GROUP_NAME=IRCBACKDOOR
GROUP_DESCRIPTION=This group contains custom IRC-backdoor-trojan Dragon NIDS signatures. These signatures detect the types of command strings, phone-home progress reports from compromised machines, etc. NOTE they currently use port 6667, the default IRC port. It would be better to define a local COMPLEX port entry, such as 'I', which lists a wider range of ports commonly used by IRC servers, such as perhaps 6666-7000.

# $Id: IRCBDCMDS.lib,v 1.2 2006/05/19 15:10:31 hlein Exp $

NAME=COMP:SDBOT-DOWNLOAD
SIGNATURE=T D A B 300 0 6667 COMP:SDBOT-DOWNLOAD PRIVMSG/20/23 , /3A/21dl/20
DESCRIPTION=This signature was created based on a modified version of sdbot. Sdbot is a Windows backdoor which accepts commands via IRC. This is useful to an attacker because several compromised machines can be controlled simultaneously via a single IRC channel. When combined with automated exploits packaged in auto-rooters, this makes it trivial for an attacker to amass a huge DDoS network. There are many different backdoors like this based on modified versions of sdbot. Most of them allow for DDoS attacks, file downloading and executing, among other features useful to attackers. This signature triggers when an attacker orders a compromised machine (or machines) to download and run an arbitrary program (most often an additional attack tool, worm, etc). The source of the alert is the controlling IRC server, and the destination is the compromised machine.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=COMP:SDBOT-PINGFLOOD
SIGNATURE=T D A B 300 0 6667 COMP:SDBOT-PINGFLOOD PRIVMSG/20/23 , /3A/21ping/20
DESCRIPTION=This signature was created based on a modified version of sdbot. Sdbot is a Windows backdoor which accepts commands via IRC. This is useful to an attacker because several compromised machines can be controlled simultaneously via a single IRC channel. When combined with automated exploits packaged in auto-rooters, this makes it trivial for an attacker to amass a huge DDoS network. There are many different backdoors like this based on modified versions of sdbot. Most of them allow for DDoS attacks, file downloading and executing, among other features useful to attackers. This signature triggers when an attacker orders a compromised machine (or machines) to launch a ping flood against a designated target. The source of the alert is the controlling IRC server, and the destination is the compromised machine. The payload will look like 'PRIVMSG #[channelname] :!ping [targetaddress] [packetcount] [packetsize] [timeout]'.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=COMP:SDBOT-EXECUTE
SIGNATURE=T S A B 300 200 6667 COMP:SDBOT-EXECUTE PRIVMSG/20/23 , /3Aopened/20*/3A/5C
DESCRIPTION=This signature was created based on a modified version of sdbot. Sdbot is a Windows backdoor which accepts commands via IRC. This is useful to an attacker because several compromised machines can be controlled simultaneously via a single IRC channel. When combined with automated exploits packaged in auto-rooters, this makes it trivial for an attacker to amass a huge DDoS network. There are many different backdoors like this based on modified versions of sdbot. Most of them allow for DDoS attacks, file downloading and executing, among other features useful to attackers. This signature triggers when a compromised machine reports that it has executed an arbitrary program (most often an additional attack tool, worm, etc) which it was ordered to download and run. The source of the alert is the compromised machine, and the destination is the IRC server it has registered with.
MODIFIED=Y
DISABLED=N
UPDATED=N

NAME=WORM:ARGOBOT-IRC
SIGNATURE=T D A S 5 0 7000 WORM:ARGOBOT-IRC weednet
DESCRIPTION=An Argobot variant which opens a backdoor connection to an attacker-controlled IRC server on port 7000 is spreading rapidly. This signature detects compromised workstations registering themselves with one of these IRC servers.
EVENTGROUP=COMPROMISE
URL=http://marc.theaimsgroup.com/?l=full-disclosure&m=108287841712436&w=2
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-EXPLOITING
SIGNATURE=T D A S 50 200 6667 BACKDOOR:IRC-EXPLOITING privmsg/20/23 , exploiti
DESCRIPTION=Signature to catch botnet clients talking to their master. Based on signatures contributed by Mike Iglesias.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-LSASS
SIGNATURE=T D A S 50 200 6667 BACKDOOR:IRC-LSASS privmsg/20/23 , lsass
DESCRIPTION=Signature to catch botnet clients talking to their master. Based on signatures contributed by Mike Iglesias.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-FTP
SIGNATURE=T D A S 50 200 6667 BACKDOOR:IRC-FTP privmsg/20/23 , ftp
DESCRIPTION=Signature to catch botnet clients talking to their master. Based on signatures contributed by Mike Iglesias.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-EXE
SIGNATURE=T D A S 50 200 6667 BACKDOOR:IRC-EXE privmsg/20/23 , /2eexe
DESCRIPTION=Signature to catch botnet clients talking to their master. Based on signatures contributed by Mike Iglesias.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-SCAN
SIGNATURE=T D A S 50 200 6667 BACKDOOR:IRC-SCAN privmsg/20/23 , scan
DESCRIPTION=Signature to catch botnet clients talking to their master. Based on signatures contributed by Mike Iglesias.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-SENDFILE
SIGNATURE=T D A S 50 200 6667 BACKDOOR:IRC-SENDFILE privmsg/20/23 , sendfile
DESCRIPTION=Signature to catch botnet clients talking to their master.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-SYSTEM32
SIGNATURE=T D A S 50 200 6667 BACKDOOR:IRC-SYSTEM32 privmsg/20/23 , system32
DESCRIPTION=Signature to catch botnet clients talking to their master.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-SHELL
SIGNATURE=T D A S 50 200 6667 BACKDOOR:IRC-SHELL privmsg/20/23 , shell
DESCRIPTION=Signature to catch botnet clients talking to their master.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-KEYLOG
SIGNATURE=T D A S 50 200 6667 BACKDOOR:IRC-KEYLOG privmsg/20/23 , keylog
DESCRIPTION=Signature to catch botnet clients talking to their master.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-KEYLOG-RETURN
SIGNATURE=T D A S 50 400 6667 BACKDOOR:IRC-KEYLOG-RETURN privmsg/20/23 , /28return/29
DESCRIPTION=Signature to catch botnet clients talking to their master.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-KEYLOG-WINCH
SIGNATURE=T D A S 50 400 6667 BACKDOOR:IRC-KEYLOG-WINCH privmsg/20/23 , /28changed/20window/29
DESCRIPTION=Signature to catch botnet clients talking to their master.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-ADMINISTRATOR
SIGNATURE=T D A S 50 200 6667 BACKDOOR:IRC-ADMINISTRATOR privmsg/20/23 , administrator
DESCRIPTION=Signature to catch botnet clients talking to their master.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-OPENED-C
SIGNATURE=T D A S 50 200 6667 BACKDOOR:IRC-OPENED-C privmsg/20/23 , opened/3a/20c/3a/5c
DESCRIPTION=Signature to catch botnet clients talking to their master.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-OPENED-D
SIGNATURE=T D A S 50 200 6667 BACKDOOR:IRC-OPENED-D privmsg/20/23 , opened/3a/20d/3a/5c
DESCRIPTION=Signature to catch botnet clients talking to their master.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-PING
SIGNATURE=T D A S 50 200 6667 BACKDOOR:IRC-PING privmsg/20/23 , /5bping/5d
DESCRIPTION=Signature to catch botnet clients talking to their master.
MODIFIED=Y
DISABLED=N

NAME=BACKDOOR:IRC-GBDASH
SIGNATURE=T D A S 50 200 6667 BACKDOOR:IRC-GBDASH privmsg/20/23gb/2d
DESCRIPTION=Signature to catch botnet clients talking to their master.
MODIFIED=Y
DISABLED=N
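The following is an added example, not part of the Dragon signature library above: it decodes the hex-escaped search strings from three of the SIGNATURE lines and runs them over constructed IRC PRIVMSG lines, so an analyst can see exactly which payloads a signature fires on and which benign chat it ignores. It assumes that "/XX" encodes one hex byte, that " , " separates sub-strings which must all appear in order, and that matching is case-insensitive (IRC commands are); the sample lines, channel names and addresses are constructed placeholders.

```python
# Added example: decode Dragon-style search strings and test them against
# constructed IRC payloads. Assumptions (not stated in the library itself):
#   - "/XX" is a hex-encoded byte (/20 = space, /23 = '#', /3A = ':', /21 = '!')
#   - " , " separates sub-strings that must all appear, in order
#   - IRC commands are case-insensitive, so matching ignores case
import re

ESCAPE = re.compile(r"/([0-9A-Fa-f]{2})")

def decode_pattern(pattern):
    """Turn 'PRIVMSG/20/23 , /3A/21ping/20' into ['PRIVMSG #', ':!ping ']."""
    return [ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), part)
            for part in pattern.split(" , ")]

def parse_signature(line):
    """Return (alert name, decoded search strings) from a SIGNATURE value.

    The leading fields are the protocol/direction/port header; the alert
    name is the first token containing ':' and the search string follows it.
    """
    tokens = line.split(" ")
    idx = next(i for i, t in enumerate(tokens) if ":" in t)
    return tokens[idx], decode_pattern(" ".join(tokens[idx + 1:]))

def matches(needles, payload):
    """True when every needle appears in payload, in order, ignoring case."""
    hay, pos = payload.lower(), 0
    for n in needles:
        pos = hay.find(n.lower(), pos)
        if pos < 0:
            return False
        pos += len(n)
    return True

# SIGNATURE values copied verbatim from the library above
SIGNATURES = [
    "T D A B 300 0 6667 COMP:SDBOT-DOWNLOAD PRIVMSG/20/23 , /3A/21dl/20",
    "T D A B 300 0 6667 COMP:SDBOT-PINGFLOOD PRIVMSG/20/23 , /3A/21ping/20",
    "T D A S 50 400 6667 BACKDOOR:IRC-KEYLOG-RETURN privmsg/20/23 , /28return/29",
]

def alerts_for(payload, signatures=SIGNATURES):
    """Names of every signature whose search strings appear in payload."""
    return [name for name, needles in map(parse_signature, signatures)
            if matches(needles, payload)]

# Constructed sample traffic following the payload layout the library gives
# for COMP:SDBOT-PINGFLOOD; the last line is benign chat that must not fire.
SAMPLE_LINES = [
    "PRIVMSG #botchan :!ping 192.0.2.10 1000 64 5",
    "PRIVMSG #botchan :!dl http://example.invalid/update.bin update.bin 1",
    "PRIVMSG #botchan :keylog (Return) typed by user",
    "PRIVMSG #friends :anyone up for a ping later?",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(alerts_for(line) or "-", "<-", line)
```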