Creating beast signature

garyprice
Level 1

I would like to create a custom signature to identify this backdoor. I am using CISCO k9-4235's and am at the latest on all apps S63............

Beast2.05

from -SANS-

http://isc.sans.org/diary.html?date=2003-12-15

The default listen port is 6666 and the port for its outbound connections is 9999. The 'server' calls itself svchost.exe. It can be remotely controlled either in a listening mode or in a "reverse mode". In the reverse mode, once installed, it connects to a server. Many firewalls allow connections from the inside of the network outbound; in such a network "The Beast" can bypass the firewall by opening the outbound connection to its server.

Any help would be appreciated!

Gary Price

2 Replies

anthall
Level 1

You can use the 9xxx and 92xx series signatures as a template for your custom signature. I would write one of each for port 6666 and 9999.

-Tony

Interesting traffic. I didn't find any for the beast (TCP6666->TCP9999). But I have seen tons of traffic to and from a CounterStrike server in Germany. Seems it initiates a client session using port 9999......Sig is working great.....

gp
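
A port-based check like the one discussed in this thread, written as an added example (it is not from the original posts and is not Cisco IDS signature syntax): it flags new TCP connections to the Beast default ports 6666 and 9999 in constructed flow records. The internal range 10.0.0.0/8, the flow-line layout and the high/low ranking are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the thread): internal address range and flow-line layout.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
LISTEN_PORT, REVERSE_PORT = 6666, 9999  # Beast defaults quoted from the SANS diary

# Constructed sample flows: "src sport dst dport tcp_flags" (first packet seen).
SAMPLE_FLOWS = """\
203.0.113.7 40112 10.1.1.20 6666 S
10.1.1.20 1045 203.0.113.7 9999 S
10.1.1.31 1050 198.51.100.9 9999 S
10.1.1.31 1051 198.51.100.9 9999 S
10.1.1.40 1060 192.0.2.80 80 S
198.51.100.9 9999 10.1.1.31 1050 SA
"""

def classify(line):
    """Return (internal_host, mode) for a new connection on a Beast default port, else None."""
    src, _sport, dst, dport, flags = line.split()
    if flags != "S":              # only connection initiations (SYN without ACK)
        return None
    src_in = ipaddress.ip_address(src) in INTERNAL
    dst_in = ipaddress.ip_address(dst) in INTERNAL
    dport = int(dport)
    if dst_in and not src_in and dport == LISTEN_PORT:
        return dst, "listen"      # outside client reaching a listening server
    if src_in and not dst_in and dport == REVERSE_PORT:
        return src, "reverse"     # inside host calling out in reverse mode
    return None

def triage(flow_text):
    """Group hits per internal host; the ranking is a heuristic assumed for this example."""
    seen = defaultdict(set)
    for line in flow_text.splitlines():
        hit = classify(line) if line.strip() else None
        if hit:
            seen[hit[0]].add(hit[1])
    # A host matching on both ports ranks above a single-port match, which the
    # thread shows also fires on unrelated traffic that happens to use port 9999.
    return {h: ("high" if len(m) == 2 else "low", sorted(m)) for h, m in seen.items()}

if __name__ == "__main__":
    for host, (level, modes) in triage(SAMPLE_FLOWS).items():
        print(host, level, modes)
```

A match on port numbers alone says nothing about the payload, so the "low" entries need a second look before anyone treats them as infections.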