
Re: Sig on psyBNC IRCproxy: msg#00124

security.ids.snort.bleedingsnort

Subject: Re: Sig on psyBNC IRCproxy

Hey Reg, thanks for sending these over. There's one psybnc sig I'm aware
of in the snort gpl ruleset:

info.rules:alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO
psyBNC access"; flow:from_server,established;
content:"Welcome!psyBNC-e/Fy7hhKugOzQB+pC5nmwQ@xxxxxxxxxxxxxxxx";
classtype:bad-unknown; sid:493; rev:5;)

It sucks though. It's probably disabled in every install on the planet.
Yours are better. Let me digest them and post with references and such.

You happen to have a pcap?

I think we can probably go with high ports (>1024) for a dest.

Do the regular IRC on off ports sigs hit on these? Seems like they
would. I may be able to add these after those flowbits are set to
control load.

Matt

Reg Quinton wrote:
> Matt, we occasionally get compromises (often dumb passwords) where the
> attacker installs the psyBNC IRC proxy -- often connected to undernet.
> It's apparently pretty standard fare in the hacker community and a
> method for the bad guys to communicate but hide their location. The
> proxies we've seen have a welcome banner like this:
>
> :Welcome!psyBNC-e/Fy7hhKugOzQB+pC5nmwQ@xxxxxxxxxxxxxxxx NOTICE * :psyBNC2.3.1
>
> We have a couple of sigs we use to detect that. You might want to
> include one, both, or perhaps some variation of your choosing:
>
> # Watch for psyBNC servers
>
> alert tcp $HOME_NET any -> any any (msg:"BLEEDING-UW Suspicious Welcome Banner on Local Port"; flow:from_server,established; content:"\:Welcome!"; offset:0; depth:9; tag:session, 20, packets; classtype:non-standard-protocol; sid:99990017;)
>
> # Watch for lam3rz.de servers
>
> alert tcp $HOME_NET any -> any any (msg:"BLEEDING-UW lam3rze Banner on Local Port"; flow:from_server,established; content:"lam3rz"; offset:0; depth:80; tag:session, 20, packets; classtype:non-standard-protocol; sid:99990023; rev:2;)
>
> I suspect that the "lam3rz" tag is just one gang of bad guys (or perhaps
> a reference to the lame security where user "test" has password "test"). I
> think the "Welcome" and "psyBNC" strings in the banner are enough.
>
> For a reference we point people to this local document
>
> http://ist.uwaterloo.ca/security/vulnerable/20050705.shtml
>
> But you might reference any of these instead (a quick google finds many,
> it's really old news but still happens):
>
> http://www.honeynet.org/papers/phishing/details/de-detailed.html
> http://www.infosecwriters.com/texts.php?op=display&id=84
> http://www.ufsdump.org/labs/unix-forensics.html
> http://ieeexplore.ieee.org/iel5/8013/27717/01236244.pdf?arnumber=1236244

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
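The following is an added example, not code from this thread, from Bleeding Edge Threats or from the Snort ruleset: a small Python re-implementation of Snort's content/offset/depth matching, run over constructed server-to-client payloads so you can see which of the quoted banner rules fires on what, why the offset:0/depth:9 ":Welcome!" check does not trip on a ":Welcome!" that appears later in a line, and why a host-specific content string like the one in sid:493 only fires on the one host it was written for. It also sketches Matt's load-control idea of evaluating the banner check only on flows an earlier IRC rule has already flagged. The hostnames, the made-up psyBNC ident strings, the flowbit name "is_proto.irc" and the host part of the sid:493 content are assumptions (the archive masks the real host).

```python
"""Re-implementation of the Snort content/offset/depth checks used by the
banner rules in the thread, run over constructed payloads.  Added example,
not code from the thread, Bleeding Edge Threats or Snort.  Hostnames, ident
strings, the flowbit name and the host part of the sid:493 content are
assumptions: the archive masks the real host."""

from typing import NamedTuple, Optional


class Rule(NamedTuple):
    msg: str
    content: bytes
    offset: int = 0
    depth: Optional[int] = None             # None: search the whole payload
    requires_flowbit: Optional[str] = None  # gate on a flowbit set earlier in the flow


# Rules from the thread (offset/depth copied as posted) plus a sid:493-style
# host-specific match.  "bnc.example.net" and "is_proto.irc" are assumed.
RULES = [
    Rule("INFO psyBNC access (sid 493 style, host assumed)",
         b"Welcome!psyBNC-e/Fy7hhKugOzQB+pC5nmwQ@bnc.example.net"),
    Rule("BLEEDING-UW Suspicious Welcome Banner on Local Port",
         b":Welcome!", offset=0, depth=9),
    Rule("BLEEDING-UW lam3rz Banner on Local Port",
         b"lam3rz", offset=0, depth=80),
    # Matt's load-control idea: same banner check, but only evaluated on flows
    # that an IRC-on-off-port rule already flagged with a flowbit.
    Rule("psyBNC banner on flagged IRC flow",
         b":Welcome!psyBNC-", offset=0, depth=16, requires_flowbit="is_proto.irc"),
]


def content_match(payload: bytes, content: bytes, offset: int = 0,
                  depth: Optional[int] = None) -> bool:
    """Snort 2 semantics: look for `content` beginning at `offset` and examine
    at most `depth` bytes from there, so the match has to end by offset+depth."""
    if offset >= len(payload):
        return False
    end = len(payload) if depth is None else min(len(payload), offset + depth)
    return content in payload[offset:end]


def fired_rules(payload: bytes, flowbits: frozenset = frozenset()) -> list:
    """Return the msg of every rule that fires on one server->client payload.
    `flowbits` stands in for the per-flow state Snort carries between packets."""
    hits = []
    for r in RULES:
        if r.requires_flowbit and r.requires_flowbit not in flowbits:
            continue
        if content_match(payload, r.content, r.offset, r.depth):
            hits.append(r.msg)
    return hits


# Constructed sample payloads (not captures from the thread); idents are made up.
PSYBNC_SAME_HOST = (b":Welcome!psyBNC-e/Fy7hhKugOzQB+pC5nmwQ@bnc.example.net"
                    b" NOTICE * :psyBNC2.3.1\r\n")
PSYBNC_OTHER_HOST = (b":Welcome!psyBNC-AbCdEfGhIjKlMnOpQrStUvWx@other.example.org"
                     b" NOTICE * :psyBNC2.3.1\r\n")
LAM3RZ_HOST = (b":Welcome!psyBNC-AbCdEfGhIjKlMnOpQrStUvWx@lam3rz.de"
               b" NOTICE * :psyBNC2.3.1\r\n")
PLAIN_IRCD = b":irc.example.net NOTICE AUTH :*** Looking up your hostname...\r\n"
LATE_WELCOME = b":irc.example.net NOTICE * :Welcome! Please register.\r\n"


if __name__ == "__main__":
    for name, p in [("psyBNC, same host", PSYBNC_SAME_HOST),
                    ("psyBNC, other host", PSYBNC_OTHER_HOST),
                    ("psyBNC on lam3rz.de", LAM3RZ_HOST),
                    ("plain ircd", PLAIN_IRCD),
                    ("Welcome! not at offset 0", LATE_WELCOME)]:
        print(f"{name}: {fired_rules(p)}")
    print("flagged flow:", fired_rules(PSYBNC_OTHER_HOST, frozenset({"is_proto.irc"})))
```

Running it shows the point Matt makes about sid:493: the host-specific content fires only on the one banner whose host matches, while Reg's offset:0/depth:9 ":Welcome!" check fires on every psyBNC banner regardless of host, and the depth limit keeps it from firing on an ordinary ircd NOTICE that happens to contain ":Welcome!" further along the line. The gated rule fires only when the flow carries the assumed flowbit, which is what limits the load when the check is attached behind the IRC-on-off-ports signatures.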
