Educause Security Discussion mailing list archives

Re: Identifying Gaobot/Korgo Botnet Drones


From: Adam Goldstein <adam.goldstein () VILLANOVA EDU>
Date: Tue, 13 Jul 2004 11:12:46 -0400

Cam Beasley, ISO wrote:

Howdy Folks --

From what I see in IRC, the Gaobot/Korgo botnets continue
to be a pervasive problem for many HigherED institutions;
more so for the DSL/Cablemodem ISPs.  Several related variants
have common signatures (various private message commands) that
can be applied to an IDS (e.g. Snort) to allow for quick detection
-- for now at least.

So, here are a few Snort rules that you might consider applying.
Please note that these rules could generate a very small number
of false positives, but they are few and far between on our network:

# Each rule: a case-insensitive "PRIVMSG" followed, within 80 bytes, by a case-insensitive keyword,
# from a non-server source port (!21:443) to the usual IRC port range (6000:7000).
# Note: Snort requires a unique sid per rule; as posted, all four rules reuse sid:1000168.
alert tcp $HOME_NET !21:443 -> any 6000:7000 (content:"PRIVMSG"; nocase; content:"Exploit"; nocase; within:80; tag:session,20,packets; msg:"Possible RogueIRC 03"; classtype:trojan-activity; sid:1000168; rev:6;)

alert tcp $HOME_NET !21:443 -> any 6000:7000 (content:"PRIVMSG"; nocase; content:"lsass"; nocase; within:80; tag:session,20,packets; msg:"Possible RogueIRC 04"; classtype:trojan-activity; sid:1000168; rev:6;)

alert tcp $HOME_NET !21:443 -> any 6000:7000 (content:"PRIVMSG"; nocase; content:"ftp"; nocase; within:80; tag:session,20,packets; msg:"Possible RogueIRC 05"; classtype:trojan-activity; sid:1000168; rev:6;)

alert tcp $HOME_NET !21:443 -> any 6000:7000 (content:"PRIVMSG"; nocase; content:"Scan"; nocase; within:80; tag:session,20,packets; msg:"Possible RogueIRC 06"; classtype:trojan-activity; sid:1000168; rev:6;)

Please let me know if you have any other PRIVMSG rules
or if you just want to comment on the effectiveness of
these four rules.

Hope this information is helpful.

~cam.

Cam Beasley
Sr. InfoSec Analyst
Information Security Office
The University of Texas at Austin
cam () austin utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
- 512.475.9242
---------------------------

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.


FYI, we picked up some very aggressive DDOS activity being launched via
IRC bots connecting to servers on port 44444.  These signatures will
work for them if the ports are changed.

Adam

--
Adam Goldstein CCNP CISSP
Villanova University
adam.goldstein () villanova edu
--
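As an added example (not code from either post), the following Python models what the four Snort rules above match: the source-port negation, the destination port range, the case-insensitive PRIVMSG-then-keyword check with Snort's `within:80` semantics, and Adam's point that only the port range needs changing for bots using port 44444. The `Segment` type and all sample payloads are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Keywords and rule numbers from the four posted rules ("Possible RogueIRC 03".."06").
RULES = {3: b"exploit", 4: b"lsass", 5: b"ftp", 6: b"scan"}
PRIVMSG = b"privmsg"
EXCLUDED_SRC = range(21, 444)     # the rules' "!21:443" source-port negation
DEFAULT_DST = range(6000, 7001)   # the rules' "6000:7000" destination range
WITHIN = 80                       # the rules' "within:80"

@dataclass
class Segment:                    # constructed stand-in for one TCP segment
    src_port: int
    dst_port: int
    payload: bytes

def matching_rules(seg, dst_ports=DEFAULT_DST):
    """Return the numbers of the posted rules this segment would trigger.

    Snort's `within:80` means the keyword must END within 80 bytes of the end
    of the "PRIVMSG" match; every PRIVMSG occurrence is tried, as Snort does.
    """
    if seg.dst_port not in dst_ports or seg.src_port in EXCLUDED_SRC:
        return []
    data = seg.payload.lower()    # both contents carry nocase
    hits = set()
    for m in re.finditer(re.escape(PRIVMSG), data):
        window = data[m.end(): m.end() + WITHIN]
        for num, kw in RULES.items():
            if kw in window:
                hits.add(num)
    return sorted(hits)

# Constructed sample segments (not real captures), one per case of interest.
SAMPLES = {
    "scan-and-lsass": Segment(1040, 6667, b"PRIVMSG #bots :.scan.start lsass 100 5 0\r\n"),
    "from-web-port":  Segment(80, 6667, b"PRIVMSG #bots :.scan.start lsass 100 5 0\r\n"),
    "benign-chat":    Segment(1041, 6667, b"PRIVMSG #chan :hello everyone\r\n"),
    "port-44444":     Segment(1042, 44444, b"PRIVMSG #bots :.scan.start 5 5 0\r\n"),
    "within-80":      Segment(1043, 6667, b"PRIVMSG " + b"x" * 72 + b"Exploit"),
    "beyond-80":      Segment(1043, 6667, b"PRIVMSG " + b"x" * 73 + b"Exploit"),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        print(f"{name:15s} default ports -> {matching_rules(seg)}"
              f"  port 44444 -> {matching_rules(seg, range(44444, 44445))}")
```

The "from-web-port" sample shows why the rules negate source ports 21-443: the same payload coming back from a web or FTP server port is ignored, which is where most of the few false positives would otherwise come from.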
