##################################################################
## Malware Threat Center (mtc.sri.com) - Mon Oct 5 08:44:07 2009
## SRI International
## The data on this website is the product of ongoing research
## and is for your personal use only. It is supplied AS IS,
## WITHOUT WARRANTY OF ANY KIND. Use or reliance on this data
## is at your own risk.
##################################################################
#
# Snort rule export from the SRI Malware Threat Center (date in the banner above).
# Rules sit under "# -- <category>, <direction>: <n> of 2008, from <start> to <end>"
# headers and are listed in descending order of <n>; <n> presumably is the number of
# times the rule fired on the MTC sensors in that window -- treat it as a ranking hint,
# not a property of the rule itself.
# The E<n>[rb] prefix in msg mirrors the category header: E2 = Inbound Exploit,
# E3 = Egg Download, E4 = C&C Channel, E5 = Outbound Scan, E6 = Local Attack Prep.
# Rules under a bare "Inbound"/"Outbound" header carry no E-prefix. Where the same
# signature exists as an inbound (E2, sid 2...) and an outbound (E5, sid 5...) copy,
# the two differ only in which side is $HOME_NET.
# Deployment notes:
#   * $HOME_NET, $EXTERNAL_NET, $HTTP_PORTS and $SHELLCODE_PORTS must be defined by the
#     loading snort.conf; nothing in this file defines them.
#   * Several IRC rules test flowbits:isset,is_proto_irc, but no rule in this file sets
#     that bit -- without a companion rule that sets it they can never fire.
#   * The address-list rules (bogon, RBN, DROP C&C groups) are static snapshots from the
#     banner date and need refreshing from their reference URLs before use.
#   * Most E3 "executable upload" rules are unordered substring matches with no protocol
#     decoding; expect them to alert on benign transfers as well.
#
# -- Inbound Exploit, Inbound: 1057 of 2008, from 09/01 to 10/04
# Ten consecutive 0x90 bytes on SMB/RPC ports, no flow or direction qualifier; the
# null-interleaved (90 00 ...) variant is sid:299906 below -- both carry the same msg.
alert tcp $EXTERNAL_NET any -> $HOME_NET [135:139,445,1025] (msg:"E2[rb] SHELLCODE x86 0x90 unicode NOOP"; content:"|90 90 90 90 90 90 90 90 90 90|"; classtype:shellcode-detect; sid:299913; rev:1;)
# -- Egg Download, Inbound: 1033 of 2008, from 09/01 to 10/04
# Generic PE header ("MZ" then "PE\0\0" within 250 bytes) from any source port except 20;
# fires on every Windows executable download, benign or not.
alert tcp $EXTERNAL_NET !20 -> $HOME_NET any (msg:"E3[rb] BotHunter Malware Windows executable (PE) sent from remote host"; content: "MZ"; content: "PE|00 00|"; within:250; flow: established; sid:5001684; rev:99;)
# -- Egg Download, Inbound: 1029 of 2008, from 09/01 to 10/04
# Same purpose as sid:5001684, keyed on the DOS-stub text instead of the PE signature.
alert tcp $EXTERNAL_NET !20 -> $HOME_NET any (msg:"E3[rb] BLEEDING-EDGE Malware Windows executable sent from remote host"; content: "MZ"; content: "This program cannot be run in DOS mode"; flow: established; sid:2001683; rev:3;)
# -- Outbound Scan, Outbound: 666 of 2008, from 09/01 to 10/04
# cmd.exe banner leaving a $HOME_NET host on any port other than 21-23, i.e. a local
# machine serving a Windows shell to an external peer (classtype successful-admin).
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"E5[rb] REGISTERED FREE ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:52123; rev:3;)
# -- Inbound Exploit, Inbound: 605 of 2008, from 09/01 to 10/04
# Run of 'C' (0x43) bytes on SMB/RPC ports; plain text data containing the same run
# also matches.
alert tcp $EXTERNAL_NET any -> $HOME_NET [135:139,445,1025] (msg:"E2[rb] SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:299998; rev:1;)
