03-18-2004 01:27 PM - edited 03-09-2019 06:48 AM
This trojan / worm was discovered on the 15th and has a high exploitation potential. Its details are summarized and our coverage is outlined here:
http://www.cisco.com/cgi-bin/front.x/csec/view.pl?VID=3913
Derek
03-18-2004 05:53 PM
I am trying to convert these two Snort signatures into Cisco IDS sigs. Since this is my first time using the custom signature function, can someone help me out here, especially with the regular expression part?
Snort Sig 1.
alert tcp any any -> any any (msg:"Agobot/Phatbot Infection
Successful"; flow:established; content:"221 Goodbye, have a good
infection |3a 29 2e 0d 0a|"; dsize:40; classtype:trojan-activity;
reference:url,www.lurhq.com/phatbot.html; sid:1000075; rev:1;)
Cisco Sig 1.
SIGID: 20006
SubSig: 0 default: 0
AlarmDelayTimer:
AlarmInterval:
AlarmSeverity: medium default: medium
AlarmThrottle: Summarize
AlarmTraits:
CapturePacket: True default: False
ChokeThreshold:
Direction: ToService default: ToService
Enabled: True
EndMatchOffset:
EventAction:
FlipAddr:
MaxInspectLength: 40
MaxTTL:
MinHits: 1
MinMatchLength:
Protocol: TCP default: TCP
RegexString: 221 Goodbye\, have a good infection
ResetAfterIdle: 15
ServicePorts: 0-65535
SigComment:
SigName: Agobot/Phatbot Infection Successful default: STRING.TCP
SigStringInfo:
SigVersion:
StorageKey: STREAM
StripTelnetOptions:
SummaryKey: Axxx
ThrottleInterval: 15
WantFrag:
Snort Sig 2:
alert tcp any any -> any any (msg:"Phatbot P2P Control Connection";
flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15;
classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html;
sid:1000076; rev:1;)
Cisco Sig 2.
SIGID: 20007
SubSig: 1 default: 0
AlarmDelayTimer:
AlarmInterval:
AlarmSeverity: medium
AlarmThrottle: Summarize
AlarmTraits:
CapturePacket: True default: False
ChokeThreshold:
Direction: ToService
Enabled: True
EndMatchOffset:
EventAction:
FlipAddr:
MaxInspectLength:
MaxTTL:
MinHits: 1
MinMatchLength:
Protocol: TCP
RegexString: Wonk-.*waste
ResetAfterIdle: 15
ServicePorts: 0-65535
SigComment:
SigName: Phatbot P2P Control Connection default: STRING.TCP
SigStringInfo:
SigVersion:
StorageKey: STREAM
StripTelnetOptions:
SummaryKey: Axxx
ThrottleInterval: 15
WantFrag:
03-22-2004 01:56 AM
Here is a translation of the regexes that should work:
1)
content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"
221 Goodbye,[ ]have a good[ ]infection[ ]\x3a\x29\x2e\x0d\x0a
2)
content:"Wonk-"; content:"|00|#waste|00|"
Wonk-.*\x00[#]waste\x00
Note: A word of caution about the ServicePorts parameters. Setting them to all TCP ports like the Snort signature is likely to cause a fairly negative performance impact on your sensor. One possible way to lessen the impact would be to use the ATOMIC.TCP engine instead of STRING.TCP. Just substitute the SinglePacketRegex parameter for RegexString, and set the following:
TcpFlags PSH|ACK
Mask ACK
This causes a little less overhead in your signatures, but it is also going to cause a significant load on your sensor. It is best to limit the port range if you can.
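As an added example (not code from the thread), here is a small Python translator that mechanises the content-to-RegexString conversion shown in the reply above: it decodes Snort's |hex| byte notation, escapes spaces, '#' and regex metacharacters, joins multiple content clauses with .*, and checks that the generated regex still matches the bytes the Snort rule looked for. The escape set is an assumption about the sensor's regex dialect, and Python's re module stands in for the sensor's engine.

```python
import re

# Metacharacters that get a backslash when a Snort literal is carried over
# into a RegexString (assumption: the sensor's regex dialect matches common ones).
_META = set(".^$*+?()[]{}|\\")

# The content: clauses of the two Snort rules posted in this thread.
SIG1_CONTENTS = ["221 Goodbye, have a good infection |3a 29 2e 0d 0a|"]
SIG2_CONTENTS = ["Wonk-", "|00|#waste|00|"]

def snort_content_to_bytes(content: str) -> bytes:
    """Decode a Snort content: pattern. Text between '|' pairs is hex bytes,
    everything else is a literal string."""
    out = bytearray()
    for i, part in enumerate(content.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def content_to_regex(content: str) -> str:
    """Translate one content: pattern into a RegexString fragment: hex bytes
    become \\xNN, spaces become [ ], '#' becomes [#] (as in the reply, since a
    bare '#' would start a comment in the config), other metachars get '\\'."""
    frag = []
    for i, part in enumerate(content.split("|")):
        if i % 2:
            frag += [f"\\x{b:02x}" for b in bytes.fromhex(part)]
            continue
        for ch in part:
            if ch == " ":
                frag.append("[ ]")
            elif ch == "#":
                frag.append("[#]")
            elif ch in _META:
                frag.append("\\" + ch)
            elif ch.isprintable():
                frag.append(ch)
            else:
                frag.append(f"\\x{ord(ch):02x}")
    return "".join(frag)

def rule_to_regex(contents) -> str:
    """Join the content: clauses in rule order with .* as the reply does.
    Snort's within:/distance: constraints are dropped, just like in the reply."""
    return ".*".join(content_to_regex(c) for c in contents)

def regex_matches_content(contents) -> bool:
    """Sanity check: the generated regex must match the exact byte sequence
    the Snort contents describe (Python's re stands in for the sensor)."""
    pattern = re.compile(rule_to_regex(contents).encode("ascii"), re.DOTALL)
    payload = b"".join(snort_content_to_bytes(c) for c in contents)
    return pattern.search(payload) is not None
```

Unlike the hand translation, every space is escaped consistently; the second rule comes out exactly as the reply wrote it.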
03-22-2004 10:47 AM
I just tried it, but it seems to crash the sensor. It has been processing the config for more than 2 hours.