# ET TROJAN Blackenergy Bot Checkin to C&C — sid 2007668, rev 17 (latest revision on this page).
# Purpose: alert on an HTTP POST from an internal host ($HOME_NET) to an external server
# ($EXTERNAL_NET) whose request body has the Blackenergy check-in shape.
# Protocol keyword is `http` with destination port `any`: matching is driven by the HTTP
# app-layer parser instead of the $HTTP_PORTS list used by rev 14 and earlier, and the
# per-packet dsize:<400 limit carried by those tcp revisions is dropped.
# Conditions, all on the client->server side of an established flow:
#   - method POST (nocase) and a "Cache-Control: no-cache" header (|3a| is the ':');
#   - client body contains "id=" and "&build_id=" (fast_pattern on the latter);
#   - pcre on the body buffer (/P): id=x<1+ bytes>_<8 uppercase hex digits>&build_id=<1 byte>.
# NOTE(review): metadata created_at 2010_07_30 is later than the 2007-11-07 rev 1 entry on
# this page; presumably the date the rule entered the current ruleset — confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"id="; http_client_body; content:"&build_id="; http_client_body; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=./P"; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; classtype:trojan-activity; sid:2007668; rev:17; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:00:56 UTC


# sid 2007668 rev 14 (superseded by rev 17). Same POST / Cache-Control / id= / &build_id=
# content checks and body-buffer pcre as rev 17, but written as a tcp rule bound to
# $HTTP_PORTS with dsize:<400.
# Difference from rev 13: the pcre tail is `build_id=.` (exactly one byte after '=')
# instead of `build_id=.+`.
# NOTE(review): dsize is a per-packet payload-size test while the content checks use the
# HTTP buffers; a request whose body arrives in a larger segment would presumably not
# match — rev 17 removes dsize, which is consistent with that concern. Verify.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; dsize:<400; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"id="; http_client_body; content:"&build_id="; http_client_body; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=./P"; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; classtype:trojan-activity; sid:2007668; rev:14;)

Added 2012-06-22 00:48:41 UTC


# sid 2007668 rev 13. Adds `nocase` to the POST method match relative to rev 12; the pcre is
# still evaluated on the http_client_body buffer (/P) and keeps the `build_id=.+` tail.
# tcp / $HTTP_PORTS / dsize:<400 framing is unchanged from rev 12.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; dsize:<400; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"id="; http_client_body; content:"&build_id="; http_client_body; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/P"; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; classtype:trojan-activity; sid:2007668; rev:13;)

Added 2012-03-16 17:30:49 UTC


# sid 2007668 rev 12. First revision on this page whose pcre carries the /P flag, i.e. the
# regex is evaluated against the http_client_body buffer; rev 11 evaluated it against the
# packet payload. The method match is case-sensitive "POST" here (no nocase until rev 13).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; dsize:<400; content:"POST"; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"id="; http_client_body; content:"&build_id="; http_client_body; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/P"; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; classtype:trojan-activity; sid:2007668; rev:12;)

Added 2011-10-31 17:03:27 UTC


# sid 2007668 rev 11 (latest of three entries tagged rev:11 on this page; they differ only in
# reference order/count, so the revision number was not bumped for metadata-only edits).
# The content checks use the http_method / http_header / http_client_body modifiers, but the
# pcre has no /P flag and is therefore matched against the packet payload, not the body buffer.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; dsize:<400; content:"POST"; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"id="; http_client_body; content:"&build_id="; http_client_body; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/"; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; classtype:trojan-activity; sid:2007668; rev:11;)

Added 2011-10-12 19:23:35 UTC


# sid 2007668 rev 11, middle of the three rev:11 entries. Detection logic is identical to the
# other rev 11 entries (HTTP buffer modifiers for content, payload pcre without /P); only the
# option order differs — classtype is placed before the reference lines here.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; dsize:<400; content:"POST"; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"id="; http_client_body; content:"&build_id="; http_client_body; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; sid:2007668; rev:11;)

Added 2011-09-14 22:37:07 UTC


# sid 2007668 rev 11, earliest of the three rev:11 entries. This is the revision that moved
# from the raw-payload content anchors of rev 4 to the http_method / http_header /
# http_client_body modifiers, wrote the header colon as |3a| instead of `\:`, and added
# fast_pattern on "&build_id=". The pcre still has no /P flag (payload match).
# Carries an extra www.emergingthreats.net cvsweb reference that the later rev 11 entries drop.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; dsize:<400; content:"POST"; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"id="; http_client_body; content:"&build_id="; http_client_body; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blackenergy; sid:2007668; rev:11;)

