# sid 2000345 rev 16 (current revision): fires on an established TCP session from $HOME_NET
# to $EXTERNAL_NET, client-to-server, on destination ports 6666-7000, when the payload is
# shorter than 64 bytes and begins with "NICK " (the 5-byte content must fall within depth 5,
# so it is effectively anchored at offset 0). Payloads containing "twitch.tv\r\n" anywhere are
# excluded by the negated content match. The "NICK " match is case-sensitive in this revision
# (rev 10 and earlier carried the nocase modifier); the 6666:7000 port range replaced the
# earlier 6661:6668 range in rev 15.
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET TROJAN IRC Nick change on non-standard port"; flow:to_server,established; dsize:<64; content:"NICK "; depth:5; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; classtype:trojan-activity; sid:2000345; rev:16; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:55:12 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET TROJAN IRC Nick change on non-standard port"; flow:to_server,established; dsize:<64; content:"NICK "; depth:5; content:!"twitch.tv|0d 0a|"; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; classtype:trojan-activity; sid:2000345; rev:16;)

Added 2017-04-19 17:17:06 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"ET TROJAN IRC Nick change on non-standard port"; flow:to_server,established; dsize:<64; content:"NICK "; depth:5; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; classtype:trojan-activity; sid:2000345; rev:15;)

Added 2011-10-21 14:50:54 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg:"ET ATTACK_RESPONSE IRC - Nick change on non-std port"; flow:to_server,established; dsize:<64; content:"NICK "; nocase; depth:5; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; classtype:trojan-activity; sid:2000345; rev:10;)

Added 2011-10-12 19:09:33 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg:"ET ATTACK_RESPONSE IRC - Nick change on non-std port"; flow:to_server,established; dsize:<64; content:"NICK "; nocase; depth:5; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; sid:2000345; rev:10;)

Added 2011-09-15 14:46:06 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg:"ET ATTACK_RESPONSE IRC - Nick change on non-std port"; flow:to_server,established; dsize:<64; content:"NICK "; nocase; depth:5; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; sid:2000345; rev:10;)

Added 2011-09-14 20:34:22 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg:"ET ATTACK_RESPONSE IRC - Nick change on non-std port"; flow:to_server,established; dsize:<64; content:"NICK "; nocase; depth:5; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000345; rev:10;)

Added 2011-08-09 06:32:09 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg:"ET ATTACK_RESPONSE IRC - Nick change on non-std port"; flow:to_server,established; dsize:<64; content:"NICK "; nocase; depth:5; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000345; rev:10;)

Added 2011-08-08 21:58:51 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg:"ET ATTACK_RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000345; rev:9;)

Added 2011-02-04 17:21:13 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg: "ET ATTACK_RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000345; rev:8;)

Added 2010-06-23 13:46:09 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg: "ET ATTACK_RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid:2000345; rev:8;)

Added 2010-06-23 13:46:09 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg: "ET ATTACK_RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid: 2000345; rev:8;)

Added 2010-06-15 13:15:59 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg: "ET ATTACK_RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid: 2000345; rev:8;)

Added 2010-06-15 13:15:59 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg: "ET ATTACK RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid: 2000345; rev:7;)

Added 2009-02-06 19:00:55 UTC

False positives on ustreamer, which runs IRC over port 80 as its command-and-control channel:

