GROUP_NAME=IRCBDCHANNELS
GROUP_DESCRIPTION=This group contains custom IRC-backdoor-trojan Dragon NIDS signatures. These signatures detect clients registering with a number of IRC channel names commonly used as the remote-control channel for trojans/worms, which register themselves after infection to await further instruction, report on progress compromising more machines, etc. NOTE most of these currently use port 6667, the default IRC port. It would be better to define a local COMPLEX port entry, such as 'I', listing a wider range of ports commonly used by IRC servers, such as perhaps 6666-7000.
# $Id: IRCBDCHAN.lib,v 1.4 2006/05/19 15:10:31 hlein Exp $

NAME=BACKDOOR:IRC-JOIN-FUCK0F
SIGNATURE=T D A S 50 40 6667 BACKDOOR:IRC-JOIN-FUCK0F join , fuck0f
DESCRIPTION=Signature to try to catch IRC startup with a CroNation IRC server. Based on signatures contributed by Mike Iglesias.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-JOIN-CRONATION2
SIGNATURE=T D A S 50 40 6667 BACKDOOR:IRC-JOIN-CRONATION2 join , cronation
DESCRIPTION=Signature to try to catch IRC startup with a CroNation IRC server. Based on signatures contributed by Mike Iglesias.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-JOIN-NEWBOT
SIGNATURE=T D A S 50 30 6667 BACKDOOR:IRC-JOIN-NEWBOT join , /23newbot
DESCRIPTION=Signature to try to catch IRC startup with a NEWBOT botnet. Based on signatures contributed by Mike Iglesias.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-JOIN-NULLZ0R
SIGNATURE=T D A S 50 30 6667 BACKDOOR:IRC-JOIN-NULLZ0R join , /23nullz0r
DESCRIPTION=Signature to try to catch IRC startup with a nullz0r botnet. Based on signatures contributed by Mike Iglesias.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-JOIN-NEUKEN
SIGNATURE=T D A S 50 30 6667 BACKDOOR:IRC-JOIN-NEUKEN join , /23neuken
DESCRIPTION=Signature to try to catch IRC startup with a neuken botnet. Based on signatures contributed by Mike Iglesias.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-JOIN-LASTIMEZ
SIGNATURE=T D A S 50 30 6667 BACKDOOR:IRC-JOIN-LASTIMEZ join , /23lastimez
DESCRIPTION=Signature to try to catch IRC startup with a lastimez botnet. Based on signatures contributed by Mike Iglesias.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-JOIN-BOMB
SIGNATURE=T D A S 50 30 6667 BACKDOOR:IRC-JOIN-BOMB join/20/23bomb/0a
DESCRIPTION=Signature to try to catch IRC startup with a bomb botnet.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-JOIN-GENERAL-E
SIGNATURE=T D A S 50 30 6667 BACKDOOR:IRC-JOIN-GENERAL-E join , general/2de
DESCRIPTION=Signature to try to catch IRC startup with a lastimez botnet. Based on information contributed by Mike Iglesias.
MODIFIED=Y
DISABLED=N

NAME=WORM:SARA2003-JOIN
SIGNATURE=T D A S 5 0 6667 WORM:SARA2003-JOIN join/20/23xcnicxxcncx
DESCRIPTION=A worm has been identified which spreads by socially engineering victims in IRC channels into opening .scr files (executables). The worm joins a control channel, currently #xcnicxxcncx, and awaits instructions to launch DDoS attacks, etc. This signature attempts to catch the worm joining its control channel. This might easily be changed in a new release of the worm.
URLREF=https://marc.theaimsgroup.com/?l=full-disclosure&m=106956790815079&w=2
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-JOIN-EDU
SIGNATURE=T D A S 5 0 6667 BACKDOOR:IRC-JOIN-EDU join/20/23edu
DESCRIPTION=A common backdoor registers itself with IRC servers (mybitch.ioi.net, hub.rofl.org, or others) in the channel '#edu'. There it awaits instructions on systems to scan, exploits to launch (such as LSASS), etc. This signature detects outbound connections from compromised machines attempting to register themselves on that IRC channel. This might easily be changed in a new release of the backdoor.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-JOIN-BOT
SIGNATURE=T B A B 100 30 H BACKDOOR:IRC-JOIN-BOT JOIN/20/23bot/20c123
DESCRIPTION=A new backdoor found spreading since 2004-07-06 registers itself with IRC servers (63.214.57.133 and 209.254.89.184 on port 7000 so far) and joins the channel '#bot' with the channel key 'c123'. Infected machines then receive instructions on other hosts to scan, etc. This signature detects infected machines registering on the IRC bot network. This might easily be changed in a new release of the backdoor.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=BACKDOOR:IRC-JOIN-EXPLOIT
SIGNATURE=T B A S 100 30 H BACKDOOR:IRC-JOIN-EXPLOIT join/20/23exploit
DESCRIPTION=Signature to try to catch IRC startup with a generic bot that joins a channel called '#exploit'.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=BACKDOOR:IRC-JOIN-AMSEXY
SIGNATURE=T B A S 100 30 H BACKDOOR:IRC-JOIN-AMSEXY join/20/23amsexy
DESCRIPTION=Signature to try to catch IRC startup with a generic bot that joins a channel called '#amsexy'.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=BACKDOOR:IRC-JOIN-RBOT
SIGNATURE=T B A S 100 30 H BACKDOOR:IRC-JOIN-RBOT join/20/23rbot
DESCRIPTION=Signature to try to catch IRC startup with a generic bot that joins a channel called '#rbot'.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=BACKDOOR:IRC-JOIN-GB
SIGNATURE=T B A S 100 30 H BACKDOOR:IRC-JOIN-GB join/20/23gb
DESCRIPTION=Signature to try to catch IRC startup with a generic bot that joins a channel called '#gb'.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=BACKDOOR:IRC-JOIN-MSN-JB
SIGNATURE=T D A S 50 40 6667 BACKDOOR:IRC-JOIN-MSN-JB join , /24msn/20jigaboo
DESCRIPTION=Signature to try to catch IRC startup with a generic bot that joins a channel called '$msn' with the channel key 'jigaboo'.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=BACKDOOR:IRC-DNS-LOOKUP
SIGNATURE=U D A S 10 100 53 BACKDOOR:IRC-DNS-LOOKUP element-is/09ph33rl3ss/02us
DESCRIPTION=Some worms contain a phone-home component which connects to an IRC server under the attacker's control. The hostname of the IRC server is hard-coded in the worm, and it performs a DNS lookup to find which server to connect to; this allows the attacker to move the control node as old ones are discovered and shut down. This signature detects lookups for one of those hostnames used for a control node, element-is.ph33rl3ss.us. The pattern is written in DNS wire form, as the other DNS signatures in this group are: each label after the first is preceded by its length byte, because no '.' characters appear in a query on the wire.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=BACKDOOR:DNS-SLTCPB
SIGNATURE=U D A S 300 200 53 BACKDOOR:DNS-SLTCPB symantec/05loves/03the/04cock/05pheer/03biz
DESCRIPTION=Some worms contain a phone-home component which connects to an IRC server under the attacker's control. The hostname of the IRC server is hard-coded in the worm, and it performs a DNS lookup to find which server to connect to; this allows the attacker to move the control node as old ones are discovered and shut down. This signature detects lookups for one of those hostnames used for a control node, symantec.loves.the.cock.pheer.biz.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=BACKDOOR:DNS-OGN
SIGNATURE=U D A S 300 200 53 BACKDOOR:DNS-OGN owjgp/08game2max/03net
DESCRIPTION=Some worms contain a phone-home component which connects to an IRC server under the attacker's control. The hostname of the IRC server is hard-coded in the worm, and it performs a DNS lookup to find which server to connect to; this allows the attacker to move the control node as old ones are discovered and shut down. This signature detects lookups for one of those hostnames used for a control node, owjgp.game2max.net.
MODIFIED=Y
DISABLED=N
UPDATED=N
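Added example, not part of the Dragon signature library or of any contributor's code: a small Python matcher that decodes the '/hh' escapes used by the patterns in this group and runs a subset of the JOIN and DNS signatures over constructed sample traffic. It also builds a raw DNS query for a hostname to show why the BACKDOOR:DNS-* patterns carry label-length bytes instead of dots. The sample payloads are constructed here, not captures; reading '/hh' as one hex-encoded byte is inferred from the patterns themselves (e.g. '/20' = space, '/23' = '#') rather than stated by the file, and case-insensitive matching is an assumption of this example, not documented Dragon behaviour.

```python
import re
import struct

# Constructed subset of this group's signatures, as NAME -> pattern. The '/hh'
# escape is read here as one hex-encoded byte (inferred from the patterns).
SIGNATURES = {
    "BACKDOOR:IRC-JOIN-BOT": "JOIN/20/23bot/20c123",
    "BACKDOOR:IRC-JOIN-EDU": "join/20/23edu",
    "WORM:SARA2003-JOIN": "join/20/23xcnicxxcncx",
    "BACKDOOR:DNS-OGN": "owjgp/08game2max/03net",
}

_HEX_ESCAPE = re.compile(r"/([0-9a-fA-F]{2})")


def decode_pattern(pattern: str) -> bytes:
    """Convert a Dragon-style pattern into the raw bytes it is meant to match."""
    out = bytearray()
    pos = 0
    for m in _HEX_ESCAPE.finditer(pattern):
        out += pattern[pos:m.start()].encode("ascii")
        out.append(int(m.group(1), 16))
        pos = m.end()
    out += pattern[pos:].encode("ascii")
    return bytes(out)


def dns_wire_name(hostname: str) -> bytes:
    """Encode a hostname as it appears in a DNS question section: each label is
    preceded by its length byte and the name ends with a zero byte. No '.' is
    ever present on the wire, which is why a dotted pattern cannot match."""
    out = bytearray()
    for label in hostname.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad DNS label: %r" % label)
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def dns_query(hostname: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A-record query payload: 12-byte header plus one question."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    question = dns_wire_name(hostname) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def dns_pattern_from_hostname(hostname: str) -> str:
    """Write a hostname the way the BACKDOOR:DNS-* signatures do: the first
    label literally, every later label preceded by its length as '/hh'."""
    labels = hostname.rstrip(".").split(".")
    return labels[0] + "".join("/%02x%s" % (len(l), l) for l in labels[1:])


def match(payload: bytes, signatures=SIGNATURES) -> list:
    """Return the names of all signatures whose decoded pattern occurs in payload.
    Matching is case-insensitive (assumption of this example): IRC commands and
    channel names are case-insensitive, and lower() leaves non-letter bytes such
    as DNS length prefixes untouched."""
    haystack = payload.lower()
    return [name for name, pat in signatures.items()
            if decode_pattern(pat).lower() in haystack]


# Constructed sample traffic, not captures: an infected host's IRC registration,
# a bare join of '#edu', a benign join, and a DNS lookup of a control-node name.
SAMPLES = {
    "irc-bot": b"NICK [XP]-3712\r\nUSER xp 0 0 :xp\r\nJOIN #bot c123\r\n",
    "irc-edu": b"join #edu\r\n",
    "irc-benign": b"JOIN #linux\r\n",
    "dns-ogn": dns_query("owjgp.game2max.net"),
}


if __name__ == "__main__":
    for label, payload in SAMPLES.items():
        print("%-10s -> %s" % (label, match(payload) or "no hit"))
    # A dotted hostname never occurs in a raw query; the length-prefixed form does.
    q = dns_query("element-is.ph33rl3ss.us")
    print(b"element-is.ph33rl3ss.us" in q,
          decode_pattern(dns_pattern_from_hostname("element-is.ph33rl3ss.us")) in q)
```

dns_pattern_from_hostname reproduces the encoding the BACKDOOR:DNS-SLTCPB and BACKDOOR:DNS-OGN entries use, so it can be used to write further DNS lookup signatures for this group without hand-counting label lengths; feeding it a dotted hostname and checking the result against dns_query shows that only the length-prefixed form is present in the payload.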