# -- Inbound Exploit, Inbound: 605 of 2008, from 09/01 to 10/04
# Same pattern for any IP protocol from $SHELLCODE_PORTS; one packet may trigger both
# this and sid:299998 (identical hit counts above).
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"E2[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:21390; rev:5;)
# -- Inbound Exploit, Inbound: 568 of 2008, from 09/01 to 10/04
# SMB IPC$ share connect; sets flowbits smb.tree.connect.ipc, which nothing in this file
# consumes -- informational unless another loaded rule reads it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"E2[rb] NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:22466; rev:7;)
# -- Egg Download, Inbound: 545 of 2008, from 09/01 to 10/04
# Three unordered substrings ("ftp", "echo", ".exe") anywhere in a stream to 445;
# nocase applies only to the last content (".exe").
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"E3[rb] BotHunter MALWARE executable upload"; flow:established,to_server; content:"ftp"; content: "echo"; content: ".exe"; nocase; classtype: misc-activity; sid:3000006; rev:99; )
# -- Egg Download, Outbound: 533 of 2008, from 09/01 to 10/04
# The next three rules share the same header and opcode check (|00 01| = TFTP read
# request); sid:1444 and sid:2008120 are exact duplicates, so every outbound TFTP read
# alerts twice, and three times when the filename contains ".exe".
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] TFTP GET .exe from external source"; content:"|00 01|"; depth:2; content:".exe"; offset:2; nocase; classtype:successful-admin; sid:3001441; rev:1;)
# -- Egg Download, Outbound: 533 of 2008, from 09/01 to 10/04
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] TFTP GET from external source"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;)
# -- Egg Download, Outbound: 533 of 2008, from 09/01 to 10/04
alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"E3[rb] ET POLICY Outbound TFTP Read Request"; content:"|00 01|"; depth:2; classtype:bad-unknown; sid:2008120; rev:1;)
# -- Egg Download, Outbound: 397 of 2008, from 09/01 to 10/04
# "GET", "HTTP", ".exe" from a $HOME_NET source port in 1028-1040; depth:300 constrains
# only the ".exe" match. Counterpart of the inbound sid:3000000.
alert tcp $HOME_NET 1028:1040 -> $EXTERNAL_NET any (msg: "E3[rb] BotHunter HTTP-based .exe Upload on backdoor port"; content:"GET"; content: "HTTP"; content: ".exe"; depth: 300; classtype: misc-activity; sid:3000003; rev:99; )
# -- Inbound Exploit, Inbound: 376 of 2008, from 09/01 to 10/04
# Run of 0x31 ('1') bytes anywhere in a stream to 445, no flow qualifier; broad. The
# stricter ET version with offset/depth is sid:22000032.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "E2[rb] BotHunter EXPLOIT LSA exploit"; content:"|3131313131313131313131313131313131313131313131|"; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:292000032; rev:99; )
# -- Inbound Exploit, Inbound: 375 of 2008, from 09/01 to 10/04
# Stricter LSA signature: to_server only, longer 0x31 run, window offset 78 / depth 192.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "E2[rb] BLEEDING-EDGE EXPLOIT LSA exploit"; flow: to_server,established; content:"|3131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:22000032; rev:6; )
# -- Egg Download, Inbound: 339 of 2008, from 09/01 to 10/04
# Inbound "Content-Type: application/x-exe" to a $HOME_NET port in 1030-1040.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1030:1040 (msg: "E3[rb] BotHunter HTTP-based .exe Upload on backdoor port"; content:"Content-Type\: application/x-exe"; depth: 300; classtype: misc-activity; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; sid:3000000; rev:99; )
# -- Inbound, Inbound: 278 of 2008, from 09/01 to 10/04
# Bogon list as of the banner date; once these ranges are allocated the rule flags
# legitimate traffic, so refresh from the cymru reference before deploying.
# Limit 1 alert per source per 360 s.
alert ip [50.0.0.0/8,100.0.0.0/6,104.0.0.0/5,112.0.0.0/6,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6] any -> $HOME_NET any (msg:"ET POLICY Reserved IP Space Traffic - Bogon Nets 2"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002750; rev:10;)
# -- Local Attack Prep, Outbound: 247 of 2008, from 09/01 to 10/04
# IRC USERHOST at the very start of a client payload to a port outside 6661-6668;
# tags the session for 300 s. Server-side pair is sid:2000346.
alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "E6[rb] ET ATTACK RESPONSE IRC - dns request on non-std port"; flow: to_server,established; content:"USERHOST "; nocase; offset: 0; depth: 9; tag: session,300,seconds; classtype: policy-violation; sid: 2000352; rev:6;)
# -- Inbound Exploit, Inbound: 234 of 2008, from 09/01 to 10/04
# SMB Session Setup ASN.1 length check; CVE-2003-0818 / MS04-007 per the references.
# "NTMLSSP" in msg is a typo in the original rule text and is left as is.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg: "E2[rb] NETBIOS SMB-DS Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:23003; rev:4;)
# -- C&C Channel, Inbound: 201 of 2008, from 09/01 to 10/04
# Generic IRC server NOTICE AUTH banner -- any IRC connection, not specifically a bot.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] ET POLICY IRC authorization message"; flow: established; content:"NOTICE AUTH"; content:"Looking up your hostname..."; nocase; classtype: misc-activity; sid: 2000355; rev:4;)
# -- C&C Channel, Inbound: 181 of 2008, from 09/01 to 10/04
# Static RBN hosting-net list; note this rule carries no classtype, unlike its siblings.
alert ip [58.65.233.0/24,58.65.239.66/31,65.99.192.0/20,65.254.48.0/20,66.232.96.0/19,66.252.0.0/19,69.50.160.0/19,81.94.16.0/20,81.95.128.0/19,85.249.23.0/24,85.255.112.0/24,85.255.116.0/24,85.255.121.0/24,88.201.208.0/20,194.146.204.0/22,194.226.64.0/20,194.226.96.0/24,195.114.16.0/23,195.64.140.0/23,195.64.162.0/23,208.72.160.0/20] any -> $HOME_NET any (msg:"E4[rb] ET rbN Known Russian Business Network Traffic - Hosting Nets"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold:type limit, track by_src, seconds 60, count 1; sid:2406000; rev:7;)
# -- C&C Channel, Inbound: 181 of 2008, from 09/01 to 10/04
# Static RBN host list (15); limit 1 per source per 60 s.
alert ip [65.254.54.178,65.99.192.0/20,66.152.85.101,66.152.85.110,66.152.85.116,66.152.85.123,66.232.96.0/19,66.244.254.0/24,66.252.0.0/19,66.252.1.255] any -> $HOME_NET any (msg:"E4[rb] ET RBN Known Russian Business Network Monitored Domains (15)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406019; rev:43;)
# -- Egg Download, Inbound: 147 of 2008, from 09/10 to 09/30
# "220 StnyFtpd" banner from a server on a port >= 1024 with payload under 30 bytes;
# tags the session.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"E3[rb] ET ATTACK RESPONSE Unusual FTP Server Banner on High Port (StnyFtpd)"; flow:established,from_server; dsize:<30; content:"220 StnyFtpd"; depth:12; offset:0; nocase; classtype:trojan-activity; tag:session; sid:2007726; rev:2;)
# -- C&C Channel, Outbound: 143 of 2008, from 09/01 to 10/04
# Korgo.U check-in: all five URI fragments must be present, in any order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E4[rb] ET WORM Korgo.U Reporting"; flow: to_server,established; uricontent:"/index.php?id="; nocase; uricontent:"cnt="; nocase; uricontent:"&scn="; nocase; uricontent:"&inf="; nocase; uricontent:"&ver="; nocase; reference:url,www.f-secure.com/v-descs/korgo_u.shtml; classtype: trojan-activity; sid: 2003070; rev:4;)
# -- Egg Download, Outbound: 120 of 2008, from 09/01 to 10/04
# Any outbound TCP stream containing "get", "echo", ".exe" (depth 200 applies only to
# ".exe"); no flow qualifier. "Scrip-based" is a typo in the original msg, left as is.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "E3[rb] BotHunter Scrip-based Windows egg download .exe"; content:"get"; content: "echo"; content: ".exe"; depth: 200; classtype: misc-activity; sid:31000004; rev:99; )
# -- C&C Channel, Outbound: 70 of 2008, from 09/01 to 10/04
# Virut.A IRC JOIN to port 65520.
alert tcp $HOME_NET any -> $EXTERNAL_NET 65520 (msg:"E4[rb] ET TROJAN W32.Virut.A joining an IRC Channel"; flow:established,to_server; content:"JOIN &virtu"; classtype:trojan-activity; reference:url,www.bitcrank.net; sid:2003603; rev:2;)
# -- Egg Download, Inbound: 65 of 2008, from 09/01 to 09/04
# Port-139 copy of sid:3000006.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"E3[rb] BotHunter MALWARE executable upload"; flow:established,to_server; content:"ftp"; content: "echo"; content: ".exe"; nocase; classtype: misc-activity; sid:32000004; rev:99; )
# -- C&C Channel, Inbound: 59 of 2008, from 09/01 to 10/03
# Server reply starting with ':' and containing " 302 " (IRC USERHOST reply numeric) on
# a port outside 6661-6668; pairs with sid:2000352. Tags the session for 300 s.
alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg: "E4[rb] ET ATTACK RESPONSE IRC - Name response on non-std port"; flow: to_client,established; dsize: <128; content:"\:"; offset: 0; depth: 1; content:" 302 "; content:"=+"; content:"@"; tag: session,300,seconds; classtype: trojan-activity; sid: 2000346; rev:7;)
# -- Outbound, Outbound: 49 of 2008, from 09/01 to 09/27
# Requires flowbits is_proto_irc, which this file never sets (see header note).
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; classtype:trojan-activity; sid:2008124; rev:1;)
# -- C&C Channel, Inbound: 44 of 2008, from 09/01 to 09/30
# IRC welcome banner; policy-level, same caveat as sid:2000355.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] ET POLICY IRC connection"; flow: established; content:"Welcome to the "; content:"IRC Network"; nocase; classtype: misc-activity; sid: 2000356; rev:4;)
# -- Egg Download, Inbound: 36 of 2008, from 09/01 to 10/01
# PE download check with isdataat size guards between the matches; sets flowbits
# BE.http.binary, which nothing in this file consumes.
alert tcp $EXTERNAL_NET !20 -> $HOME_NET !25 (msg:"E3[rb] ET POLICY PE EXE Install Windows file download"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program must be "; distance: 0; isdataat: 140,relative; content:"PE"; distance: 0; flowbits:set,BE.http.binary; reference:url,www.program-transformation.org/Transform/PcExeFormat; classtype: misc-activity; sid: 2000427; rev:9;)
# -- Egg Download, Inbound: 23 of 2008, from 09/02 to 10/04
# |5F75702E657865| is the ASCII string "_up.exe"; Sasser transfer on port 9996.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9996 (msg:"E3[rb] ET WORM Sasser Transfer _up.exe"; flow: established,to_server; content:"|5F75702E657865|"; depth: 250; classtype: misc-activity; reference:url,vil.mcafeesecurity.com/vil/content/Print125009.htm; sid:2000047; rev:4;)
# -- Outbound, Outbound: 23 of 2008, from 09/03 to 10/04
# Adware installer URI; policy-level.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Partner Install"; flow: established,to_server; uricontent:"/inst.php?id="; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; sid: 2001894; rev:5;)
# -- Inbound Exploit, Inbound: 22 of 2008, from 09/02 to 10/04
# Fixed byte signature for Sasser.worm.b; no port restriction.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "E2[rb] BLEEDING-EDGE VIRUS W32/Sasser.worm.b -NAI-)"; flow: established; content:"|58 BC 0C FF 59 57 32 31 BD EC 34 64 6E D6 E3 8D 65 04 68 58 62 79 DF D8 2C 25 6A B5 28 BA 13 74|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html; classtype: misc-activity; sid:22001056; rev:5; )
# -- Egg Download, Inbound: 19 of 2008, from 09/01 to 09/10
# ".com" variant of sid:3000006.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"E3[rb] BotHunter MALWARE executable upload"; flow:established,to_server; content:"ftp"; content: "echo"; content: ".com"; nocase; classtype: misc-activity; sid:3000007; rev:99; )