17:24:13.187769 IP 10.110.30.21.2724 > 216.52.240.144.80: P 2421079002:2421079023(21) ack 3473931982 win 65535
        0x0000:  4500 003d afa6 4000 7b06 5ecc 0a6e 1e15  E..=..@.{.^..n..
        0x0010:  d834 f090 0aa4 0050 904e bbda cf0f fece  .4.....P.N......
        0x0020:  5018 ffff 9736 0000 4e49 434b 2075 7374  P....6..NICK.ust
        0x0030:  7265 616d 6572 2d36 3636 360d 0a         reamer-6666..
17:24:13.188228 IP 10.110.30.21.2724 > 216.52.240.144.80: R 2421079023:2421079023(0) win 0
        0x0000:  4500 0028 02f2 0000 2f06 9796 0a6e 1e15  E..(..../....n..
        0x0010:  d834 f090 0aa4 0050 904e bbef 0000 0000  .4.....P.N......
        0x0020:  5004 0000 6766 0000 0000 0000 0000       P...gf........
17:24:19.671541 IP 10.110.30.21.2739 > 216.52.240.144.80: P 4021842901:4021842923(22) ack 3183332983 win 65535
        0x0000:  4500 003e b071 4000 7b06 5e00 0a6e 1e15  E..>.q@.{.^..n..
        0x0010:  d834 f090 0ab3 0050 efb8 73d5 bdbd ce77  .4.....P..s....w
        0x0020:  5018 ffff c23b 0000 4e49 434b 2075 7374  P....;..NICK.ust
        0x0030:  7265 616d 6572 2d36 3335 3533 0d0a       reamer-63553..
17:24:19.671782 IP 10.110.30.21.2739 > 216.52.240.144.80: R 4021842923:4021842923(0) win 0
        0x0000:  4500 0028 02f2 0000 2f06 9796 0a6e 1e15  E..(..../....n..
        0x0010:  d834 f090 0ab3 0050 efb8 73eb 0000 0000  .4.....P..s.....
        0x0020:  5004 0000 4ff1 0000 0000 0000 0000       P...O.........
17:24:26.143066 IP 10.110.30.21.2746 > 216.52.240.144.80: P 2569124906:2569124928(22) ack 438083916 win 65535
        0x0000:  4500 003e b0f4 4000 7b06 5d7d 0a6e 1e15  E..>..@.{.]}.n..
        0x0010:  d834 f090 0aba 0050 9921 bc2a 1a1c a14c  .4.....P.!.*...L
        0x0020:  5018 ffff 993c 0000 4e49 434b 2075 7374  P....<..NICK.ust
        0x0030:  7265 616d 6572 2d38 3838 3835 0d0a       reamer-88885..
17:24:26.143304 IP 10.110.30.21.2746 > 216.52.240.144.80: R 2569124928:2569124928(0) win 0
        0x0000:  4500 0028 02f2 0000 2f06 9796 0a6e 1e15  E..(..../....n..
        0x0010:  d834 f090 0aba 0050 9921 bc40 0000 0000  .4.....P.!.@....
        0x0020:  5004 0000 5e2c 0000 0000 0000 0000       P...^,........
17:24:32.610343 IP 10.110.30.21.2756 > 216.52.240.144.80: P 742167960:742167982(22) ack 3268285764 win 65535
        0x0000:  4500 003e b187 4000 7b06 5cea 0a6e 1e15  E..>..@.{.\..n..
        0x0010:  d834 f090 0ac4 0050 2c3c 9598 c2ce 1544  .4.....P,<.....D
        0x0020:  5018 ffff 11fd 0000 4e49 434b 2075 7374  P.......NICK.ust
        0x0030:  7265 616d 6572 2d37 3639 3838 0d0a       reamer-76988..
17:24:32.610629 IP 10.110.30.21.2756 > 216.52.240.144.80: R 742167982:742167982(0) win 0
        0x0000:  4500 0028 02f2 0000 2f06 9796 0a6e 1e15  E..(..../....n..
        0x0010:  d834 f090 0ac4 0050 2c3c 95ae 0000 0000  .4.....P,<......
        0x0020:  5004 0000 f199 0000 0000 0000 0000       P.............
17:24:39.085058 IP 10.110.30.21.2762 > 216.52.240.144.80: P 1580855704:1580855726(22) ack 332730429 win 65535
        0x0000:  4500 003e b1f1 4000 7b06 5c80 0a6e 1e15  E..>..@.{.\..n..
        0x0010:  d834 f090 0aca 0050 5e39 f198 13d5 103d  .4.....P^9.....=
        0x0020:  5018 ffff 4101 0000 4e49 434b 2075 7374  P...A...NICK.ust
        0x0030:  7265 616d 6572 2d38 3338 3231 0d0a       reamer-83821..
