Cisco Support Community
Phatbot Trojan/Worm Detection

This trojan/worm was discovered on the 15th and has a high exploitation potential. Its details are summarized and our coverage is outlined here:

http://www.cisco.com/cgi-bin/front.x/csec/view.pl?VID=3913

Derek

3 REPLIES

Re: Phatbot Trojan/Worm Detection

I am trying to convert these two Snort signatures into Cisco IDS sigs. Since this is my first time using the custom signature function, can someone help me out here, especially with the regular expression part?

Snort Sig 1.

alert tcp any any -> any any (msg:"Agobot/Phatbot Infection Successful";
flow:established; content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|";
dsize:40; classtype:trojan-activity;
reference:url,www.lurhq.com/phatbot.html; sid:1000075; rev:1;)

Cisco Sig 1.

SIGID: 20006
SubSig: 0 default: 0
AlarmDelayTimer:
AlarmInterval:
AlarmSeverity: medium default: medium
AlarmThrottle: Summarize
AlarmTraits:
CapturePacket: True default: False
ChokeThreshold:
Direction: ToService default: ToService
Enabled: True
EndMatchOffset:
EventAction:
FlipAddr:
MaxInspectLength: 40
MaxTTL:
MinHits: 1
MinMatchLength:
Protocol: TCP default: TCP
RegexString: 221 Goodbye\, have a good infection
ResetAfterIdle: 15
ServicePorts: 0-65535
SigComment:
SigName: Agobot/Phatbot Infection Successful default: STRING.TCP
SigStringInfo:
SigVersion:
StorageKey: STREAM
StripTelnetOptions:
SummaryKey: Axxx
ThrottleInterval: 15
WantFrag:

Snort Sig 2:

alert tcp any any -> any any (msg:"Phatbot P2P Control Connection";
flow:established; content:"Wonk-"; content:"|00|#waste|00|"; within:15;
classtype:trojan-activity; reference:url,www.lurhq.com/phatbot.html;
sid:1000076; rev:1;)

Cisco Sig 2.

SIGID: 20007
SubSig: 1 default: 0
AlarmDelayTimer:
AlarmInterval:
AlarmSeverity: medium
AlarmThrottle: Summarize
AlarmTraits:
CapturePacket: True default: False
ChokeThreshold:
Direction: ToService
Enabled: True
EndMatchOffset:
EventAction:
FlipAddr:
MaxInspectLength:
MaxTTL:
MinHits: 1
MinMatchLength:
Protocol: TCP
RegexString: Wonk-.*waste
ResetAfterIdle: 15
ServicePorts: 0-65535
SigComment:
SigName: Phatbot P2P Control Connection default: STRING.TCP
SigStringInfo:
SigVersion:
StorageKey: STREAM
StripTelnetOptions:
SummaryKey: Axxx
ThrottleInterval: 15
WantFrag:


Re: Phatbot Trojan/Worm Detection

Here is a translation of the regexes that should work:

1)

content:"221 Goodbye, have a good infection |3a 29 2e 0d 0a|"

221 Goodbye,[ ]have a good[ ]infection[ ]\x3a\x29\x2e\x0d\x0a

2)

content:"Wonk-"; content:"|00|#waste|00|"

Wonk-.*\x00[#]waste\x00

Note: A word of caution about the ServicePorts parameters. Setting them to all TCP ports like the Snort signature is likely to cause a fairly negative performance impact on your sensor. One possible way to lessen the impact would be to use the ATOMIC.TCP engine instead of STRING.TCP. Just substitute the SinglePacketRegex parameter for RegexString, and set the following:

TcpFlags PSH|ACK

Mask ACK

This causes a little less overhead in your signatures, but it is also going to cause a significant load on your sensor. It is best to limit the port range if you can.


Re: Phatbot Trojan/Worm Detection

I just tried it, but it seems to crash the sensor. It has been processing the config for more than 2 hours.