Added 2011-02-04 17:26:47 UTC


# sid 2007668 rev 4. Raw-payload form of the rule (no HTTP buffer modifiers):
#   - "POST " with depth:5 anchors the method to the first five payload bytes;
#   - |0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|id= requires "Cache-Control: no-cache" to be
#     the final header (CRLF CRLF follows it) and the body to begin with "id=";
#     the colon is escaped as `\:` here, later revisions write it as |3a|;
#   - "&build_id=" with distance:5 must start at least 5 bytes after the previous match ends;
#   - the pcre is matched against the payload (no /P flag).
# dsize:<400 limits matching to small packets. Relative to rev 3 this adds the
# doc.emergingthreats.net and cvsweb references.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; content:"POST "; depth:5; dsize:<400; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|id="; content:"&build_id="; distance:5; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blackenergy; sid:2007668; rev:4;)

Added 2009-02-12 18:21:14 UTC


# sid 2007668 rev 4 — duplicate listing (text identical to the rev 4 entry above, same
# "Added" timestamp). Raw-payload matching: "POST " anchored by depth:5, the
# CRLF Cache-Control\: no-cache CRLF CRLF id= sequence placing "id=" at the start of the
# body, "&build_id=" at distance:5 from it, and a payload pcre without /P; dsize:<400.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; content:"POST "; depth:5; dsize:<400; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|id="; content:"&build_id="; distance:5; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blackenergy; sid:2007668; rev:4;)

Added 2009-02-12 18:21:14 UTC


# sid 2007668 rev 3. Same raw-payload checks as rev 4 ("POST " at depth:5, the
# CRLF Cache-Control\: no-cache CRLF CRLF id= header/body anchor, "&build_id=" at distance:5,
# payload pcre, dsize:<400). Differences from rev 2: the msg prefix changes from
# "BLEEDING-EDGE TROJAN" to "ET TROJAN"; only the Arbor Networks reference is present.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; content:"POST "; depth:5; dsize:<400; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|id="; content:"&build_id="; distance:5; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; sid:2007668; rev:3;)

Added 2008-01-31 10:12:22 UTC


# sid 2007668 rev 3 — duplicate listing (text identical to the rev 3 entry above, same
# "Added" timestamp). Raw-payload rule: "POST " anchored by depth:5, Cache-Control: no-cache
# as the last header with "id=" opening the body, "&build_id=" at distance:5, payload pcre
# without /P, dsize:<400; single Arbor Networks reference.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; content:"POST "; depth:5; dsize:<400; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|id="; content:"&build_id="; distance:5; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; sid:2007668; rev:3;)

Added 2008-01-31 10:12:22 UTC


# sid 2007668 rev 2, still under the "BLEEDING-EDGE TROJAN" msg prefix.
# Changes from rev 1: the anchor after the Cache-Control header becomes |0d 0a 0d 0a| (the
# blank line that ends the headers), so "id=" must be the first bytes of the body rather than
# following a single CRLF; dsize is raised from <300 to <400.
# Otherwise: "POST " at depth:5, "&build_id=" at distance:5, payload pcre without /P.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; content:"POST "; depth:5; dsize:<400; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|id="; content:"&build_id="; distance:5; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; sid:2007668; rev:2;)

Added 2007-11-12 05:01:15 UTC


# sid 2007668 rev 2 — duplicate listing (text identical to the rev 2 entry above, same
# "Added" timestamp). "BLEEDING-EDGE TROJAN" msg prefix; raw-payload anchors: "POST " at
# depth:5, CRLF Cache-Control\: no-cache CRLF CRLF id= (header end immediately followed by
# "id="), "&build_id=" at distance:5, payload pcre without /P, dsize:<400.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; content:"POST "; depth:5; dsize:<400; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|id="; content:"&build_id="; distance:5; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; sid:2007668; rev:2;)

Added 2007-11-12 05:01:15 UTC


# sid 2007668 rev 1 — initial version (2007-11-07), "BLEEDING-EDGE TROJAN" msg prefix.
# Raw-payload anchors: "POST " in the first five bytes (depth:5), then
# |0d 0a|Cache-Control\: no-cache|0d 0a|id= — only a single CRLF between the header value and
# "id=", i.e. no blank line marking the end of the headers; rev 2 changes this to
# |0d 0a 0d 0a| and raises dsize from <300 to <400.
# "&build_id=" must start at least 5 bytes after the previous match (distance:5); the pcre
# (no /P) is matched against the payload.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; content:"POST "; depth:5; dsize:<300; content:"|0d 0a|Cache-Control\: no-cache|0d 0a|id="; content:"&build_id="; distance:5; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; sid:2007668; rev:1;)

Added 2007-11-07 00:46:20 UTC

Jose Nazario, the resident genius at Arbor Networks, has a very well done writeup for the Blackenergy bots.

http://asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available/

This is a tough one to write a signature for while keeping the load down, so please report issues and false positives.

-- MattJonkman - 07 Nov 2007


Topic revision: r2 - 2007-11-07 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats