Sonicwall Signatures



Category: BACKDOOR

Backdoor Category Description

This SonicWALL IPS signature category consists of a group of signatures that can detect and prevent traffic related to backdoor Trojans and worms on a network. Many Trojans and worms, once they compromise a system, can open a backdoor to a computer by forcing it to listen on a particular port for commands that the attacker can send remotely. Attackers can use backdoors to take control of a computer, doing everything from causing the computer to download and execute additional malware, to relaying spam, to opening and closing its CD-ROM drive repeatedly. A backdoor connection on a network is extremely damaging and can slow down network traffic, result in the compromise of important data, and make computers unusable. A backdoor connection is always a serious threat and should be investigated immediately.

Signatures in this category detect traffic once a Trojan or worm has been installed on a compromised network computer, often called a bot or zombie. Detected traffic includes both inbound commands and outbound responses to and from infected computers, as well as communication across infected computers that may indicate that one infected machine is attempting to transmit its infection to other computers on the network. While these signatures can block such traffic and make a bot on a network largely useless for attackers, administrators should follow up by checking the computers involved for infection. Often the traffic detected will come from a rootkit, which can run in kernel mode and hide its presence from all but the best antivirus scanners. Although false positives may be possible, administrators should perform thorough checks on computers involved with backdoor traffic and consider reformatting them.

SonicWALL backdoor signatures are categorized from medium to high priority and should be kept enabled for prevention. Because this particular set of signatures is largely retroactive, administrators should use these in conjunction with SonicWALL Gateway AntiVirus signatures as well as other SonicWALL IPS signatures to close vulnerabilities that can allow Trojans and worms onto the network in the first place. Using all parts of a unified threat detection system can provide administrators with the appropriate tools to prevent, contain, and respond to serious attacks.

  SessionManager Cookie Header IOC
  Zeus C&C IOC 2
  Zeus C&C IOC 1
  C99 Web Shell Remote Login 1
  C99 Web Shell Remote Login 2
  R57 Web Shell Remote Login
  B374k Web Shell Remote Login
  Windows x86 Download Execute Shellcode IOC (TCP)
  Pandemiya.A C&C IOC 1
  Advanced Persistent Threat C&C IOC 16
  Advanced Persistent Threat C&C IOC 17
  Advanced Persistent Threat C&C IOC 22
  Advanced Persistent Threat C&C IOC 23
  Advanced Persistent Threat C&C IOC 25
  Nimda IOC
  Sasser IOC
  CodeRed v2 IOC
  Kryptik.LOG IOC
  Conficker IOC 1
  Conficker IOC 2
  Zeus IOC
  Gozi IOC 1
  Gozi IOC 2
  Gozi IOC 3
  Rovnix IOC
  Redleaves IOC 1
  Redleaves IOC 2
  Volgmer IOC
  APT Hidden Cobra C&C IOC
  Compromised Host Backdoor Traffic 7
  Cridex C&C IOC 2
  Quevar C&C IOC 1
  x86 Decoder Shellcode IOC (UDP) 1
  x86 Decoder Shellcode IOC (UDP) 2
  Windows x86 Bind Shell Shellcode IOC (TCP)
  HP Operations Manager Server Backdoor Account Login
  IBM Cognos Server Backdoor Account Login 1
  Cisco IOS XE Backdoor Access 2
  Cisco IOS XE Backdoor Access 3
  IBM Rational QM/TLM Backdoor Account Login
  HP SiteScope Administration Interface Backdoor Account Login
  Advanced Persistent Threat C&C IOC 30
  IBM Cognos Server Backdoor Account Login 2
  Tatanga Banking Trojan IOC
  v0pCr3w Remote Command Execution
  Ra1NX Remote Command Execution
  Cutwail IOC 1
  Traffic Distribution System (TDS) IOC 1
  Traffic Distribution System (TDS) IOC 2
  Traffic Distribution System (TDS) IOC 3
  WSO Web Shell Remote Login
  FireEye BEACON CSBundle USAToday Server IOC
  FireEye RUBEUS Process IOC
  FireEye GORAT Build ID IOC
  FireEye BEACON CSBundle Original Stager IOC
  SolarWinds Supply Chain Malware IOC 1
  SolarWinds Supply Chain Malware IOC 2
  SolarWinds Supply Chain Malware IOC 3
  SolarWinds Supply Chain Malware IOC 4
  SolarWinds Supply Chain Malware IOC 5
  SolarWinds Supply Chain Malware IOC 6
  SolarWinds Supply Chain Malware IOC 7
  SolarWinds Supply Chain Malware IOC 8
  SolarWinds Supply Chain Malware IOC 9
  SolarWinds Supply Chain Malware IOC 10
  SolarWinds Supply Chain Malware IOC 11
  SolarWinds Supply Chain Malware IOC 12
  SolarWinds Supply Chain Malware IOC 13
  SolarWinds Supply Chain Malware IOC 14
  SolarWinds Supply Chain Malware IOC 15
  SolarWinds Supply Chain Malware IOC 16
  SolarWinds Supply Chain Malware IOC 17
  SolarWinds Supply Chain Malware IOC 18
  SolarWinds Supply Chain Malware IOC 19
  SolarWinds Supply Chain Malware IOC 20
  Mitel MiVoice Connect RCE IOC 1
  Mitel MiVoice Connect RCE IOC 2
  3CXDesktopApp DLL Sideloading IOC
  NetScaler ADC/Gateway Backdoor Access
  MinIO Backdoor Access
  IRC Backdoor IOC
  UnrealIRCd Backdoor IOC
  FinFisher IOC (Client)
  FinFisher IOC (Server)
  Compromised Host Backdoor Traffic 1
  Q Backdoor IOC (ICMP)
  Back Orifice Remote Login 1
  FireEye RUBEUS nonce 2 IOC TCP
  FireEye RUBEUS nonce 2 IOC UDP
  zerodium Backdoor IOC
  ProFTPD Server Backdoor Account Login
  Compromised Host Backdoor Traffic 4
  Apache Axis2 Backdoor Account Login 1
  HP OpenView Performance Insight Server Backdoor Account Login
  Night Dragon C&C IOC
  Apache Axis2 Backdoor Account Login 1 -c2
  vsftpd Backdoor Account Login
  Ramnit C&C IOC
  Back Orifice Remote Login 3
  MyBB Backdoor IOC
  ZeroAccess IOC
  ngrBot IOC
  Horde Groupware Backdoor IOC
  Weevely Backdoor IOC 1
  Weevely Backdoor IOC 2
  Weevely Backdoor IOC 3
  Weevely Backdoor IOC 4
  Weevely Backdoor IOC 5
  Cutwail IOC 2
  Cisco IOS XE Backdoor Access
  Ivanti Connect Secure Backdoor LIGHTWIRE Webshell Activity
  Ivanti Connect Secure Backdoor CHAINLINE Webshell Activity
  Ivanti Connect Secure Backdoor FRAMESTING Webshell Activity
  Ivanti Connect Secure Backdoor WIREFIRE Webshell Command Activity
  Ivanti Connect Secure Backdoor LIGHTWIRE File Upload Activity
  Alvgus Trojan IOC
  Back Orifice Remote Login 2
  Compromised Host Backdoor Traffic 5
  Compromised Host Backdoor Traffic 6
  Compromised Host Backdoor Traffic 2
  Hupigon Trojan IOC
  IRCBot Trojan IOC
  Downloader Trojan IOC
  Downloader Win32 Tibs Trojan IOC
  Compromised Host Backdoor Traffic 3
  Medbod Trojan IOC
  Arsinfoder Trojan IOC
  Gh0st Trojan IOC
  Cutwail Trojan IOC
  Bugat Trojan IOC 2
