"ET TROJAN IRC potential reptile commands"

SID: 2002363

Revision: 15

Class Type: trojan-activity

Metadata: created_at 2010_07_30, updated_at 2011_10_21

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: any

Destination Network: $HOME_NET

Destination Port: any

Flow: established,from_server

Contents:

  • Value: "PRIVMSG|20|" Depth: 8

  • Value: "|3a|" Within: 30

PCRE: "/.((testdlls|threads|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|currentip)\s[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\dx|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s[\n\r])/i"

Special Options:
