[Emerging-Sigs] SIGS: Avzhan DDOS Bot Fake User Agents

Kevin Ross kevross33 at googlemail.com
Mon Oct 11 17:09:57 EDT 2010


differences in the user-agents, there are about 4 or 5 of them, focusing on
the common elements.

On 11 October 2010 22:00, Joel Esler <jesler at sourcefire.com> wrote:

> On the first two, why would you split the content into two?  That doesn't
> help anything.
>
>
> J
>
> On Oct 11, 2010, at 4:55 PM, Kevin Ross wrote:
>
> For the Windows NT ones I used PCRE but with no whitespace after the
> User-Agent|3A| which is quite specific and abnormal and the Windows NT it
> should help limit any actually PCRE checks. Kev
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Avzhan DDOS Bot Fake Windows NT User-Agent Observed Outbound"; flow:established,to_server; content:"User-Agent|3A|Mozilla/4.0 (compatible|3B| MSIE"; nocase; http_header; content:"Windows NT"; nocase; http_header; pcre:"/\x0D\x0AUser-Agent\x3AMozilla/4\x2E0\x20\x28compatible\x3B MSIE.+Windows NT.+(\x28SV1|5\x2E1\x3B SV1|MyIE 3\x2E01)/i"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,http://blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; sid:1340001; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Avzhan DDOS Bot Fake Windows NT User-Agent Observed Inbound"; flow:established,to_server; content:"User-Agent|3A|Mozilla/4.0 (compatible|3B| MSIE"; nocase; http_header; content:"Windows NT"; nocase; http_header; pcre:"/\x0D\x0AUser-Agent\x3AMozilla/4\x2E0\x20\x28compatible\x3B MSIE.+Windows NT.+(SV1|5\x2E1\x3B SV1|MyIE 3\x2E01)/i"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,http://blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; sid:1340002; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Avzhan DDOS Bot Fake Linux User-Agent Observed Outbound"; flow:established,to_server; content:"User-Agent|3A|Mozilla/5.0 (X11|3B| U|3B| Linux i686|3B| en-US|3B| re|3A|1.4.0) Gecko/20080808 Firefox"; http_header; nocase; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,http://blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; sid:1340003; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Avzhan DDOS Bot Fake Linux User-Agent Observed Inbound"; flow:established,to_server; content:"User-Agent|3A|Mozilla/5.0 (X11|3B| U|3B| Linux i686|3B| en-US|3B| re|3A|1.4.0) Gecko/20080808 Firefox"; http_header; nocase; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,http://blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; sid:1340004; rev:1;)
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and
> Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>
>
> --
> Joel Esler
> 302-223-5974
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20101011/e2d6a565/attachment-0001.html
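The detection logic of the four posted rules, re-implemented in Python as an added example for testing the idea offline; this is not code from the thread or from Emerging Threats. The HTTP requests are constructed for the example, the header block stands in for Snort's http_header buffer (an assumption: no header normalization is done), and the Linux content string is copied from the posted rule as written, including its "re:1.4.0" spelling.

```python
import re
from typing import Dict, Optional

# Raw HTTP requests constructed for this example (not captured traffic).
SAMPLES: Dict[str, bytes] = {
    # Ordinary IE: a space follows "User-Agent:", so the rules should not fire.
    "legit_ie": (
        b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n\r\n"
    ),
    # Ordinary Firefox: space after the colon and a different rv string.
    "legit_firefox": (
        b"GET / HTTP/1.1\r\nHost: www.example.test\r\n"
        b"User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2) "
        b"Gecko/20100115 Firefox/3.6\r\n\r\n"
    ),
    # The shape the thread's Windows NT rules describe: no space after the colon.
    "fake_nt": (
        b"GET /index.htm HTTP/1.1\r\nHost: www.example.test\r\n"
        b"User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n\r\n"
    ),
    # The shape the thread's Linux rules match, built from the posted content string.
    "fake_linux": (
        b"GET /index.htm HTTP/1.1\r\nHost: www.example.test\r\n"
        b"User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) "
        b"Gecko/20080808 Firefox/3.0\r\n\r\n"
    ),
}

# Translation of the posted PCRE for the Windows NT rules: the CRLF anchor,
# the missing space after "User-Agent:", and the three trailing alternatives.
# Bytes regex without DOTALL, so "." stays on one header line as in the
# original (no /s modifier).
FAKE_NT_RE = re.compile(
    rb"\r\nUser-Agent:Mozilla/4\.0 \(compatible; MSIE.+Windows NT.+"
    rb"(\(SV1|5\.1; SV1|MyIE 3\.01)",
    re.IGNORECASE,
)

# The two nocase content matches that gate the PCRE in the NT rules.
NT_CONTENT = (b"user-agent:mozilla/4.0 (compatible; msie", b"windows nt")

# Content string from the posted Linux rules (nocase), spelling preserved.
LINUX_CONTENT = (
    b"user-agent:mozilla/5.0 (x11; u; linux i686; en-us; re:1.4.0) "
    b"gecko/20080808 firefox"
)


def header_block(raw: bytes) -> bytes:
    """Return the request headers up to and including the last CRLF before
    the blank line. Stands in for Snort's http_header buffer (assumption:
    no folding or whitespace normalization is applied here)."""
    end = raw.find(b"\r\n\r\n")
    return raw if end < 0 else raw[: end + 2]


def classify(raw: bytes) -> Optional[str]:
    """Apply the thread's two detections to one request; label or None."""
    hdrs = header_block(raw)
    lower = hdrs.lower()
    # Linux variant: a single case-insensitive content match is the whole rule.
    if LINUX_CONTENT in lower:
        return "avzhan_fake_linux"
    # NT variant: both content matches must hit before the PCRE is evaluated,
    # mirroring how the posted rule limits PCRE work to likely candidates.
    if all(c in lower for c in NT_CONTENT) and FAKE_NT_RE.search(hdrs):
        return "avzhan_fake_nt"
    return None


def scan(requests: Dict[str, bytes]) -> Dict[str, str]:
    """Classify every request and keep only the ones that fired."""
    hits: Dict[str, str] = {}
    for name, raw in requests.items():
        label = classify(raw)
        if label:
            hits[name] = label
    return hits


if __name__ == "__main__":
    for name, label in scan(SAMPLES).items():
        print(f"{name}: {label}")
```

Running the script reports only the two constructed fake requests; the two normal browser requests fall through because the content matches require "User-Agent:" to be followed immediately by "Mozilla", the quirk Kevin relies on to keep the PCRE from running against ordinary traffic. The match is therefore deliberately narrow, which is the trade-off the thread is discussing.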