17:24:39.085291 IP 10.110.30.21.2762 > 216.52.240.144.80: R 1580855726:1580855726(0) win 0
        0x0000:  4500 0028 02f2 0000 2f06 9796 0a6e 1e15  E..(..../....n..
        0x0010:  d834 f090 0aca 0050 5e39 f1ae 0000 0000  .4.....P^9......
        0x0020:  5004 0000 6396 0000 0000 0000 0000       P...c.........
The IRC traffic looks like this:
NICK ustreamer-2642
NICK ustreamer-77262
NICK ustreamer-49669
NICK ustreamer-53855
NICK ustreamer-98129
NICK ustreamer-27076
NICK ustreamer-17804
NICK ustreamer-23501
JOIN #fuego-cruzado
 Access to this server is a privilege, not a right. We reserve
:chat04.ustream.tv 372 ustreamer-68940 :- - - the right to remove anyone from the server at any time.
:chat04.ustream.tv 372 ustreamer-68940 :- -
:chat04.ustream.tv 372 ustreamer-68940 :- - *** Chat ***
:chat04.ustream.tv 372 ustreamer-68940 :- -
:chat04.ustream.tv 372 ustreamer-68940 :- - - #Help - Official Ustream Community Help!
:chat04.ustream.tv 372 ustreamer-68940 :- -
:chat04.ustream.tv 372 ustreamer-68940 :- - - #Ustream.tv - Official Ustream Community Chat!
:chat04.ustream.tv 372 ustreamer-68940 :- -
:chat04.ustream.tv 372 ustreamer-68940 :- - - Feel free to join a room for discussion by typing: /list
:chat04.ustream.tv 372 ustreamer-68940 :- -
:chat04.ustream.tv 372 ustreamer-68940 :- - Thanks,
:chat04.ustream.tv 372 ustreamer-68940 :- - Network Staff
:chat04.ustream.tv 376 ustreamer-68940 :End of /MOTD command.
:ustreamer-68940 MODE ustreamer-68940 :+wx
:ustreamer-68940!ustreamer-@8BE4E95B.4EBE5DFE.7153C51F.IP JOIN :#fuego-cruzado
:chat04.ustream.tv 353 ustreamer-68940 = #fuego-cruzado :ustreamer-68940 ustreamer-57643 ustreamer-31232 &Ustream-Bot ustreamer-46069 ustreamer-93222 ustreamer-69998 ustreamer-17961 ustreamer-15186 ustreamer-32627 ustreamer-67822 ustreamer-38775 ustreamer-3896 ustreamer-74521 +leonmayor ustreamer-99107 ustreamer-48360 ustreamer-29782 ustreamer-2290 ustreamer-64369 ustreamer-82733 ustreamer-39719 ustreamer-421 ustreamer-49494 ustreamer-82583 ustreamer-32839
:chat04.ustream.tv 353 ustreamer-68940 = #fuego-cruzado :ustreamer-3945 ustreamer-44937 ustreamer-88480 ustreamer-61577 ustreamer-5068 ustreamer-18729 ustreamer-31924 ustreamer-65001 +miyamotosatoshi ustreamer-74561 ustreamer-10503 ustreamer-23499 ustreamer-90851 ustreamer-52346 ustreamer-70516 ustreamer-15008
:chat04.ustream.tv 366 ustreamer-68940 #fuego-cruzado :End of /NAMES list.
MODE #fuego-cruzado
NICK ustreamer-8002
NICK ustreamer-96425
NICK ustreamer-43852

-- JackPepper - 26 May 2010

That would be a true positive, not a false positive. But interesting nonetheless.

-- MattJonkman - 26 May 2010


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg: "ET ATTACK RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/ATTACK_RESPONSE/ATTACK_RESPONSE_Non-Standard_IRC; sid: 2000345; rev:7;)

Added 2009-02-06 19:00:55 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg: "ET ATTACK RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; sid: 2000345; rev:6;)

Added 2008-01-23 10:46:27 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg: "ET ATTACK RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; sid: 2000345; rev:6;)

Added 2008-01-23 10:46:27 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; sid: 2000345; rev:5; )



Topic revision: r4 - 2013-06-13 - MikeHerman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats