[Emerging-Sigs] SIGS: Avzhan DDOS Bot Fake User Agents

Kevin Ross kevross33 at googlemail.com
Mon Oct 11 17:08:40 EDT 2010


OK, typo in references, sorry about that. For the latter I would say
verification of the actual infection, though another sig could be written for
User-Agent|3A| !|20| within 1 sort of thing. Though you are right in that
one sig can detect this, whether it could be specific to this
infection is another question (I am not sure). Really up to everyone. These
sigs do already exist for this; just trying to detect more of the
communications by user agent.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Avzhan DDOS Bot Outbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; sid:2011585; rev:2;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN Avzhan DDOS Bot Inbound Hardcoded Malformed GET Request Denial Of Service Attack Detected"; flow:established,to_server; content:"GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"; depth:49; nocase; threshold:type limit, count 1, seconds 60, track by_src; classtype:attempted-dos; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; sid:2011767; rev:2;)


On 11 October 2010 22:02, evilghost at packetmail.net wrote:

>
> Two issues, one you have http:// in the fireeye references.  Two, why
> not just a single signature (untested/unverified):
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Potential Avzhan DDOS Bot or abnormal User-Agent"; flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan; sid:2010xxx; rev:1;)
>
> Flip as necessary for your Inbound one.  Don't really see the need for
> all these signatures or the need for the PCRE.
>
> - -evilghost
>
> On 10/11/2010 03:55 PM, Kevin Ross wrote:
> > For the Windows NT ones I used PCRE but with no whitespace after the
> > User-Agent|3A|, which is quite specific and abnormal, and the Windows NT
> > should help limit any actual PCRE checks. Kev
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Avzhan DDOS Bot Fake Windows NT User-Agent Observed Outbound"; flow:established,to_server; content:"User-Agent|3A|Mozilla/4.0 (compatible|3B| MSIE"; nocase; http_header; content:"Windows NT"; nocase; http_header; pcre:"/\x0D\x0AUser-Agent\x3AMozilla/4\x2E0\x20\x28compatible\x3B MSIE.+Windows NT.+(\x28SV1|5\x2E1\x3B SV1|MyIE 3\x2E01)/i"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,http://blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; sid:1340001; rev:1;)
> >
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Avzhan DDOS Bot Fake Windows NT User-Agent Observed Inbound"; flow:established,to_server; content:"User-Agent|3A|Mozilla/4.0 (compatible|3B| MSIE"; nocase; http_header; content:"Windows NT"; nocase; http_header; pcre:"/\x0D\x0AUser-Agent\x3AMozilla/4\x2E0\x20\x28compatible\x3B MSIE.+Windows NT.+(SV1|5\x2E1\x3B SV1|MyIE 3\x2E01)/i"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,http://blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; sid:1340002; rev:1;)
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Avzhan DDOS Bot Fake Linux User-Agent Observed Outbound"; flow:established,to_server; content:"User-Agent|3A|Mozilla/5.0 (X11|3B| U|3B| Linux i686|3B| en-US|3B| re|3A|1.4.0) Gecko/20080808 Firefox"; http_header; nocase; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,http://blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; sid:1340003; rev:1;)
> >
> > alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Avzhan DDOS Bot Fake Linux User-Agent Observed Inbound"; flow:established,to_server; content:"User-Agent|3A|Mozilla/5.0 (X11|3B| U|3B| Linux i686|3B| en-US|3B| re|3A|1.4.0) Gecko/20080808 Firefox"; http_header; nocase; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,http://blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; sid:1340004; rev:1;)
> >
> >
> >
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> >
> > Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> > http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>
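The checks the thread's signatures encode, rewritten as an added Python request checker (example code, not part of the thread or of any ET rule): the hard-coded GET path from the sid 2011585/2011767 rules, the two fake User-Agent strings from the posted rules, and the generic "User-Agent|3A| !|20| within 1" idea from the reply above. The sample requests are constructed for the example.

```python
import re

# Constants copied from the signature content strings in the thread.
AVZHAN_GET_PATH = "^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm"
AVZHAN_LINUX_UA = ("Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) "
                   "Gecko/20080808 Firefox")
# Same pattern as the posted PCRE, anchored on the raw header line so the
# missing space after "User-Agent:" is part of the match.
FAKE_WINNT_UA = re.compile(
    r"^User-Agent:Mozilla/4\.0 \(compatible; MSIE.+Windows NT.+"
    r"(SV1|5\.1; SV1|MyIE 3\.01)", re.I)


def parse_request(raw):
    """Split a raw HTTP request into its request line and header lines."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    return lines[0], lines[1:]


def classify(raw):
    """Return the list of Avzhan-related indicators found in one request."""
    hits = []
    request_line, headers = parse_request(raw)
    # sid 2011585/2011767: hard-coded path, nocase, within the first 49 bytes.
    if request_line.lower().startswith(("GET " + AVZHAN_GET_PATH).lower()):
        hits.append("avzhan-hardcoded-get")
    for line in headers:
        name, _, value = line.partition(":")
        if name.lower() != "user-agent":
            continue
        if FAKE_WINNT_UA.match(line):                           # sids 1340001/1340002
            hits.append("avzhan-fake-winnt-ua")
        if value.lower().startswith(AVZHAN_LINUX_UA.lower()):  # sids 1340003/1340004
            hits.append("avzhan-fake-linux-ua")
        # Generic check from the reply: a real browser always sends a space
        # after the colon, so "User-Agent:" followed by a non-space is abnormal.
        if not value.startswith(" "):
            hits.append("ua-no-space-after-colon")
    return hits


# Constructed sample requests (not captures from the thread).
SAMPLE_FLOOD = (b"GET " + AVZHAN_GET_PATH.encode() + b" HTTP/1.1\r\n"
                b"User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
                b"Host: example.test\r\n\r\n")
SAMPLE_LINUX = (b"GET / HTTP/1.1\r\nUser-Agent:" + AVZHAN_LINUX_UA.encode() +
                b"\r\nHost: example.test\r\n\r\n")
SAMPLE_NORMAL = (b"GET /index.html HTTP/1.1\r\n"
                 b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"
                 b"Host: example.test\r\n\r\n")
```

Note that SAMPLE_NORMAL carries the same Windows NT string as the flood request and is not flagged, only because of the space after the colon; that is exactly the distinction the PCRE relies on.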