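# BOTNET-CLUSTER-PATTERNS.RC
#
# Current patterns.
#
# Updated and verified 7/12/2011
#
# Each recipe below recognises one "stigma" of botnet-originated spam and,
# when it matches, records a log tag in SBLOG (via loglevel.rc) and adds 2
# to LOCALSCORE.  Every variable other than the ones set here (TESTNAME,
# SBDIR, LOCALSCORE, GREP, TEST, MYEMAIL, FROMEMAIL) is expected to be set
# by the including rcfile.

# Abused Botnet Spam Source IPs
#
# 9/09/2010:
# Hotmail is currently the source of an abnormal amount of *messy* botnet spam.
#
# Scoring: start at -1, add 2 if any header line carries an address in
# 64.4.x.x or 65.52-55.x.x, so the recipe fires only on a header hit.
# Each octet is matched loosely (any 1-3 digits, not limited to 0-255);
# the (^|[^0-9a-z]) / ([^0-9a-z]|$) guards keep the match from landing
# inside a longer number or token.
:0
* -1^0
* H ?? 2^0 (^|[^0-9a-z])(64\.4\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|\
 65\.5[2-5]\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?)([^0-9a-z]|$)
{
  SBLOG="C3T-${TESTNAME}/Botnet Stigmata (Header Contains Commonly Abused IP)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # Add 2 to the running score ($= holds this inner recipe's total).
  :0
  * $ ${LOCALSCORE}^0
  * 2^0
  { LOCALSCORE=$= }
}

# Victim Address forged in From Header
#
# 9/13/2010:
# One botnet Pharma spammer in particular does this constantly.
#
# MYEMAIL is a file listing the recipient's own addresses; the recipe is
# skipped entirely when that file is absent.  FROMEMAIL is set outside this
# file and presumably holds the address taken from the message's From
# header -- confirm against the rcfile that sets it.
:0
* ? ${TEST} -f ${MYEMAIL}
{
  # FROMEMAIL originates in the message, so it is untrusted input.
  # -F makes grep compare it as a fixed string rather than a regular
  # expression (a '.' in the address would otherwise match any character,
  # and stray metacharacters could make grep fail), and -e stops a value
  # beginning with '-' from being parsed as an option.  Both flags are
  # POSIX.  NOTE(review): if procmail expands the variable before the shell
  # sees the line, the surrounding double quotes alone do not protect
  # against a value containing '"' -- verify how FROMEMAIL is sanitised
  # where it is extracted.
  :0
  * ! FROMEMAIL ?? ^noemail@example.com$
  * ? ${GREP} -i -x -F -e "${FROMEMAIL}" ${MYEMAIL}
  {
    SBLOG="C3T-${TESTNAME}/Botnet Stigmata (From Spam Victim Address)"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    # Add 2 to the running score ($= holds this inner recipe's total).
    :0
    * $ ${LOCALSCORE}^0
    * 2^0
    { LOCALSCORE=$= }
  }
}

# Very short email with URI containing domain in abused TLD
#
# 9/13/2010:
# Lots of very short botnet spam emails with botnet-abused TLDs in them.
#
# Conditions, in order:
#   1. the body does NOT span roughly six or more lines ('$' matches a
#      line break in procmail regexps);
#   2. the abused-TLD URI is NOT followed later in the body by another
#      http(s) URI with a 2-6 letter TLD;
#   3. the body contains an http(s) URI whose domain ends in cx, in, info
#      or ru.
# The label separator alternation (�|\.|[=%]2E) accepts a literal dot or
# its %2E / =2E (URL / quoted-printable) encodings.  NOTE(review): its
# first alternative is a mis-encoded character in this copy (U+FFFD); the
# original byte(s) could not be recovered here -- confirm against the
# upstream file before relying on that alternative.
:0
* ! B ?? ^.*$.*$.*$.*$.*$.*$
* ! B ?? (^|[^0-9a-z])https?://([0-9a-z][-_0-9a-z]*(�|\.|[=%]2E))+(cx|in|info|ru)(.*$)*.*\
 https?://([0-9a-z][-_0-9a-z]*(�|\.|[=%]2E))+[a-z][a-z][a-z]?[a-z]?[a-z]?[a-z]?([^0-9a-z]|$)
* B ?? (^|[^0-9a-z])https?://([0-9a-z][-_0-9a-z]*(�|\.|[=%]2E))+(cx|in|info|ru)([^0-9a-z]|$)
{
  SBLOG="C3T-${TESTNAME}/Botnet Stigmata (Short email, URI domain in Abused TLD)"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  # Add 2 to the running score ($= holds this inner recipe's total).
  :0
  * $ ${LOCALSCORE}^0
  * 2^0
  { LOCALSCORE=$= }
}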