[Emerging-Sigs] ET USER_AGENTS - Casper RFI Bot Search

Mike Cox mike.cox52 at gmail.com
Thu Jul 8 10:37:50 EDT 2010

This is for a RFI scanner and bot dropper.  In the exploit attempt I
saw, it was trying to get the bot to communicate to irc.ownzirc.co.cc.
I've attached two perl based IRC bots, password on the .zip is
'casper'.  The User-Agent 'Casper Bot Search' was used.  Rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
USER_AGENTS Casper RFI Bot Search"; flow:established,to_server;
content:"|0D 0A|User-Agent\: Casper Bot Search|0D 0A|";
classtype:web-application-attack; sid:201xxxx; rev:1;)

-Mike Cox
-------------- next part --------------
A non-text attachment was scrubbed...
Name: casperbots.zip
Type: application/zip
Size: 46945 bytes
Desc: not available
Url : http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20100708/4aa550f7/casperbots-0001.zip

More information about the Emerging-sigs mailing list