[Emerging-Sigs] SIGS: Linux/ShellshockCampaign.DDOSBot

Darien Huss dhuss at emergingthreats.net
Mon Sep 29 10:59:53 EDT 2014


Thanks Kevin, we'll get these into QA today!

Regards,
Darien

On Sat, Sep 27, 2014 at 9:58 AM, Kevin Ross <kevross33 at googlemail.com>
wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
> Linux/ShellshockCampaign.DDOSBot Reporting IP"; flow:established,to_server;
> dsize:<24; content:"My IP|3A| "; depth:7;
> pcre:"/My\x20IP\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x0A/";
> classtype:trojan-activity; reference:url,
> research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html;
> reference:cve,2014-6271; sid:1239911; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN
> Linux/ShellshockCampaign.DDOSBot Get Bot IP CnC Server Message";
> flow:established,to_client; dsize:13; content:"! GETLOCALIP|0A|"; depth:13;
> classtype:trojan-activity; reference:url,
> research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html;
> reference:cve,2014-6271; sid:1239912; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN
> Linux/ShellshockCampaign.DDOSBot Ping CnC Server Message";
> flow:established,to_client; dsize:7; content:"! PING|0A|"; depth:7;
> classtype:trojan-activity; reference:url,
> research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html;
> reference:cve,2014-6271; sid:1239913; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN
> Linux/ShellshockCampaign.DDOSBot Scanner CnC Server Message";
> flow:established,to_client; dsize:12><15; content:"! SCANNER "; depth:10;
> pcre:"/\x21\x20SCANNER\x20(ON|OFF)\x0A/"; classtype:trojan-activity;
> reference:url,
> research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html;
> reference:cve,2014-6271; sid:1239914; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN
> Linux/ShellshockCampaign.DDOSBot Execute Shell Command CnC Server Message";
> flow:established,to_client; content:"! SH"; depth:4;
> classtype:trojan-activity; reference:url,
> research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html;
> reference:cve,2014-6271; sid:1239915; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN
> Linux/ShellshockCampaign.DDOSBot Random Byte Flood CnC Server Message";
> flow:established,to_client; content:"! JUNK "; depth:7;
> pcre:"/\x21\x20JUNK\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/";
> classtype:trojan-activity; reference:url,
> research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html;
> reference:cve,2014-6271; sid:1239916; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN
> Linux/ShellshockCampaign.DDOSBot UDP Flood CnC Server Message";
> flow:established,to_client; content:"! UDP "; depth:6;
> pcre:"/\x21\x20UDP\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/";
> classtype:trojan-activity; reference:url,
> research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html;
> reference:cve,2014-6271; sid:1239917; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN
> Linux/ShellshockCampaign.DDOSBot TCP Flood CnC Server Message";
> flow:established,to_client; content:"! TCP "; depth:6;
> pcre:"/\x21\x20TCP\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/";
> classtype:trojan-activity; reference:url,
> research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html;
> reference:cve,2014-6271; sid:1239918; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN
> Linux/ShellshockCampaign.DDOSBot HOLD TCP Flood CnC Server Message";
> flow:established,to_client; content:"! HOLD "; depth:7;
> pcre:"/\x21\x20HOLD\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/";
> classtype:trojan-activity; reference:url,
> research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html;
> reference:cve,2014-6271; sid:1239919; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN
> Linux/ShellshockCampaign.DDOSBot Kill Attack CnC Server Message";
> flow:established,to_client; dsize:11; content:"! KILLATTK|0A|"; depth:11;
> classtype:trojan-activity; reference:url,
> research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html;
> reference:cve,2014-6271; sid:1239920; rev:1;)
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN
> Linux/ShellshockCampaign.DDOSBot Terminate Process CnC Server Message";
> flow:established,to_client; dsize:12; content:"! LOLNOGTFO|0A|"; depth:12;
> classtype:trojan-activity; reference:url,
> research.zscaler.com/2014/09/shellshock-attacks-spotted-in-wild.html;
> reference:cve,2014-6271; sid:1239921; rev:1;)
>
> Kind Regards,
> Kevin Ross
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
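To sanity-check signatures like the ones quoted above before they reach QA, here is an added example (not part of the thread, and not an Emerging Threats or Snort tool): a minimal evaluator for the dsize/content/depth/pcre options of four of the posted rules, run against constructed bot messages. It also lints the one load-time mistake that bites most often in hand-written rules, a depth shorter than the content it has to hold (as posted, the SCANNER rule has a 10-byte content under depth:9 and the HOLD rule a 7-byte content under depth:6). The message bytes are constructed from the patterns in the rules; the arguments after the IP address in the HOLD command are an assumption.

```python
import re

# Constructed sample traffic for the bot protocol the rules above describe.
# Message shapes come from the content/pcre options of the posted rules; the
# flood-command arguments after the IP address are an assumption.
SAMPLE_MESSAGES = {
    "bot_report":   b"My IP: 192.0.2.10\n",
    "report_no_nl": b"My IP: 192.0.2.10",            # edge case: trailing newline missing
    "ping":         b"! PING\n",
    "scanner_on":   b"! SCANNER ON\n",
    "scanner_off":  b"! SCANNER OFF\n",
    "hold":         b"! HOLD 198.51.100.7 80 60\n",  # args after the IP are assumed
    "benign":       b"HTTP/1.1 200 OK\r\n",
}

# Only the payload-matching options of four of the posted rules, copied as
# written (including the depth values exactly as they appear in the thread).
RULES = {
    "report":  {"dsize": "<24", "content": "My IP|3A| ", "depth": 7,
                "pcre": r"/My\x20IP\x3A\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x0A/"},
    "ping":    {"dsize": "7", "content": "! PING|0A|", "depth": 7},
    "scanner": {"dsize": "12><15", "content": "! SCANNER ", "depth": 9,
                "pcre": r"/\x21\x20SCANNER\x20(ON|OFF)\x0A/"},
    "hold":    {"content": "! HOLD ", "depth": 6,
                "pcre": r"/\x21\x20HOLD\x20\d{1,3}\x2E\d{1,3}\x2E\d{1,3}\x2E\d{1,3}/"},
}


def decode_content(spec: str) -> bytes:
    """Expand Snort |hex| escapes: 'My IP|3A| ' -> b'My IP: '."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def dsize_ok(spec: str, n: int) -> bool:
    """Snort dsize semantics: N, <N, >N, or the exclusive range lo><hi."""
    if "><" in spec:
        lo, hi = spec.split("><")
        return int(lo) < n < int(hi)
    if spec[0] in "<>":
        return n < int(spec[1:]) if spec[0] == "<" else n > int(spec[1:])
    return n == int(spec)


def pcre_to_regex(spec: str) -> re.Pattern:
    """Turn a /body/flags pcre option into a compiled bytes regex."""
    end = spec.rfind("/")
    body, flags = spec[1:end], spec[end + 1:]
    re_flags = (re.IGNORECASE if "i" in flags else 0) | (re.DOTALL if "s" in flags else 0)
    return re.compile(body.encode("latin-1"), re_flags)


def lint(rule: dict) -> list:
    """Problems a rule parser flags at load time: depth shorter than the content."""
    pat = decode_content(rule["content"])
    depth = rule.get("depth", len(pat))
    if depth < len(pat):
        return [f"depth {depth} is shorter than the {len(pat)}-byte content {pat!r}"]
    return []


def fixed_depth(rule: dict) -> dict:
    """Copy of the rule with depth raised to the content length."""
    return {**rule, "depth": len(decode_content(rule["content"]))}


def matches(rule: dict, payload: bytes) -> bool:
    """Evaluate dsize, then content within the first `depth` bytes, then pcre."""
    if "dsize" in rule and not dsize_ok(rule["dsize"], len(payload)):
        return False
    pat = decode_content(rule["content"])
    if pat not in payload[:rule.get("depth", len(payload))]:
        return False
    return "pcre" not in rule or pcre_to_regex(rule["pcre"]).search(payload) is not None


def scan(rules: dict, messages: dict) -> dict:
    """Map (rule name, message name) -> alert/no alert for every pair."""
    return {(r, m): matches(rule, msg)
            for r, rule in rules.items() for m, msg in messages.items()}


if __name__ == "__main__":
    for name, rule in RULES.items():
        for problem in lint(rule):
            print(f"{name}: {problem}")
    for (r, m), hit in sorted(scan(RULES, SAMPLE_MESSAGES).items()):
        print(f"{r:8} {m:13} {'ALERT' if hit else '-'}")
```

Run as-is, the linter reports the two depth problems and the SCANNER and HOLD rules never alert on their own commands; the same rules passed through fixed_depth() alert as intended. The "report_no_nl" case shows why the trailing \x0A in the Reporting IP pcre matters: the content and dsize checks pass, and only the pcre keeps a message without the newline from firing.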