Educause Security Discussion mailing list archives

Identifying Gaobot/Korgo Botnet Drones


From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Sun, 11 Jul 2004 09:21:07 -0500

Howdy Folks --

From what I see in IRC, the Gaobot/Korgo botnets continue 
to be a pervasive problem for many HigherED institutions; 
more so for the DSL/Cablemodem ISPs.  Several related variants 
have common signatures (various private message commands) that 
can be applied to an IDS (e.g. Snort) to allow for quick detection
-- for now at least.

So, here are a few Snort rules that you might consider applying. 
Please note that these rules could generate a very small number 
of false positives, but they are few and far between on our network:

# One rule per line. Each rule needs its own sid (local rules use 1000000 and
# above); the sids below are numbered in step with the "RogueIRC 03".."06" messages.
# Both content matches are case-insensitive; "within:80" requires the keyword to
# appear within 80 bytes after the end of the "PRIVMSG" match.
alert tcp $HOME_NET !21:443 -> any 6000:7000 (content:"PRIVMSG"; nocase; content:"Exploit"; nocase; within:80; tag:session,20,packets; msg:"Possible RogueIRC 03"; classtype:trojan-activity; sid:1000168; rev:6;)

alert tcp $HOME_NET !21:443 -> any 6000:7000 (content:"PRIVMSG"; nocase; content:"lsass"; nocase; within:80; tag:session,20,packets; msg:"Possible RogueIRC 04"; classtype:trojan-activity; sid:1000169; rev:6;)

alert tcp $HOME_NET !21:443 -> any 6000:7000 (content:"PRIVMSG"; nocase; content:"ftp"; nocase; within:80; tag:session,20,packets; msg:"Possible RogueIRC 05"; classtype:trojan-activity; sid:1000170; rev:6;)

alert tcp $HOME_NET !21:443 -> any 6000:7000 (content:"PRIVMSG"; nocase; content:"Scan"; nocase; within:80; tag:session,20,packets; msg:"Possible RogueIRC 06"; classtype:trojan-activity; sid:1000171; rev:6;)

Please let me know if you have any other PRIVMSG rules 
or if you just want to comment on the effectiveness of
these four rules.

Hope this information is helpful.

~cam.

Cam Beasley
Sr. InfoSec Analyst
Information Security Office
The University of Texas at Austin
cam () austin utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
- 512.475.9242
---------------------------

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.