Snort mailing list archives

Re: Best detection of Worm


From: Nick Hatch <nick () restek wwu edu>
Date: Thu, 16 Dec 2004 20:50:26 -0800

We've been using the Bleedingsnort Rxbot specific rules with great success.

I wouldn't trust using DNS specific rules -- the variants of Rxbot I've seen use a variety of DNS servers. There are some Bleedingsnort rules to watch for the "infected" reports to the botnet DNS server.

Because Rbot also attempts to infect other machines, watching for the infection attempts with generalized threshold rules is a strategy we use to track down infected machines. See the recent thread "TCP sweeps" for a discussion of some of these rules.

Hope that helps, we've been using Snort to track down Rbot for quite a while.

-Nick

Bristol, Gary L. wrote:
We seem to be seeing an infection of the WORM_RBOT.TO worm. By examination of the DNS logs, we're finding DNS lookups for the site (gz.freetypers.us) that the worm then establishes an IRC connection to. What would be the best way to detect on this, an initial on the DNS lookup and then a positive on the IRC connection?

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.TO&VSect=T
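The two-stage detection Gary asks for (a DNS lookup for the botnet host followed by an IRC connection from the same source) and the threshold-style sweep tracking Nick describes, written out as an added example in Python. This is not code from the original thread or from the Bleedingsnort rules; it runs both checks over constructed DNS/TCP log lines embedded below. The log line format, the set of IRC ports, the 300-second correlation window, the sweep threshold of 5 distinct targets in 60 seconds, and the use of port 445 as the sweep target are all assumptions for illustration, not facts from the posts.

```python
import re
from collections import defaultdict

# Assumed set of common IRC ports; the original posts do not name a port.
IRC_PORTS = {6666, 6667, 6668, 6669, 7000}

# Constructed log format (not from the thread): "<epoch> <src_ip> DNS <qname>"
# or "<epoch> <src_ip> TCP <dst_ip>:<dst_port>".
LINE_RE = re.compile(r"^(\d+) (\S+) (DNS|TCP) (\S+)$")

# Constructed sample data. 10.0.0.5 looks up the domain and opens IRC two
# seconds later; 10.0.0.7 looks it up but only talks IRC 1490 s later, which is
# outside the window; 10.0.0.9 hits five distinct hosts on 445 in four seconds;
# 10.0.0.11 hits one host on 445 three times (not a sweep).
SAMPLE_LOG = """\
1103000000 10.0.0.5 DNS gz.freetypers.us
1103000002 10.0.0.5 TCP 192.0.2.10:6667
1103000010 10.0.0.7 DNS gz.freetypers.us
1103000050 10.0.0.7 TCP 192.0.2.20:443
1103001500 10.0.0.7 TCP 192.0.2.10:6667
1103000100 10.0.0.9 TCP 10.0.0.20:445
1103000101 10.0.0.9 TCP 10.0.0.21:445
1103000102 10.0.0.9 TCP 10.0.0.22:445
1103000103 10.0.0.9 TCP 10.0.0.23:445
1103000104 10.0.0.9 TCP 10.0.0.24:445
1103000200 10.0.0.11 TCP 10.0.0.30:445
1103000201 10.0.0.11 TCP 10.0.0.30:445
1103000202 10.0.0.11 TCP 10.0.0.30:445
"""


def parse_log(text):
    """Parse log lines into time-sorted event dicts; malformed lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, src, kind, detail = m.groups()
        ev = {"ts": int(ts), "src": src, "kind": kind}
        if kind == "DNS":
            ev["qname"] = detail.lower().rstrip(".")
        else:
            dst, port = detail.rsplit(":", 1)
            ev["dst"], ev["dport"] = dst, int(port)
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def find_dns_then_irc(events, domain, window=300, irc_ports=IRC_PORTS):
    """Stage 1: remember DNS lookups for `domain` per source.
    Stage 2: alert when that source opens an IRC-port connection within `window` s.
    Returns (src, dns_ts, tcp_ts, dst, dport) tuples."""
    domain = domain.lower()
    pending = defaultdict(list)  # src -> timestamps of matching lookups
    hits = []
    for ev in events:
        if ev["kind"] == "DNS" and ev["qname"] == domain:
            pending[ev["src"]].append(ev["ts"])
        elif ev["kind"] == "TCP" and ev["dport"] in irc_ports:
            recent = [t for t in pending[ev["src"]] if ev["ts"] - t <= window]
            if recent:
                hits.append((ev["src"], recent[-1], ev["ts"], ev["dst"], ev["dport"]))
                pending[ev["src"]] = []  # one alert per lookup
    return hits


def find_sweeps(events, count=5, window=60):
    """Threshold rule: flag a source that reaches >= `count` distinct hosts on the
    same destination port within `window` seconds. Returns (src, dport, n, t0)."""
    groups = defaultdict(list)  # (src, dport) -> [(ts, dst)]
    for ev in events:
        if ev["kind"] == "TCP":
            groups[(ev["src"], ev["dport"])].append((ev["ts"], ev["dst"]))
    alerts = []
    for (src, dport), conns in groups.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            distinct = {dst for ts, dst in conns[i:] if ts - t0 <= window}
            if len(distinct) >= count:
                alerts.append((src, dport, len(distinct), t0))
                break  # one alert per (src, port) is enough to go investigate
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for h in find_dns_then_irc(evs, "gz.freetypers.us"):
        print("DNS lookup then IRC connect:", h)
    for a in find_sweeps(evs):
        print("TCP sweep:", a)
```

The DNS-then-IRC check correlates on source address and time only, because the DNS log in the question records the queried name but not the resolved address; if the resolver answer is available, matching the IRC destination against it removes most false positives. The sweep check is the generalized, name-independent signal: it keeps working when a variant switches DNS servers or C2 hosts, at the cost of needing a threshold tuned against legitimate scanners on the network.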


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
