[Emerging-Sigs] SIGS: Linux/ShellshockCampaign.DDOSBot

Kevin Ross kevross33 at googlemail.com
Sat Sep 27 09:58:44 EDT 2014


# Bot -> C2 check-in: the infected host reports its own address as "My IP: a.b.c.d\n".
# Longest possible message is 7 + 15 + 1 = 23 bytes, hence dsize:<24; depth:7 pins the
# literal prefix to the very start of the payload. \d{1,3} does not range-check octets
# (0-255), which is acceptable given how specific the fixed prefix already is.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Reporting IP"; flow:established,to_server; dsize:<24; content:"My IP|3a 20|"; depth:7; pcre:"/My\x20IP\x3A\x20\d{1,3}(?:\x2E\d{1,3}){3}\x0A/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:1239911; rev:1;)

# C2 -> bot: ask the bot for its local IP. The command is the fixed 13-byte string
# "! GETLOCALIP\n"; dsize:13 plus depth:13 means only the bare command, nothing else
# in the segment, will match.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Get Bot IP CnC Server Message"; flow:established,to_client; dsize:13; content:"|21 20|GETLOCALIP|0a|"; depth:13; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:1239912; rev:1;)

# C2 -> bot keep-alive: fixed 7-byte "! PING\n". Exact dsize keeps this short pattern
# from firing on longer payloads that merely begin with the same bytes.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Ping CnC Server Message"; flow:established,to_client; dsize:7; content:"|21 20|PING|0a|"; depth:7; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:1239913; rev:1;)

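# C2 -> bot: toggle the bot's scanner. Messages are "! SCANNER ON\n" (13 bytes) or
# "! SCANNER OFF\n" (14 bytes).
# Corrections to the rule as submitted:
#  - "dsize:12><15" is not valid dsize syntax (the range operator is "<>"), so the rule
#    would not load. Because "<>" is exclusive in Suricata and its inclusivity is not the
#    same across engines, the exact length is enforced by the fully anchored pcre instead,
#    and dsize is kept only as a cheap, unambiguous upper-bound pre-filter.
#  - depth:9 was smaller than the 10-byte content "! SCANNER "; a content can never be
#    located inside a depth shorter than itself, so the rule could never fire.
#  - "\z" (absolute end) rather than "$" so a trailing extra newline is not tolerated.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Scanner CnC Server Message"; flow:established,to_client; dsize:<15; content:"! SCANNER "; depth:10; pcre:"/^\x21\x20SCANNER\x20(?:ON|OFF)\x0A\z/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:1239914; rev:1;)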

# C2 -> bot: execute a shell command on the bot. Only the 4-byte prefix "! SH" is checked
# (no dsize, no pcre), which makes this the loosest rule in the set: any server whose
# replies happen to start with "! SH" on any port will trip it. The full command format
# is not shown here; if captures confirm it is always "! SH <cmd>\n", a follow-up
# pcre:"/^\x21\x20SH\x20[^\n]+\x0A/" would be the natural tightening (not applied,
# format unverified).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Execute Shell Command CnC Server Message"; flow:established,to_client; content:"|21 20|SH"; depth:4; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:1239915; rev:1;)

# C2 -> bot: start a random-byte flood against the dotted-quad target that follows
# "! JUNK ". depth:7 ties the 7-byte prefix to payload offset 0; the pcre then requires
# an IPv4-looking target (octets not range-checked). Whatever follows the address
# (port, duration, ...) is left unconstrained.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Random Byte Flood CnC Server Message"; flow:established,to_client; content:"|21 20|JUNK|20|"; depth:7; pcre:"/\x21\x20JUNK\x20\d{1,3}(?:\x2E\d{1,3}){3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:1239916; rev:1;)

# C2 -> bot: start a UDP flood against the dotted-quad target that follows "! UDP ".
# 6-byte prefix anchored at offset 0 via depth:6; pcre requires an IPv4-looking target.
# Trailing parameters are not constrained.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot UDP Flood CnC Server Message"; flow:established,to_client; content:"|21 20|UDP|20|"; depth:6; pcre:"/\x21\x20UDP\x20\d{1,3}(?:\x2E\d{1,3}){3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:1239917; rev:1;)

# C2 -> bot: start a TCP flood against the dotted-quad target that follows "! TCP ".
# Same shape as the UDP rule: 6-byte prefix at offset 0, then an IPv4-looking target.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot TCP Flood CnC Server Message"; flow:established,to_client; content:"|21 20|TCP|20|"; depth:6; pcre:"/\x21\x20TCP\x20\d{1,3}(?:\x2E\d{1,3}){3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:1239918; rev:1;)

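# C2 -> bot: start a connection-holding TCP flood against the dotted-quad target that
# follows "! HOLD ".
# Correction to the rule as submitted: depth:6 was one byte short of the 7-byte content
# "! HOLD " (same prefix length as "! JUNK "), so the content could never be found within
# the depth and the rule would never fire. depth:7 restores the intended "must start the
# payload" constraint, matching the sibling JUNK/UDP/TCP rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot HOLD TCP Flood CnC Server Message"; flow:established,to_client; content:"! HOLD "; depth:7; pcre:"/\x21\x20HOLD\x20\d{1,3}(?:\x2E\d{1,3}){3}/"; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:1239919; rev:1;)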

# C2 -> bot: stop the running attack. Fixed 11-byte "! KILLATTK\n"; exact dsize plus
# full-length depth means only the bare command matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Kill Attack CnC Server Message"; flow:established,to_client; dsize:11; content:"|21 20|KILLATTK|0a|"; depth:11; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:1239920; rev:1;)

# C2 -> bot: terminate the bot process. Fixed 12-byte "! LOLNOGTFO\n"; exact dsize plus
# full-length depth means only the bare command matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Linux/ShellshockCampaign.DDOSBot Terminate Process CnC Server Message"; flow:established,to_client; dsize:12; content:"|21 20|LOLNOGTFO|0a|"; depth:12; reference:url,research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html; reference:cve,2014-6271; classtype:trojan-activity; sid:1239921; rev:1;)

Kind Regards,
Kevin Ross