# -- Inbound Exploit, Inbound: 17 of 2008, from 09/01 to 10/03
# Null-interleaved (90 00) form of sid:299913.
alert tcp $EXTERNAL_NET any -> $HOME_NET [135:139,445,1025] (msg:"E2[rb] SHELLCODE x86 0x90 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:299906; rev:1;)
# -- C&C Channel, Inbound: 15 of 2008, from 09/01 to 10/04
# Bot scan command carried in an IRC channel topic (numeric 332); requires is_proto_irc
# (never set here); tags the destination host for 300 s.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] ET TROJAN BOT - channel topic scan/exploit command"; flowbits:isset,is_proto_irc; flow: to_client,established; content:"|3a|"; offset: 0; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; nocase; within: 40; tag: host,300,seconds,dst; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn1))/i"; classtype: trojan-activity; sid: 2002029; rev:7;)
# -- Outbound Scan, Outbound: 11 of 2008, from 09/03 to 10/04
# 70 or more SYNs to port 445 from one source within 60 s; destination is "any", so
# internal-to-internal scanning is counted as well.
alert tcp $HOME_NET any -> any 445 (msg: "E5[rb] BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; classtype: misc-activity; sid:2001569; rev:11; )
# -- C&C Channel, Inbound: 11 of 2008, from 09/24 to 09/27
# ".advscan " command over IRC; requires is_proto_irc (never set here).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "E4[rb] BLEEDING-EDGE WORM RXBOT / rbOT Vulnerability Scan"; flow: established; flowbits:isset,is_proto_irc; content:"|2E|advscan|20|"; nocase; reference:url,www.nitroguard.com/rxbot.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_rbOT.GL; reference:url,www.muzzleflash.org/readarticle.php?article_id=5#scanning; classtype: trojan-activity; sid:2001184; rev:5; )
# -- C&C Channel, Outbound: 10 of 2008, from 09/01 to 10/02
# Static shadowserver C&C list (group 12), outbound; snapshot as of the banner date,
# limit 1 per source per hour.
alert ip $HOME_NET any -> [66.45.234.200,66.54.153.162,66.63.172.154,66.7.192.11,66.90.99.148,66.96.240.201,67.106.205.73,67.109.160.112,67.118.192.228,67.132.247.119,67.159.0.243,67.159.0.251,67.159.0.254,67.159.17.231,67.159.24.190,67.159.26.180,67.18.136.5,67.18.176.176,67.18.176.40,67.18.208.91,67.18.208.96,67.19.130.66,67.19.147.202,67.19.184.20,67.19.238.44,67.19.246.130,67.19.50.66,67.19.93.226,67.205.77.231,67.210.225.202,67.220.66.105,67.225.131.201,67.228.103.248,67.228.162.65,67.228.42.241,67.228.99.245,67.43.226.186,67.43.229.46,67.43.232.34,67.43.232.35,67.43.232.36,67.43.232.37,67.43.232.38,67.43.233.64,67.43.235.214,67.43.236.106,67.43.236.66,67.43.236.67,67.43.236.68,67.43.236.69,67.43.237.230,67.80.40.117,68.186.222.72,68.43.158.36,68.44.4.190,68.75.207.189,68.84.56.61,69.107.7.194,69.14.233.99,69.142.26.223] any (msg:"E4[rb] ET DROP Known Bot C&C Server Traffic (group 12) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404011; rev:1142;)
# -- C&C Channel, Inbound: 6 of 2008, from 09/06 to 10/04
# "scan" not preceded by an alphanumeric, ':' or whitespace; requires is_proto_irc
# (never set here).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] COMMUNITY BOT GTBot scan command"; flow: established; flowbits:isset,is_proto_irc; content:"scan"; pcre:"/[^a-zA-Z0-9\x3A\s]scan/"; classtype: trojan-activity; sid:100000274; rev:2;)
# -- Egg Download, Outbound: 5 of 2008, from 09/09 to 09/29
# ICQ installer direct-download path; policy-violation, not malware as such.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"E3[rb] ET POLICY ICQ Install Direct download - Not normal mode of install"; flow:established,to_server; uricontent:"/pub/ICQ_Win95_98_NT4/"; nocase; classtype: policy-violation; sid:2002986; rev:2;)
# -- C&C Channel, Inbound: 5 of 2008, from 09/01 to 09/19
# Static RBN host list (17).
alert ip [67.19.24.172,67.19.24.173,67.19.24.174,67.19.24.175,67.19.51.0/24,67.19.72.202,67.19.72.205,67.19.72.206,67.43.236.0/24,67.55.64.0/19] any -> $HOME_NET any (msg:"E4[rb] ET rbN Known Russian Business Network Monitored Domains (17)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406021; rev:43;)
# -- C&C Channel, Outbound: 5 of 2008, from 09/02 to 10/02
# Static shadowserver C&C list (group 14), outbound.
alert ip $HOME_NET any -> [69.60.110.195,69.61.67.10,69.63.215.163,69.64.35.127,69.64.39.194,69.64.39.201,69.64.39.202,69.64.40.83,69.64.47.44,69.64.48.105,69.64.48.65,69.64.51.176,69.64.51.225,69.64.59.238,69.65.97.206,69.93.184.186,69.93.229.206,69.93.9.12,70.101.149.111,70.168.231.17,70.84.72.111,70.84.72.115,70.85.129.195,70.85.129.223,70.85.174.226,70.85.222.107,70.85.31.213,70.87.44.114,71.114.216.227,71.216.87.193,71.6.216.17,71.6.216.18,71.6.216.26,71.6.216.33,71.6.216.6,71.6.216.66,71.6.216.67,71.6.216.75,71.87.221.229,71.98.250.72,72.10.163.130,72.10.163.194,72.10.163.252,72.10.172.210,72.10.172.211,72.10.172.212,72.10.172.213,72.10.172.214,72.10.172.218,72.11.142.40,72.131.59.27,72.174.8.243,72.20.1.162,72.20.14.161,72.20.14.162,72.20.15.196,72.20.15.208,72.20.15.219,72.20.15.222,72.20.15.224] any (msg:"E4[rb] ET DROP Known Bot C&C Server Traffic (group 14) "; reference:url,www.shadowserver.org; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; sid:2404013; rev:1142;)
# -- C&C Channel, Inbound: 4 of 2008, from 09/06 to 10/04
# PRIVMSG form of sid:2002029 with the same command list; requires is_proto_irc
# (never set here).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E4[rb] ET TROJAN BOT - potential scan/exploit command"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,dst; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|exploited|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn1))/i"; classtype: trojan-activity; sid: 2002030; rev:10;)
# -- Inbound Exploit, Inbound: 2 of 2008, from 09/01 to 09/01
# MS06-040 NetrpPathCanonicalize request over SMB on 139; the port-445 copy is sid:2003082.
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"E2[rb] ET EXPLOIT NETBIOS SMB DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; classtype:misc-attack; sid:2003081; rev:3;)
# -- C&C Channel, Inbound: 2 of 2008, from 09/03 to 09/12
# Static RBN host list (28).
alert ip [81.95.149.171,81.95.149.178,81.95.149.181,81.95.149.27,81.95.153.243,81.95.154.41,81.95.156.0/22,82.114.64.251,82.146.56.140,82.98.86.170] any -> $HOME_NET any (msg:"E4[rb] ET rbN Known Russian Business Network Monitored Domains (28)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406032; rev:43;)
# -- Outbound Scan, Outbound: 2 of 2008, from 09/01 to 09/08
# Outbound copy of sid:22000032 (E5: a local host attacking outward).
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg: "E5[rb] BLEEDING-EDGE EXPLOIT LSA exploit"; flow: to_server,established; content:"|3131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:52000032; rev:6; )
# -- Outbound Scan, Outbound: 2 of 2008, from 09/01 to 09/08
# Outbound copy of sid:299913.
alert tcp $HOME_NET any -> $EXTERNAL_NET [135:139,445,1025] (msg:"E5[rb] SHELLCODE x86 0x90 unicode NOOP"; content:"|90 90 90 90 90 90 90 90 90 90|"; classtype:shellcode-detect; sid:599913; rev:1;)
# -- Outbound Scan, Outbound: 2 of 2008, from 09/01 to 09/08
# Outbound copy of sid:292000032.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg: "E5[rb] BotHunter EXPLOIT LSA exploit"; content:"|3131313131313131313131313131313131313131313131|"; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid:592000032; rev:99; )
# -- Outbound Scan, Outbound: 2 of 2008, from 09/01 to 09/08
# Outbound copy of sid:22466; also sets smb.tree.connect.ipc.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"E5[rb] NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:52466; rev:7;)
# -- Outbound, Outbound: 1 of 2008, from 09/29 to 09/29
# User-Agent containing the literal phrase "Microsoft Internet Explorer", excluding four
# Microsoft/VMware destinations by negated content; limit 2 per source per 360 s.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User Agent (Microsoft Internet Explorer)"; flow: to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Microsoft Internet Explorer/i"; content:!"microsoft.com"; nocase; content:!"www.vmware.com"; nocase; content:!"msn.com"; nocase; content:!".live.com"; nocase; threshold:type limit, track by_src, count 2, seconds 360; reference:url,www.topinstalls.com; classtype:trojan-activity; sid:2002400; rev:12;)
