# ET TROJAN IRC Potential bot command response -- sid:2002033, rev:17 (current revision).
# The leading '#' on the rule line below means it ships disabled; drop it to enable.
# Matches client-to-server traffic on an established TCP session ($HOME_NET -> $EXTERNAL_NET)
# whose payload begins with "PRIVMSG " (depth:8) followed by a ':' within 30 bytes, then a
# case-insensitive pcre for the status strings a bot reports back over IRC (file transfer,
# port scan, random spreading/scanning, exploiting, flooding, thread/scan stopped, exec).
# NOTE(review): unlike rev 15, this revision has no 'nocase' on the "PRIVMSG " content match,
# so a lowercase command spelling would not trigger it -- confirm that is intended.
# When it fires, treat the $HOME_NET source as a likely IRC-bot infection and look for the
# scan/flood/spread traffic the message claims to have started.
#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:55:47 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:17;)

Added 2011-10-23 20:31:07 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IRC Potential bot command response"; flow:established,to_server; content:"PRIVMSG "; fast_pattern:only; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:16;)

Added 2011-10-21 14:50:57 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow:established; content:"PRIVMSG|20|"; nocase; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; reference:url,doc.emergingthreats.net/2002033; classtype:trojan-activity; sid:2002033; rev:15;)

Added 2011-10-12 19:11:11 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow:established; content:"PRIVMSG|20|"; nocase; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002033; sid:2002033; rev:15;)

Added 2011-09-14 21:12:49 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow:established; content:"PRIVMSG|20|"; nocase; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2002033; rev:15;)

Added 2011-02-04 17:21:41 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow:established; content:"PRIVMSG|20|"; nocase; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2002033; rev:15;)

Added 2010-07-26 13:31:00 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow:established; content:"PRIVMSG|20|"; nocase; depth:8; content:"|3a|"; within:30; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2002033; rev:15;)

Added 2010-07-26 13:31:00 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2002033; rev:14;)

Added 2010-06-28 22:46:58 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2002033; rev:14;)

Added 2010-06-28 22:46:58 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid: 2002033; rev:14;)

Added 2009-02-13 19:15:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid: 2002033; rev:14;)

Added 2009-02-13 19:15:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; classtype: trojan-activity; sid: 2002033; rev:13;)

Added 2008-08-27 11:15:21 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; classtype: trojan-activity; sid: 2002033; rev:13;)

Added 2008-08-27 11:15:21 UTC


alert tcp any any -> any any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; classtype: trojan-activity; sid: 2002033; rev:12;)

Added 2008-03-09 19:05:29 UTC


alert tcp any any -> any any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; classtype: trojan-activity; sid: 2002033; rev:12;)

Added 2008-03-09 19:05:29 UTC


alert tcp any any -> any any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002033; rev:11;)

Added 2008-01-31 10:12:23 UTC


alert tcp any any -> any any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002033; rev:11;)

Added 2008-01-31 10:12:23 UTC


alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002033; rev:10;)

Added 2007-07-26 01:00:50 UTC


alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002033; rev:9; )

Added 2007-07-10 00:15:57 UTC


alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002033; rev:8; )

Added 2007-03-15 12:15:20 UTC

Update from Reg Quinton:

We caught this one >

> >> 03/14-17:27:01.820972 129.97.xx.xx:1030 -> 89.248.xx.xx:7545
> >> TCP TTL:125 TOS:0x0 ID:136 IpLen:20 DgmLen:169 DF
> >> ***AP*** Seq: 0xB366AECC  Ack: 0x1AABD917  Win: 0x804D  TcpLen: 20
> >> 50 52 49 56 4D 53 47 20 23 23 64 65 68 20 3A 5B  PRIVMSG ##deh :[
> >> 5A 59 53 43 41 4E 5D 3A 20 52 61 6E 64 6F 6D 20  ZYSCAN]: Random
> >> 53 70 72 65 61 64 69 6E 67 20 53 74 61 72 74 69  Spreading Starti
> >> 6E 67 20 6F 6E 20 31 32 39 2E 78 2E 78 2E 78 3A  ng on 129.x.x.x:
> >> 31 34 33 33 20 77 69 74 68 20 61 20 64 65 6C 61  1433 with a dela
> >> 79 20 6F 66 20 35 20 73 65 63 6F 6E 64 73 20 66  y of 5 seconds f
> >> 6F 72 20 30 20 6D 69 6E 75 74 65 73 20 75 73 69  or 0 minutes usi
> >> 6E 67 20 31 35 30 20 74 68 72 65 61 64 73 2E 0D  ng 150 threads..
> >> 0A 

Added `Spreading` to the pcre (`Random Scanner` became `Random (Spreading|Scanner)`), so the `Random Spreading Starting on ...` status line in the capture above now matches.

Thanks Reg!

-- MattJonkman - 15 Mar 2007


alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random Scanner|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002033; rev:7; )


