[Emerging-Sigs] ET DROP Known Bot C&C Server Traffic --> 216.8.177.23
Matt Jonkman
jonkman at jonkmans.com
Fri Jul 11 16:55:05 EDT 2008
Arthur Boos Jr wrote:
> Thanks for the answers! Yes, I run a few more AV online,
> but nothing was detected. With tons of domains resolving to
> that IP, it's possible to trigger the rule just by loading a malicious
> page.
Ya, the idea behind those signatures though is that we've found these to
be good ONLY for bad things. So normally a non-bad workstation should
have absolutely no reason to initiate a connection to the bad IP.
Sure, you'll trigger it by probing that IP, but you know you're doing
that. :)
> I've found one, when I was googling. Usually, an infected
> computer tries to connect to a C&C server on a regular basis,
> am I right? But most of my systems triggered that sid just
> once (or twice, on one occasion), so there isn't much traffic
> to see.
Yes, generally they are rather regular. The HTTP based stuff especially
will go right after boot, and after trigger events. Try rebooting them
and track everything it does before the user even touches it.
> Perhaps monitoring the DNS queries I can find something
> interesting... Any other ideas ?
Reboot especially. Then have the user surf to a few online banking
websites and do a login with made-up credentials. Things like that that
ought to trigger a pass stealer to phone home with info.
If you can run a tcpdump on it and let it sit overnight. See who it
talks to over time.
Matt
>
> PS: Nice that whitelist solution!
>
> Regards,
>
> Arthur
> UFRGS - BR
> Universidade Federal do Rio Grande do Sul
>
> Philipp Bescht wrote:
>> Apart from freenode ips, there are also other big irc networks
>> included, for example:
>>
>> tux at notebook ~ $ for i in `dig +short irc.undernet.org`; do if
>> [ "$(grep $i emerging-botcc.rules)" ]; then if [ ! "$(grep $i
>> emerging-botcc.excluded)" ]; then echo "$i"; fi; fi; done
>> 64.18.128.86
>> 66.186.59.50
>> 69.16.172.40
>> 161.53.178.240
>> 193.109.122.67
>> 195.47.220.2
>> 208.83.20.130
>> 217.168.95.245
>> 38.114.116.5
>>
>> Same for dal.net, quakenet and others.
>> Sorry, just found out about the .excluded file. Wonder why I haven't
>> seen it before :D
>>
>> Regards,
>> Philipp
>>
>>
>>
>>
>> On Fri, 11 Jul 2008 07:45:24 -0400
>> Matt Jonkman <jonkman at jonkmans.com> wrote:
>>
>>> Added those, thanks Philipp.
>>>
>>> Matt
>>>
>>> Philipp Bescht wrote:
>>>> Hi Matt,
>>>>
>>>> Regarding the False Positives on freenode servers:
>>>>
>>>> philipp at desktop ~/et-rules $ for i in `dig +short
>>>> irc.freenode.org`; do l=$(grep $i emerging-botcc.rules); if
>>>> [[ $l ]]; then echo `echo $l | cut -d ';' -f 5` $i; fi; done | sort
>>>> sid:2404000 130.239.18.172
>>>> sid:2404000 140.211.166.3
>>>> sid:2404000 154.35.200.44
>>>> sid:2404002 204.11.244.21
>>>> sid:2404003 207.158.1.150
>>>> sid:2404004 209.177.146.34
>>>> sid:2404006 216.155.130.130
>>>> sid:2404008 64.161.254.20
>>>> sid:2404020 89.16.176.16
>>>>
>>>>
>>>> Regards,
>>>> Philipp
>>>>
>>>>
>>>>
>>>> On Thu, 10 Jul 2008 17:46:51 -0400
>>>> Matt Jonkman <jonkman at jonkmans.com> wrote:
>>>>
>>>>> Ya, we do auto update that from shadowserver. I was trying to
>>>>> whitelist the freenode servers. If anyone happens to notice one in
>>>>> there I haven't whitelisted please let me know.
>>>>>
>>>>> But ya, this is definitely a bad IP.
>>>>>
>>>>> Matt
>>>>>
>>>>> Philipp Bescht wrote:
>>>>>> Hello Arthur,
>>>>>>
>>>>>> I am getting false positives on this sid too, mostly because of
>>>>>> irc traffic to irc.freenode.org. I think this list is being
>>>>>> automatically compiled from the shadowserver archives, so if there
>>>>>> is a botnet c&c channel on freenode for example, the whole IP is
>>>>>> being considered 'dangerous'.
>>>>>>
>>>>>> But when looking at the list of domains resolving to the IP you
>>>>>> mentioned, there definitely is something suspicious about that:
>>>>>> http://www.robtex.com/ip/216.8.177.23.html
>>>>>>
>>>>>> I would take a closer look at the system(s) on your network
>>>>>> causing this traffic :)
>>>>>>
>>>>>> Regards,
>>>>>> Philipp
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Thu, 10 Jul 2008 12:27:26 -0300
>>>>>> Arthur Boos Jr <boos at cpd.ufrgs.br> wrote:
>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Since some weeks ago, we started getting many hits on rule
>>>>>>> "ET DROP Known Bot C&C Server Traffic (group 7)" (SID 2404006),
>>>>>>> with traffic going to 216.8.177.23 (ports 25, 80 and 443).
>>>>>>> The related packet is:
>>>>>>>
>>>>>>> 07/01/08-20:56:55.976724 XXX.XXX.XX.XX:2561 -> 216.8.177.23:80
>>>>>>> TCP TTL:127 TOS:0x0 ID:35416 IpLen:20 DgmLen:48 DF
>>>>>>> ******S* Seq: 0x74043F2B Ack: 0x0 Win: 0xFFFF TcpLen: 28
>>>>>>> TCP Options (4) => MSS: 1460 NOP NOP SackOK
>>>>>>>
>>>>>>> I ran some online antivirus scans on a few machines, but I could
>>>>>>> not detect any bot infection. Has anyone got false positives
>>>>>>> on events hitting that rule?
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Arthur
>>>>>>> UFRGS - BR
>>>>>>> Universidade Federal do Rio Grande do Sul
>>>>>>>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
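Philipp's one-liners above grep an IP straight into emerging-botcc.rules, which treats the dots as regex wildcards and matches substrings (so 64.18.128.8 would also "find" 64.18.128.86). The script below is an added example, not code from the thread or from Emerging Threats: it does the same rules-versus-.excluded check with exact address matching against constructed sample files whose rule layout is assumed for this example (the real file's field order may differ, which is why the sid is pulled by pattern rather than by field position, as the `cut -f 5` in the thread does).

```shell
#!/bin/sh
# botcc_hits RULES EXCLUDED IP...
# Prints "sid:NNNNNNN IP" for every IP that appears in a rule's bracketed
# address list and is NOT whitelisted in the .excluded file. Matching is
# exact (fixed string, whole token), so 192.0.2.1 never matches 192.0.2.10.
botcc_hits() {
    rules="$1"; excluded="$2"; shift 2
    for ip in "$@"; do
        # Whole-line fixed-string match: the IP is already whitelisted.
        if grep -qxF "$ip" "$excluded"; then continue; fi
        while IFS= read -r line; do
            # Address list is the first [...] group in the rule line.
            addrs=$(printf '%s\n' "$line" | sed -n 's/.*\[\([^]]*\)].*/\1/p')
            # Pull the sid by pattern rather than by semicolon field position.
            sid=$(printf '%s\n' "$line" | sed -n 's/.*\(sid:[0-9]*\).*/\1/p')
            if printf '%s\n' "$addrs" | tr ',' '\n' | grep -qxF "$ip"; then
                echo "$sid $ip"
            fi
        done < "$rules"
    done
    return 0
}

# Constructed sample files (documentation-range IPs, not the real ET files).
RULES_FILE=$(mktemp)
EXCL_FILE=$(mktemp)
trap 'rm -f "$RULES_FILE" "$EXCL_FILE"' EXIT
cat > "$RULES_FILE" <<'EOF'
alert tcp $HOME_NET any -> [192.0.2.10,192.0.2.100,198.51.100.7] any (msg:"ET DROP Known Bot C&C Server Traffic (group 0)"; flags:S; classtype:trojan-activity; sid:2404000; rev:1;)
alert tcp $HOME_NET any -> [203.0.113.5,203.0.113.50] any (msg:"ET DROP Known Bot C&C Server Traffic (group 1)"; flags:S; classtype:trojan-activity; sid:2404001; rev:1;)
EOF
cat > "$EXCL_FILE" <<'EOF'
203.0.113.5
EOF

# Stand-alone run. 192.0.2.1 is a prefix of a listed IP and must not hit;
# 203.0.113.5 is listed but excluded; the other two listed IPs are reported.
# Real use would be: botcc_hits emerging-botcc.rules emerging-botcc.excluded $(dig +short irc.freenode.org)
botcc_hits "$RULES_FILE" "$EXCL_FILE" 192.0.2.1 192.0.2.10 203.0.113.5 203.0.113.50 10.9.8.7
```

Feeding it the output of `dig +short` for each large IRC network, as the thread does, gives a list of candidates for the .excluded file without the substring and wildcard false hits; anything it still reports is an IP that the botcc feed lists and nobody has whitelisted yet.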