# -- C&C Channel, Inbound: 1 of 2008, from 09/03 to 09/03
# Static RBN host list (2).
alert ip [193.93.232.6,193.93.235.5,194.110.69.0/24,194.126.174.124,194.146.204.0/22,194.226.64.0/20,194.226.96.0/24,194.67.0.0/18,194.67.27.115,194.67.27.125] any -> $HOME_NET any (msg:"E4[rb] ET RBN Known Russian Business Network Monitored Domains (2)"; reference:url,doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2406006; rev:43;)
# -- Outbound Scan, Outbound: 1 of 2008, from 09/29 to 09/29
# Outbound copy of sid:21390.
alert ip $HOME_NET $SHELLCODE_PORTS -> $EXTERNAL_NET any (msg:"E5[rb] REGISTERED FREE SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:51390; rev:5;)
# -- Outbound Scan, Outbound: 1 of 2008, from 09/29 to 09/29
# Outbound copy of sid:299998.
alert tcp $HOME_NET any -> $EXTERNAL_NET [135:139,445,1025] (msg:"E5[rb] SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:599998; rev:1;)
# -- Inbound Exploit, Inbound: 1 of 2008, from 09/25 to 09/25
# Fixed byte pattern of the PexFnstenvMov/Sub encoder named in msg; the second content
# must follow the first at distance 4 within 5. Any IP protocol from $SHELLCODE_PORTS.
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"E2[rb] BLEEDING-EDGE EXPLOIT x86 PexFnstenvMov/Sub Encoder"; content:"|D9 EE D9 74 24 F4 5B 81 73 13|"; content:"|83 EB FC E2 F4|"; distance: 4; within: 5; classtype:shellcode-detect; sid:22002903; rev:1;)
# -- Inbound Exploit, Inbound: 1 of 2008, from 09/15 to 09/15
# Port-445 copy of sid:2003081.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"E2[rb] ET EXPLOIT NETBIOS SMB-DS DCERPC NetrpPathCanonicalize request (possible MS06-040)"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|25|"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00|"; within:9; distance:4; content:"|1f 00|"; distance:20; within:2; reference:url,www.microsoft.com/technet/security/bulletin/MS06-040.mspx; classtype:misc-attack; sid:2003082; rev:3;)
# -- Outbound, Outbound: 1 of 2008, from 09/09 to 09/09
# HTTP bot registration URI; header is "any any -> any $HTTP_PORTS", so this rule is not
# scoped to $HOME_NET and alerts in either direction.
alert tcp any any -> any $HTTP_PORTS (msg:"ET BOTNET HTTP Botnet reg"; flow: established; uricontent:"/reg?u="; nocase; content:"&v="; nocase; within: 15; content:"&s="; nocase; within: 15; content:"&su="; nocase; within: 15; content:"&p="; nocase; within: 15; classtype: trojan-activity; reference:url,www.honeynet.org/papers/bots; sid: 2001899; rev:8;)
# -- Inbound Exploit, Inbound: 1 of 2008, from 09/25 to 09/25
# Agobot/SDBot command vocabulary; requires is_proto_irc (never set here).
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"E2[rb] ET TROJAN Agobot-SDBot Commands"; flowbits:isset,is_proto_irc; flow:established; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; classtype: trojan-activity; sid:2003157; rev:3;)
# -- Outbound, Outbound: 1 of 2008, from 09/09 to 09/09
# Bobax check-in: "GET /reg?u=" (|3f| = '?') at the start of the payload, then "&v="
# (|26| = '&') exactly 8 bytes later. Same "any any -> any" scoping caveat as sid:2001899.
alert tcp any any -> any $HTTP_PORTS (msg:"ET TROJAN Possible Bobax trojan infection"; flow: established,to_server; content:"GET /reg|3f|u="; depth: 11; content:"|26|v="; within: 3; distance: 8; reference:url,www.lurhq.com/bobax.html; classtype: trojan-activity; sid: 2001901; rev:4;)