[Emerging-Sigs] SIGS: Avzhan DDOS Bot Fake User Agents

Will Metcalf william.metcalf at gmail.com
Tue Oct 12 18:47:23 EDT 2010


> ummm... then again... perhaps this bot is also behind an install of this proxy???

Nope, the proxy is indeed broken.

Regards,

Will

On Tue, Oct 12, 2010 at 5:40 PM, waldo kitty <wkitty42 at windstream.net> wrote:
> On 10/12/2010 18:02, Will Metcalf wrote:
>> Oh and btw the browsers that I thought were doing this yesterday were
>> all behind this proxy ;-).
>
> that does make a difference... maybe it is time to alert the proxy maintainer to
> the problem?
>
> ummm... then again... perhaps this bot is also behind an install of this proxy???
>
>>
>> Regards,
>>
>> Will
>>
>> On Tue, Oct 12, 2010 at 4:56 PM, Will Metcalf <william.metcalf at gmail.com> wrote:
>>> I've seen one proxy do this.  I'm running through ALL of our pcaps to
>>> see what else I see but this takes time.  So perhaps we send it out as
>>> is and see what people report fp wise ;-)...
>>>
>>> Regards,
>>>
>>> Will
>>>
>>> On Tue, Oct 12, 2010 at 4:47 PM, Matthew Jonkman
>>> <jonkman at emergingthreatspro.com> wrote:
>>>> What are people seeing/ Getting FPs?
>>>>
>>>> I'm not seeing any.
>>>>
>>>> Matt
>>>>
>>>> On Oct 12, 2010, at 2:47 PM, waldo kitty wrote:
>>>>
>>>>> On 10/11/2010 18:16, Will Metcalf wrote:
>>>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>>>>>>> USER_AGENTS Potential Avzhan DDOS Bot or abnormal User-Agent";
>>>>>>> flow:established,to_server; content:"User-Agent|3A|Mozilla"; http_header;
>>>>>>> classtype:trojan-activity;
>>>>>>> reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html;
>>>>>>> reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan;
>>>>>>> sid:2010xxx; rev:1;)
>>>>>>
>>>>>> Based on the sample datasets I have, I think this will fp a lot.
>>>>>> Looking at the traffic this sig trips on it seems there are some
>>>>>> lesser known valid browsers that will cause this to fire.
>>>>>
>>>>> that's not cool... is there a list of these browsers somewhere??
>
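The rule quoted in the thread keys on the raw bytes `User-Agent:Mozilla` (the `|3A|` is a hex-escaped colon) with no space after the colon, which is a formatting anomaly rather than a specific User-Agent value. The script below, an added illustration that is not part of the thread or of the ET rule itself, mirrors that content match as a plain substring test over constructed requests and shows why a proxy or browser that simply omits the optional space after the colon trips it even though a standards-following header parser sees an ordinary Firefox User-Agent; the request samples, host name and proxy behaviour are all constructed assumptions.

```python
# Constructed sample requests (not captured traffic from the thread).
SAMPLES = {
    # Ordinary browser: one space after the colon, as most clients emit.
    "firefox": (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 "
                b"Firefox/3.6\r\n\r\n"),
    # Assumed bot-style request: header emitted with no space after the colon.
    "bot_like": (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                 b"User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
                 b"\r\n\r\n"),
    # Assumed proxy behaviour (the false-positive case from the thread): the
    # same Firefox UA re-serialised by a proxy that drops the optional space.
    "proxy_rewritten": (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                        b"User-Agent:Mozilla/5.0 (X11; Linux x86_64) "
                        b"Gecko/20100101 Firefox/3.6\r\n\r\n"),
}


def header_block(raw: bytes) -> bytes:
    """Request line plus headers, up to and including the final CRLF."""
    end = raw.find(b"\r\n\r\n")
    return raw if end == -1 else raw[:end + 2]


def sig_matches(raw: bytes) -> bool:
    """Approximate the rule's content match as a raw, case-sensitive
    substring test over the header block. This is a model of the pattern,
    not the IDS engine's own buffer handling."""
    return b"User-Agent:Mozilla" in header_block(raw)


def parsed_user_agent(raw: bytes):
    """What a standards-following parser sees: whitespace after the colon
    is optional, so its absence does not change the header's value."""
    for line in header_block(raw).split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"user-agent":
            return value.strip().decode("latin-1")
    return None


if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(f"{label:16} match={sig_matches(req)!s:5} UA={parsed_user_agent(req)}")
```

The `proxy_rewritten` sample is flagged exactly like `bot_like` while its parsed User-Agent is identical to the `firefox` one, which is the false-positive class the thread is weighing before the rule ships.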