Educause Security Discussion mailing list archives
Identifying Gaobot/Korgo Botnet Drones
From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Sun, 11 Jul 2004 09:21:07 -0500
Howdy Folks --
From what I see in IRC, the Gaobot/Korgo botnets continue to be a pervasive problem for many HigherED institutions; more so for the DSL/Cablemodem ISPs. Several related variants have common signatures (various private message commands) that can be applied to an IDS (e.g. Snort) to allow for quick detection -- for now at least. So, here are a few Snort rules that you might consider applying. Please note that these rules could generate a very small number of false positives, but they are few and far between on our network:

# Four PRIVMSG keyword rules. Editorial fixes to the posted rules: "nocase:;" written as
# the documented "nocase;", and the sids made unique (the post reused sid:1000168 for all
# four, which Snort rejects as duplicate rules); the 1000169-1000171 values are assumed.
alert tcp $HOME_NET !21:443 -> any 6000:7000 (msg:"Possible RogueIRC 03"; content:"PRIVMSG"; nocase; content:"Exploit"; nocase; within:80; tag:session,20,packets; classtype:trojan-activity; sid:1000168; rev:6;)
alert tcp $HOME_NET !21:443 -> any 6000:7000 (msg:"Possible RogueIRC 04"; content:"PRIVMSG"; nocase; content:"lsass"; nocase; within:80; tag:session,20,packets; classtype:trojan-activity; sid:1000169; rev:6;)
alert tcp $HOME_NET !21:443 -> any 6000:7000 (msg:"Possible RogueIRC 05"; content:"PRIVMSG"; nocase; content:"ftp"; nocase; within:80; tag:session,20,packets; classtype:trojan-activity; sid:1000170; rev:6;)
alert tcp $HOME_NET !21:443 -> any 6000:7000 (msg:"Possible RogueIRC 06"; content:"PRIVMSG"; nocase; content:"Scan"; nocase; within:80; tag:session,20,packets; classtype:trojan-activity; sid:1000171; rev:6;)

Please let me know if you have any other PRIVMSG rules or if you just want to comment on the effectiveness of these four rules.

Hope this information is helpful.

~cam.

Cam Beasley
Sr. InfoSec Analyst
Information Security Office
The University of Texas at Austin
cam () austin utexas edu

---------------------------
Report Abuse To:
- abuse () utexas edu
- 512.475.9242
---------------------------

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
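The following is an added example, not code from the post above and not a Snort component: a small Python model of what the four posted rules actually match, so that the port negation (`$HOME_NET !21:443 -> any 6000:7000`), the case-insensitive `content` matches and the `within:80` constraint can be exercised against constructed IRC payloads. The sample flows are made up for the example (no real captures), the sids 1000169-1000171 are assumed for the three rules the post left with a duplicate sid, and the matching logic is a simplified re-implementation of the Snort options used, not the Snort engine itself.

```python
"""Toy model of the four PRIVMSG Snort rules from the post (added example).

Models only the rule options the post uses: source-port negation, destination
port range, two case-insensitive content matches, and `within`. Not a Snort
engine, and the sample flows below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    keyword: bytes      # second content; the first content is always PRIVMSG
    within: int = 80    # keyword must fit in the 80 bytes after PRIVMSG ends


# The post's four rules. sids 1000169-1000171 are an assumption: the post
# reused 1000168 for all four, which Snort rejects as duplicate rules.
RULES = [
    Rule(1000168, "Possible RogueIRC 03", b"Exploit"),
    Rule(1000169, "Possible RogueIRC 04", b"lsass"),
    Rule(1000170, "Possible RogueIRC 05", b"ftp"),
    Rule(1000171, "Possible RogueIRC 06", b"Scan"),
]

FIRST_CONTENT = b"PRIVMSG"
SRC_EXCLUDED = range(21, 444)    # $HOME_NET !21:443 -> ports 21..443 never alert
DST_RANGE = range(6000, 7001)    # -> any 6000:7000 (typical IRC server ports)


def ports_match(src_port: int, dst_port: int) -> bool:
    """Header part of the rule: source port not in 21:443, dest in 6000:7000."""
    return src_port not in SRC_EXCLUDED and dst_port in DST_RANGE


def content_match(payload: bytes, keyword: bytes, within: int) -> bool:
    """'content:PRIVMSG; nocase; content:<kw>; nocase; within:N'.

    Both patterns are compared case-insensitively. Snort retries later
    occurrences of the first content if the second fails, so every PRIVMSG
    occurrence is tried; the keyword must lie entirely inside the `within`
    bytes that follow the end of that occurrence.
    """
    hay = payload.lower()
    kw = keyword.lower()
    first = FIRST_CONTENT.lower()
    start = hay.find(first)
    while start != -1:
        end = start + len(first)
        if kw in hay[end:end + within]:
            return True
        start = hay.find(first, start + 1)
    return False


def match_rules(src_port: int, dst_port: int, payload: bytes) -> List[int]:
    """Return the sids of every rule that would fire on this flow."""
    if not ports_match(src_port, dst_port):
        return []
    return [r.sid for r in RULES if content_match(payload, r.keyword, r.within)]


# Constructed sample flows: (src_port, dst_port, payload). Not real captures.
SAMPLE_FLOWS: List[Tuple[int, int, bytes]] = [
    # drone-style scan command: fires the lsass and Scan rules
    (1025, 6667, b"PRIVMSG #bots :.scan.start lsass 100 5 0 -r -s"),
    # legitimate chat mentioning ftp: the kind of false positive the post warns about
    (1025, 6667, b"PRIVMSG #chat :which ftp client do you use?"),
    # same command, but source port 80 is inside the excluded 21:443 range
    (80, 6667, b"PRIVMSG #bots :.scan.start lsass 100 5 0 -r -s"),
    # same command, destination port outside 6000:7000
    (1025, 8067, b"PRIVMSG #bots :.scan.start lsass 100 5 0 -r -s"),
    # keyword present but more than 80 bytes after PRIVMSG: within:80 suppresses it
    (1025, 6667, b"PRIVMSG #chat :" + b"a" * 90 + b" ftp"),
    # lower-case command word and Exploit keyword: nocase makes both match
    (1025, 6668, b"privmsg #bots :exploit 10.0.0.1 lsass 445"),
]


def scan(flows) -> List[Tuple[int, List[int]]]:
    """Run every rule over every flow; returns (flow index, matching sids)."""
    return [(i, match_rules(src, dst, data)) for i, (src, dst, data) in enumerate(flows)]


if __name__ == "__main__":
    for idx, sids in scan(SAMPLE_FLOWS):
        print(idx, SAMPLE_FLOWS[idx][2][:40], sids)
```

Flow 1 shows why the poster expects occasional false positives: a human typing "ftp" in an IRC channel is indistinguishable from a bot command at this level of signature, which is also why the original rules tag the session so the surrounding packets can be reviewed. Flow 4 shows the other direction: `within:80` is a deliberate tightening, so a keyword that appears late in a long message is not caught, and a variant that pads its commands would evade these rules.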
Current thread:
- Identifying Gaobot/Korgo Botnet Drones Cam Beasley, ISO (Jul 11)
- <Possible follow-ups>
- Re: Identifying Gaobot/Korgo Botnet Drones Adam Goldstein (Jul 13)