType\x3A\x20multipart\x2Fform\x2Ddata\x3B\x20boundary\x3D.*[\x0D\x0A]+User\x2DAgent\x3A\x20Mozilla\x2F4\x2D0\x20\x28compatible\x3B\x20MSIE\x206\x2D0\x3B\x20Windows\x20NT\x205\x2D1\x29[\x0D\x0A]+Host\x3A\x20/i"; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003511; rev:1;) #by Cees Elzinga alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Possible Gozi Trojan Checkin"; flow:established,to_server; uricontent:"cgi"; uricontent:"user_id="; uricontent:"version_id="; uricontent:"crc="; uricontent:"passphrase"; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2007632; rev:1;) #from private list alert tcp any any -> any $HTTP_PORTS (msg: "BLEEDING-EDGE BOTNET HTTP Botnet reg"; flow: established; uricontent:"/reg?u="; nocase; content:"&v="; nocase; within: 15; content:"&s="; nocase; within: 15; content:"&su="; nocase; within: 15; content:"&p="; nocase; within: 15; classtype: trojan-activity; reference:url,www.honeynet.org/papers/bots; sid: 2001899; rev:7; ) #5/2/05 aim distributed in some cases, Matt Jonkman alert tcp any any -> any $HTTP_PORTS (msg: "BLEEDING-EDGE BOTNET BwB Botnet Checkin"; flow: established; uricontent:"/update.php?port="; nocase; content:"&checktime="; nocase; within: 20; content:"&uptime="; nocase; within: 20; content:"&result="; nocase; within: 20; content:"&localip="; nocase; within: 15; content:"&id="; nocase; within: 20; content:"$hash="; nocase; within: 20; classtype: trojan-activity; reference:url,www.honeynet.org/papers/bots; sid: 2001900; rev:6; ) #Joe Stewart from Lurhq alert tcp any any -> any $HTTP_PORTS (msg: "BLEEDING-EDGE TROJAN Possible Bobax trojan infection"; flow: established,to_server; content:"GET /reg|3f|u="; depth: 11; content:"|26|v="; within: 3; distance: 8; reference:url,www.lurhq.com/bobax.html; classtype: trojan-activity; sid: 
2001901; rev:3; ) # Hacker Defender Root Kit #By Chris Norton 2/22/05 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE TROJAN HackerDefender Root Kit Remote Connection Attempt Detected"; flow: established,to_server; content:"|01 9a 8c 66 af c0 4a 11 9e 3f 40 88 12 2c 3a 4a 84 65 38 b0 b4 08 0b af db ce 02 94 34 5f 22|"; rawbytes;tag: session, 20, packets; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; sid: 2001743; rev:6; ) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE TROJAN HackerDefender.HE Root Kit Control Connection"; flow: established,to_server; content:"|d0 84 ec 77 cf ec 60 e9|"; depth:8; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; sid: 2003244; rev:1; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE TROJAN HackerDefender.HE Root Kit Control Connection Reply"; flow: established,from_server; content:"|d0 84 ec 77 cf ec 60 e9|"; depth:8; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; sid: 2003245; rev:1; ) # Trojan HaxDoor #Submitted by Tom Fischer, 2006-01-24, modified 2/2/06 on info from chris alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Haxdoor Reporting User Activity"; flow:established,to_server; uricontent:"/bsrv.php?"; nocase; uricontent:"lang="; nocase; uricontent:"&socksport="; nocase; uricontent:"&httpport="; nocase; uricontent:"&uptimem="; nocase; uricontent:"&uptimeh="; nocase; uricontent:"&uid="; nocase; uricontent:"&ver="; nocase; pcre:"/User-Agent\:[^\n]MSIE 6.0/i"; nocase; classtype:trojan-activity; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAXDOOR.DI; sid: 2002790; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Haxdoor Reporting User Activity 2"; 
flow:established,to_server; uricontent:".php?param="; nocase; uricontent:"&socksport="; nocase; uricontent:"&httpport="; nocase; uricontent:"&uptime"; nocase; uricontent:"&uid="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; sid:2002929; rev:1;) #Matt Jonkman alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE VIRUS Hotword Trojan in Transit"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001959; rev:5; ) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE VIRUS Hotword Trojan inbound via http"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001960; rev:4; ) alert tcp any any -> $EXTERNAL_NET 21 (msg: "BLEEDING-EDGE VIRUS Hotword Trojan - Possible File Upload CHJO"; flow: to_server,established; content:"STOR __"; content:"-CHJO.DRV"; nocase; within: 100; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001961; rev:6; ) alert tcp any any -> $EXTERNAL_NET 21 (msg: "BLEEDING-EDGE VIRUS Hotword Trojan - Possible File Upload CFXP"; flow: to_server,established; content:"STOR __"; content:"-CFXP.DRV"; nocase; within: 100; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001962; rev:6; ) alert tcp any any -> $EXTERNAL_NET 21 (msg: "BLEEDING-EDGE VIRUS Hotword Trojan - Possible FTP File Request pspv.exe"; flow: to_server,established; content:"SIZE pspv.exe"; 
reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001963; rev:6; ) alert tcp any any -> $EXTERNAL_NET 21 (msg: "BLEEDING-EDGE VIRUS Hotword Trojan - Possible FTP File Request .tea"; flow: to_server,established; content:"LIST "; content:".tea"; nocase; within: 50; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001964; rev:6; ) alert tcp any any -> $EXTERNAL_NET 21 (msg: "BLEEDING-EDGE VIRUS Hotword Trojan - Possible FTP File Status Upload ___"; flow: to_server,established; content:"|53 54 4f 52 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001965; rev:6; ) alert tcp any any -> $EXTERNAL_NET 21 (msg: "BLEEDING-EDGE VIRUS Hotword Trojan - Possible FTP File Status Check ___"; flow: to_server,established; content:"|53 49 5a 45 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; sid: 2001966; rev:6; ) #from castlecops research, http://www.castlecops.com, sig by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Hupinon User Agent Detected (SykO)"; flow:established,to_server; content:"User-Agent\: SykO"; nocase; classtype:trojan-activity; sid:2003649; rev:3;) #from sandnet analysis alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Hupinon User Agent Detected (IE_7.0)"; flow:established,to_server; content:"User-Agent\: IE_7.0"; nocase; classtype:trojan-activity; sid:2003932; rev:3;) #from sandnet alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Hupigon URL Infection Checkin Detected"; flow:established,to_server; uricontent:"?mac="; nocase; uricontent:"&ver="; nocase; uricontent:"&user="; nocase; uricontent:"&md5="; nocase; uricontent:"&pc="; nocase; 
pcre:"/mac=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ui"; classtype:trojan-activity; sid:2007592; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Hupigon User Agent Detected (RAV1.23)"; flow:established,to_server; content:"User-Agent\: RAV"; nocase; pcre:"/User-Agent\: RAV\d\.\d\d/"; classtype:trojan-activity; sid:2007661; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Hupigon User Agent Detected (??)"; flow:established,to_server; content:"User-Agent\: |3f 3f 0d 0a|"; nocase; classtype:trojan-activity; sid:2007689; rev:1;) # By Joe Stewart, Based on valuable work by Tom Fisher alert icmp any any -> any any (msg:"BLEEDING-EDGE TROJAN ICMP Banking Trojan sending encrypted stolen data"; dsize:>64; itype:8; icode:0; content:"|08|"; depth:1; byte_test:4,>,64,1,little; byte_test:4,<,1500,1,little; content:"|0000|"; distance:4; within:1495; classtype:trojan-activity; reference:url,www.websensesecuritylabs.com/alerts/alert.php?AlertID=570; sid:2003073; rev:2;) # IRC Trojan Reporting # # By Erik Fichtner # # Bleeding-Remix :: irc / ircbot detection state machine # compiled from various sources. # thanks to: Joe Stewart of LURHQ, Joel Esler, Tomfi. ### Client login process. flowbits needs an OR. ### Client needs to tell the server who they are, ### join a group, and someone needs to say something to ### someone else. 
# Stage 1 of the IRC state machine: a client-side USER or NICK command marks the flow
# with the irc.start flowbit. flowbits:noalert means these two rules only record state
# and never raise an event on their own. Both set the same bit because either command
# can be seen first on a given flow (that is the "flowbits needs an OR" note above).
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN IRC USER command"; flow: to_server,established; content:"USER|20|"; nocase; offset: 0; content:"|203a|"; within: 40; content:"|0a|"; within: 40; flowbits:noalert; flowbits: set,irc.start; classtype: misc-activity; sid: 2002023; rev:9; )
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN IRC NICK command"; flow: to_server,established; content:"NICK|20|"; nocase; depth:50; content:"|0a|"; within: 40; flowbits:noalert; flowbits: set,irc.start; classtype: misc-activity; sid: 2002024; rev:10; )
# Stage 2: only evaluated on flows that already carry irc.start (flowbits:isset). A
# "JOIN #" (|2023| is " #") promotes the flow to is_proto_irc, the bit the BOT command
# rules further down gate on. Still noalert: classification only, no event.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN IRC JOIN command"; flowbits:isset,irc.start; flow:to_server,established; content:"JOIN|2023|"; nocase; depth:50; content:"|0a|"; within: 40; flowbits: set,irc.start; flowbits:set,is_proto_irc; flowbits:noalert; classtype: misc-activity; sid: 2002025; rev:10;)
#Another start, psyBNC servers don't always use a join, info from Reg Quinton
# Alternate entry point: the server banner itself carries "psyBNC@lam3rz" (":" at byte 0,
# banner within the next 32 bytes), so both bits are set in one step. Unlike the three
# rules above this one has no flowbits:noalert and produces a misc-activity event itself.
alert tcp any any -> $HOME_NET any (msg: "BLEEDING-EDGE TROJAN psyBNC IRC Server Connection"; flow:from_server,established; content:"\:"; offset:0; depth:1; content:"psyBNC@lam3rz"; within:32; nocase; flowbits:set,irc.start; flowbits:set,is_proto_irc; classtype: misc-activity; reference:url,en.wikipedia.org/wiki/PsyBNC; sid:2003302; rev:4;)
#Updated by Reg Quinton
# A PRIVMSG with ":" within 30 bytes on an irc.start flow also promotes it to
# is_proto_irc (noalert). Two differences from the rules above worth knowing when
# tuning: flow:established carries no direction, so either side's PRIVMSG qualifies,
# and the "PRIVMSG " content has no nocase, so it is case-sensitive.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN IRC PRIVMSG command"; flowbits:isset,irc.start; flow:established; content:"PRIVMSG|20|"; content:"|3a|"; within:30; flowbits:set,is_proto_irc; flowbits:noalert;classtype: misc-activity; sid: 2002026; rev:11;)
### Alternate path to is_proto_irc, Catch PING/PONG.
# PING/PONG path: a server "PING " at offset 0 on a flow not yet marked is_proto_irc
# sets irc.ping; the client's "PONG " on a flow with irc.ping set then promotes it to
# is_proto_irc. Both rules are noalert (state only). Note this path never sets
# irc.start, so rules that gate on irc.start rather than is_proto_irc (e.g. the Kaiten
# response rule later in this file) will not fire for flows classified only this way.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN IRC PING command"; flowbits:isnotset,is_proto_irc; flow: from_server,established; content:"PING|20|"; nocase; offset: 0; flowbits: set,irc.ping; flowbits:noalert; classtype: misc-activity; sid: 2002027; rev:4; )
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN IRC PONG response"; flowbits:isnotset,is_proto_irc; flowbits:isset,irc.ping; flowbits:noalert; flow: from_client,established; content:"PONG|20|"; nocase; offset: 0; flowbits: set,is_proto_irc; classtype: misc-activity; sid: 2002028; rev:4; )
# Bot potty
# Every BOT rule below is gated on is_proto_irc and sets the flowbit "trojan" when it
# fires. Naming caveat for anyone chaining on that bit: the perlb0t rules later in this
# file set "BE.trojan" and the Kaiten login rule sets "irc.trojan" -- three different
# names, so a rule keyed on one of them will not see flows flagged by the others.
# tag: host,300,seconds,<dst|src> logs all further traffic of the tagged host for five
# minutes after the alert; that is what gives the analyst the surrounding session.
# Channel-topic variant: server side (flow: to_client), IRC numeric 332 (topic reply),
# " #" and " :" framing the channel name and topic text, then a pcre listing the
# scanner/exploit module names typically pushed via the topic.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - channel topic scan/exploit command"; flowbits:isset,is_proto_irc; flow: to_client,established; content:"|3a|"; offset: 0; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; nocase; within: 40; tag: host,300,seconds,dst; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn1))/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002029; rev:5; )
# Same command list carried in a PRIVMSG, either direction (flow: established only).
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential scan/exploit command"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,dst; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn1))/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002030; rev:7; )
# No content anchor here: the pcre runs against every packet of an is_proto_irc flow,
# so this rule is comparatively expensive. "dl\dx" covers dl<digit>x style command names.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential update/download"; flowbits:isset,is_proto_irc; flow: established; tag: host,300,seconds,dst; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+(http|ftp)\x3a\x2f\x2f/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002031; rev:11; )
# The three "." content matches (each 1-3 bytes apart) are presumably a cheap
# pre-filter for a dotted-quad target before the pcre runs; they do not by themselves
# prove an IP address is present.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential DDoS command (1)"; flowbits:isset,is_proto_irc; flow: established; tag: host,300,seconds,dst; content:"."; distance:1; content:"."; distance:1; within:3; content:"."; distance:1; within:3; pcre:"/floodnet ([0-9]{1,3}\.){3}[0-9]{1,3}|(syn|udp) ([0-9]{1,3}\.){3}[0-9]{1,3}|(tcp|syn|udp|ack|ping|icmp)(flood)? ([0-9]{1,3}\.){3}[0-9]{1,3}/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002032; rev:5; )
# Bot-to-controller status strings. tag is on src here because the infected host is
# the sender of these replies.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002033; rev:10;)
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential misc bot commands"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((\.aim\w*|ascanall|\x3agetshit200)\s+\w+)|((@kill|@get_os_version|@get_computer_name|@get_bot_version|@update|@restart|@reboot|@shutdown)\s)/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002384; rev:8;)
# Topic (332) variant of the misc-commands rule; note the " :" content here has no
# within, unlike sid 2002029, so it is matched anywhere after the " #".
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - channel topic misc bot commands"; flowbits:isset,is_proto_irc; flow: established; content:"|3a|"; offset: 0; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; tag: host,300,seconds,src; pcre:"/(\.aim\w*|ascanall)\s+\w+/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002386; rev:6; )
# "ddos" content is the fast-pattern anchor; the pcre narrows to the ddos.<method> forms.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential DDoS command (2)"; flowbits:isset,is_proto_irc; flow: established; tag: host,300,seconds,dst; content:"ddos"; nocase; pcre:"/ddos\.(phat(icmp|syn|wonk)|stop|(syn|udp|http)flood|targa3|(syn|ack|random) ([0-9]{1,3}\.){3}[0-9]{1,3})/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2003132; rev:1; )
# Added commands of another nasty bot
# Reptile command set carried in a PRIVMSG. The pcre has three shapes: bare command
# followed by CR/LF, command plus an argument word, and command followed by optional
# whitespace then CR/LF.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential reptile commands"; flowbits:isset,is_proto_irc; flow:established; content:"PRIVMSG ";nocase; content:"|3a|"; within:30; pcre:"/\.((testdlls|threads|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\dx|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; flowbits: set,trojan; classtype: trojan-activity; sid:2002363; rev:8;)
# NOTE(review): the pcre below has "dl\x" where sid 2002363 (and 2002031) use "dl\dx".
# In PCRE a \x with no hex digits after it denotes the NUL character, not a literal x,
# so the dl<digit>x command form is most likely never matched by this topic rule.
# Looks like a typo to be corrected (with a rev bump) -- confirm against a sample.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - channel topic reptile commands"; flowbits:isset,is_proto_irc; flow:established; content:"|3a|"; offset: 0; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; pcre:"/\.((testdlls|threads|netstatp|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|stats|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\x|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; flowbits: set,trojan; classtype: trojan-activity; sid:2002385; rev:7; )
#agobot, sdbot stuff, from JB
# No PRIVMSG/topic anchor: the pcre alone decides, on any packet of an is_proto_irc
# flow. NOTE(review): "(aol)spam" has no "?" after the group, so only "aolspam.<sub>"
# matches; if plain "spam.start" etc. was intended it needs "(aol)?spam" -- confirm
# against the agobot command list before changing.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN Agobot-SDBot Commands"; flowbits:isset,is_proto_irc; flow:established; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; flowbits: set,trojan; classtype: trojan-activity; sid:2003157; rev:1; )
#pBot commands, Matt Jonkman, updated by Reg Quinton
# Here the PRIVMSG framing ("PRIVMSG <target> :<cmd>") is inside the pcre itself rather
# than a separate content match; most command alternatives require a trailing space.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN pBot (PHP bot) Commands"; flowbits:isset,is_proto_irc; flow:established; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; flowbits: set,trojan; classtype: trojan-activity; sid:2003208; rev:4;)
#These are by Reg Quinton for perl bots. Uses the above irc state machines:
# $Id: TROJAN_IRC_Bots,v 1.92 2007/11/09 23:28:07 jonkman Exp $
#
# I am building these from perlbots I've captured over the last few months
# as I chase PHP injection attacks.
In each case what you have is a "PRIVMSG" # response with content that looks like ":\002...text\002" # # I rely on flowbits isproto_irc to catch the leading "PRIVMSG .*:" # # [11:29am dominic] cat ~/php-injection/* | sed -n 's/.*:\\002/:\\002/p' |\ # sed 's/002[ :].*/002/' | sort | uniq -c | grep 002\\[ # 2 :\002[Atk33]\002 # 2 :\002[Exploiting]\002 # 2 :\002[Finished]\002 # 8 :\002[GOOGLE]\002 # 1 :\002[GOOGLER]\002 # 11 :\002[HTTP]\002 # 4 :\002[HTTP-DDOS]\002 # 1 :\002[HTTP DDoSing]\002 # 1 :\002[PKS-SCAN| @@ ERROR @@ ]\002 # 1 :\002[PKS-SCAN|EXPLOTANDO CON CURL]\002 # 1 :\002[PKS-SCAN|EXPLOTANDO CON FETCH]\002 # 1 :\002[PKS-SCAN|EXPLOTANDO CON GET]\002 # 1 :\002[PKS-SCAN|EXPLOTANDO CON LYNX]\002 # 1 :\002[PKS-SCAN|EXPLOTANDO CON WGET]\002 # 1 :\002[PKS-SCAN| SPREANDING ]\002 # 2 :\002[Results]\002 # 2 :\002[RSH]\002 # 19 :\002[SCAN]\002 # 10 :\002[TCP]\002 # 4 :\002[TCP-DDOS]\002 # 2 :\002[TCP DDoSing]\002 # 13 :\002[UDP]\002 # 4 :\002[UDP-DDOS]\002 # 1 :\002[UDP DDoSing]\002 # 2 :\002[v6]\002 # 1 :\002[v6|Exploiting]\002 # 1 :\002[v6|VULN]\002 # 6 :\002[VERSION]\002 # Ones that look like ':\002[sometext]\002' alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN perlb0t/w0rmb0t Response (Case 1)"; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; flowbits:set,BE.trojan; classtype:trojan-activity; sid:2006910; rev:1;) # [11:31am dominic] cat ~/php-injection/* | sed -n 's/.*:\\002/:\\002/p' \ # | sed 's/002[ :].*/002/' | sort | uniq -c | grep 002.003 # 2 :\002\0034<------------------------------------------------>\003\002"); # 2 :\002\0034<------------------------------------------------>\003\002"); # 1 :\002\0034[BackConnect]\003\002 # 2 :\002\0034[help]\003\002 # 1 :\002\0034[HTTP]\003\002 # 1 :\002\0034[HTTP DDoSing]\003\002 # 1 :\002\0034PerlBot :By SPEED (Security Net 
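# Information) LoaDED bY @adms");
# 3 :\002\0034[SCAN]\003\002
# 2 :\002\0034[TCP DDoSing]\003\002
# 1 :\002\0034[UDP]\003\002
# 1 :\002\0034[UDP DDoSing]\003\002
# 1 :\002\0034[VERSION]\003\002
#
# Ones that look like \002\0034[sometext]\003\002
# Case 2: the same banners, coloured -- ":^B^C4[Keyword]^C^B" (0x03 followed
# by "4" is mIRC colour 4).  Gate is ":^B^C4[" then "^C^B" within 32 bytes;
# the pcre checks the keyword.  HTTP/TCP/UDP take `.*` so the "-DDOS" and
# " DDoSing" suffixes seen above are covered.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN perlb0t/w0rmb0t Response (Case 2)"; flowbits:isset,is_proto_irc; content:"|3A 02 03|4|5B|"; content:"|03 02|"; within: 32; pcre:"/\x3A\x02\x034\x5B(BackConnect|help|HTTP.*|SCAN|TCP.*|UDP.*|VERSION)\x5D\x03\x02/i"; flowbits:set,BE.trojan; classtype:trojan-activity; sid:2006911; rev:1;)
# [11:34am dominic] cat ~/php-injection/* | sed -n 's/.*:\\002/:\\002/p' \
# | sed 's/002[ :].*/002/' | sort | uniq -c | grep -v '002\\003' | grep -v '002\['
# 1 :\002
# 2 :\002Alvo dos Pacotes\002
# 1 :\002Conectando-se em\002
# 1 :\002Média de envio\002
# 1 :\002Tempo\002
# 2 :\002Tempo de Pacotes\002
# 1 :\002Total bytes\002
# 2 :\002Total de Pacotes\002
# 1 :\002Total pacotes\002
#
# Ones that look like \002sometext\002
# Case 3: flood-status lines in Portuguese, bold but unbracketed.  The gate
# (":^B" then any "^B" within 32 bytes) is weak -- almost any bold IRC text
# passes it -- so the pcre carries all of the selectivity.
# Changed in rev 2: "Média" was a raw non-ASCII literal, so the bytes Snort
# compiled depended on the encoding this file happened to be saved in
# (E9 in Latin-1, C3 A9 in UTF-8) and that alternative silently never
# matched whenever the bot emitted the other form.  `M.{1,2}dia` accepts
# both without otherwise widening the match.
# NOTE(review): `Tempo.*` and `Total .*` are broad -- any bold line starting
# with those words on an IRC-tagged flow alerts.  Tighten if this proves
# noisy on legitimate Portuguese IRC traffic.
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN perlb0t/w0rmb0t Response (Case 3)"; flowbits:isset,is_proto_irc; content:"|3A 02|"; content:"|02|"; within: 32; pcre:"/\x3A\x02(Alvo dos Pacotes|Conectando-se em|M.{1,2}dia de envio|Tempo.*|Total .*)\x02/i"; flowbits:set,BE.trojan; classtype: trojan-activity; sid:2006912; rev:2;)
# $Id: TROJAN_IRC_Bots,v 1.92 2007/11/09 23:28:07 jonkman Exp $
#
# [8:03am dominic] telnet 59.124.158.12 65500
# Trying 59.124.158.12...
# Connected to 59-124-158-12.HINET-IP.hinet.net (59.124.158.12).
# Escape character is '^]'.
# :irc.Indonesia.B0tN3t.org NOTICE AUTH :*** Looking up your hostname...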
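# :irc.Indonesia.B0tN3t.org NOTICE AUTH :*** Found your hostname
#
# Reg Quinton ; 9-Nov-2007
# Server-side greeting from the "B0tN3t" IRC server: a reply that starts
# with ':' (offset 0, depth 1) and names B0tN3t within its first 32 bytes.
# Tags the flow as IRC (is_proto_irc) and as a started session (irc.start)
# so the command/response rules below can key off it.
# NOTE(review): this keys entirely on the server's self-chosen hostname,
# which the operator can rename at will -- a convenience match, not a
# protocol-level detection.  classtype is misc-activity although the other
# botnet rules here use trojan-activity.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE TROJAN B0tN3t IRCbotnet"; flow:from_server,established; content:"\:"; offset:0; depth:1; content:"B0tN3t"; within:32; nocase; flowbits:set,irc.start; flowbits:set,is_proto_irc; classtype:misc-activity; reference:url,en.wikipedia.org/wiki/Botnet; sid:2007672; rev:1;)
# by Reg Quinton
#
# Kaiten is a compiled code DDOS IRCbotnet for Unix/Linux systems. You will
# find the string "Kaiten wagoraku" in the code ..(or in the strings if you
# have a compiled version). It's been around since at least 2006, source can
# be found at many sites.
#
# See also
#
# http://isc.sans.org/diary.html?storyid=1127
# http://handlers.dshield.org/pbueno/Steve_malware6.pdf
# http://www.stacksegment.net/wiki/index.php/Linux_Malware_Analysis
# http://ktp.e-isa.com/Viruses/Linux.DDos-Kaiten.htm
#
# Reg Quinton; 2007/08/30
#
# Botnet begins by contacting an IRC server (there's some randomization to
# pick one) and saying (with short nick,ident,user strings..):
#
# Send(sock,"NICK %s\nUSER %s localhost localhost :%s\n",nick,ident,user);
# Login as sent by the bot (home -> external, client side of the flow).  The
# three content matches anchor "NICK " at packet start and require "USER "
# and "localhost localhost :" within the next 32 bytes each; the pcre then
# checks the exact shape of the two-line greeting.
# Changed in rev 2: the pcre read `USER\x20\S+localhost`, i.e. no space
# between the ident and "localhost".  The Send() format above always emits
# that space, so the regex could not match the login it documents.  Now
# `USER\x20\S+\x20localhost`.
# NOTE(review): `\x0A` between the two lines assumes the bare "\n" of the
# format string; a variant sending "\r\n" would not match.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE TROJAN Kaiten IRCbotnet login"; flow:to_server,established; content:"NICK|20|"; offset:0; depth:5; content:"USER|20|"; within:32; content:"localhost|20|localhost|20 3A|"; within:32; pcre:"/NICK\x20\S+\x0AUSER\x20\S+\x20localhost\x20localhost\x20\x3A/"; flowbits:set,irc.start; flowbits:set,irc.trojan; classtype:trojan-activity; reference:url,en.wikipedia.org/wiki/IRC_bot; sid:2007621; rev:2;)
# various distinctive responses to commands implemented by Kaiten client
# Bot -> server NOTICEs, only on a flow where irc.start was set by the login
# rule above or by the B0tN3t rule (flowbits are per flow, so the gating does
# not depend on which side set them).
# NOTE(review): the pcre spells the banner "Kaiten wa goraku" while the
# comment above says "Kaiten wagoraku"; one of the two is a typo -- check a
# sample before relying on that alternative.
alert tcp $HOME_NET any -> any any (msg: "BLEEDING-EDGE TROJAN Kaiten IRCbotnet Response"; flowbits:isset,irc.start; content:"NOTICE|20|"; content:"|20 3A|"; within:32; pcre:"/\x20\x3A(Receiving\x20file.\x0A|Saved\x20as\x20|Spoofs\x3A\x20|Kaiten\x20wa\x20goraku|Current\x20status\x20is\x3a\x20|Removed\x20all\x20spoofs|Packeting\x20|Panning\x20|Tsunami\x20heading\x20for\x20|Unknowing\x20|Killing\x20pid\x20)/"; flowbits:set,irc.trojan; classtype:trojan-activity; reference:url,en.wikipedia.org/wiki/IRC_bot; sid:2007622; rev:1;)
# various commands implemented by Kaiten client, they don't use a : delimiter
# as others do, it's "[: ]PRIVMSG ! ". I'm
# skipping the server part. I wish there were flowbits that noted that we have
# an IRC channel going. I don't want to watch everything.
# Server -> bot commands.  Not gated on irc.start/is_proto_irc (see the note
# above), so it inspects every inbound established TCP flow; the fixed
# "PRIVMSG !" content keeps the pcre off most traffic.
# NOTE(review): flowbit name here is "irc.trojan"; rules earlier in this file
# set "trojan" and "BE.trojan" for the same meaning.
alert tcp any any -> $HOME_NET any (msg: "BLEEDING-EDGE TROJAN Kaiten IRCbotnet Commands"; flow:from_server,established; content:"PRIVMSG|20 21|"; pcre:"/PRIVMSG\x20\x21\S+\x20(TSUNAMI\x20|PAN\x20|UDP\x20|UNKNOWN\x20|GETSPOOFS|SPOOFS\x20)/i"; flowbits:set,irc.trojan; classtype:trojan-activity; reference:url,en.wikipedia.org/wiki/IRC_bot; sid:2007623; rev:1;)
# $Id: TROJAN_IRC_Pitbull,v 1.1 2007/10/04 22:39:57 jonkman Exp $
# Pitbull is an IRCbot implemented in Perl since 2007/09/13, code seems to have
# authors who speak Spanish or Portuguese. Small sample here
#
# http://www.directadmin.com/forum/showthread.php?p=113720
#
# Google had a cached version, you might browse around to find others.
#
# Versions I captured are a little different from one another (s/space/etx/).
#
# Code *says* it supports these commands (but versions differ):
#!bot @portscan
#!bot @nmap
#!bot @back
#!bot @udpflood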