Tag Archives: Botnet

SUC019 : Suspicious Inbound AlphaServer UA

29/09/2010Opportunists, Use CasesBotnet, Spamwow

Use Case Reference : SUC019
Use Case Title : Suspicious Inbound AlphaServer UA
Use Case Detection : IDS / HTTP logs
Attacker Class : Opportunists / Targeting Opportunists
Attack Sophistication : Unsophisticated / Low
Identified tool(s) : Unknown
Source IP(s) : Random
Source Countries : Random
Source Port(s) : Random
Destination Port(s) : 80/TCP, 443/TCP

Possible(s) correlation(s) :

Web forums spam bot.

Source(s) :

Emerging Threats 2011517
Emerging Threats 2011518
Wikipedia Alphaserver
User-Agent Strings – MS IE – Full

Emerging Threats has release a two new SIGs 2011517“ET USER_AGENTS Suspicious Inbound AlphaServer UA” and 2011518“ET USER_AGENTS Suspicious Outbound AlphaServer UA” since 17 September 2010. These two new SIGs are focusing on suspicious user agents how shouldn’t being used by valid browsers today.

Emerging Threats SIG 2011517 create an alert if the user agent containing the string “Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)” is detected in an inbound destination of HTTP, or HTTPS. An alert will be sent on each occurrences.

Emerging Threats SIG 2011518 create an alert if the user agent containing the string “Mozilla/4.0 (compatible; MSIE 4.01; Digital AlphaServer 1000A 4/233; Windows NT; Powered By 64-Bit Alpha Processor)” is detected in an outbound destination of HTTP, or HTTPS. An alert will be sent on each occurrences.

The sources are focusing web forums, doing registration and thread post attempt in short interval of time, this time interval is not humanly possible, it is clearly a bot.

Example :

74.118.193.13 – United States – 18 events in 20 seconds.

GET /forum/ HTTP/1.0
GET /forum/index.php HTTP/1.0
GET /forum/index.php?act=Reg&CODE=00&coppa_pass=1 HTTP/1.0
POST /forum/index.php?act=Reg&coppa_user=&termsread=1&coppa_pass=1 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
Members Display Name : Andreww3
PassWord : AEpRfH9415
PassWord Check: AEpRfH9415
Email Address : [email protected]
Email Address two : [email protected]
GET /forum/index.php?act=Login&CODE=00 HTTP/1.0
POST /forum/index.php?act=Login&CODE=01 HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?showforum=34 HTTP/1.0
GET /forum/index.php?act=post&do=new_post&f=34 HTTP/1.0
GET /forum/index.php?showforum=7 HTTP/1.0
GET /forum/index.php?showforum=7 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?act=post&do=new_post&f=34 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?showforum=19 HTTP/1.0
GET /forum/index.php?act=post&do=new_post&f=19 HTTP/1.0
POST /forum/index.php HTTP/1.0
UserName : Andreww3
PassWord : AEpRfH9415
GET /forum/index.php?act=post&do=new_post&f=34 HTTP/1.0

AlphaServer UA SIG 2011517 1 Week events activities

AlphaServer UA SIG 2011517 1 month events activities

1 Month TOP 10 source IPs for SIG 2011517

Webs.com Botnet Activities

07/09/2010Security visualization, VariousBotnetwow

Webs.com is a Web hoster how permit his users to create a personal, group, or small business website for free. Webs.com is also providing a free subdomain for each created account (ex : http://yourname.webs.com).

Since the start of our HoneyNet in February 2009 we have directly observe that some malware’s where located on Webs.com how participate actively to a bonnet construction and propagation.

Webs.com server, how is hosting the malware’s, has the IP 216.52.115.50. Since February 2009 to end August 2010, Webs.com botnet is composed of few different malware hoisters, has generate 2 978 events and 70 attackers have call the botnet files located on the hoster servers.

US, Germany and Colombia are the countries how are the most participating to the botnet activity in term of events. US and China are the countries how are hosting part of the botnet since more than 100 days.

August 2010 was the more active month in term of events, March 2010 the month with the most distinct attackers. February and April 2010 the months with the most detected hosters.

Since Jun 2010 we can see that the activity of the botnet is increasing drastically.

Interesting point the Webs.com, FileAve.com, the Kortech.cn and the Interfree.it botnets are linked together between some few hosters. Just check the available Afterglow visualization of the interaction between the botnets.

I have generate some stats and graphs, with all the associated raw datas, how are available here.

e107 RCE EDB-ID 12715 under monitoring

23/08/2010Security visualization, VariousBotnet, e107wow

Previously I wrote a blog post about the ByroeNet/Casper-Like bot scanners, and relate that the most important evolution of these scanners where the integration of e107 RCE (EDB-ID : 12715) and LFI vulnerabilities exploitations. I created a rule to monitor precisely the activity of theses e107 dedicated exploitations.

Here under you can find real time graphs for the e107 RCE vulnerability.

Montly TOP 10 Source IPs for rule 1010043

MaMa / Casper / plaNETWORK / sun4u Bot Search scanners under monitoring

05/08/2010Security visualization, VariousBotnetwow

Previously I wrote a blog post about the ByroeNet/Casper-Like bot scanners, and adapted some ET rules in order to detect these bots activities.

The 1010041 rule focus on all “MaMa” scanners (MaMa CaSpEr, MaMa CyBer, MaMa ebes, etc.), the 1010040 rule focus on all “Bot Search” scanners (b3b4s, Casper, dex, Jcomers, kmccrew, plaNETWORK, sasqia, sledink, etc.) and the ET 2011244 rule focus on all “sun4u” scanners (Mozilla/4.76 [ru] (X11; U; SunOS 5.7 sun4u), etc.).

Until first August the rules where under testing, so the previous values are incorrect.

Here under you can find real time graphs for the 3 different rules.