TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94

Intentionz Administrator (C.I.A.). Backdoor Cruel Intentionz Administrator (C.I.A) 1.1 is a family of backdoor
programs, generated by the C.I.A. development kit, that affects the Microsoft Windows family of operating systems. The
backdoor toolkit is written in Visual Basic and can be compiled as a PE/COFF executable file. The backdoor may
also be packed with the UPX tool. These backdoors use a client/server relationship, where the server component is
installed on the victim's system and the remote attacker controls the client. The server attempts to open a port,
typically TCP port 5888, to allow the client system to connect. Subsequent sessions are allocated new port numbers,
incremented by 1000 each time (for example, 6888, then 7888, and so on). Once installed on a system, the backdoor
permits the remote attacker to take complete control of the victim host. Administrators are advised to monitor traffic on
ports 5888, 6888 and 7888 from external users.
Signature ID: 3231
Backdoor CIA 1.22b
Threat Level: Critical
Signature Description: Backdoor Cruel Intentionz Administrator (C.I.A) 1.22b is a backdoor program that affects the
Microsoft Windows operating system. The backdoor uses a client/server relationship, where the server component is
installed on the victim's system and the remote attacker controls the client. The server attempts to open a port,
typically TCP port 5222, to allow the client system to connect. Subsequent sessions are allocated new port numbers,
incremented by 1000 each time (for example, 6222, then 7222, and so on). Once installed on a system, the backdoor
permits the remote attacker to take complete control of the victim host. Administrators are advised to close ports 5222,
6222 and 7222 to external users. This rule drops the session when a packet contains the pattern 'CIA v1.22b'.
Signature ID: 3232
Backdoor Cyn 2.1
Threat Level: Critical
Signature Description: Backdoor Cyn 2.1 is a backdoor program that affects the Microsoft Windows operating system.
The backdoor uses a client/server relationship, where the server component is installed on the victim's system and the
remote attacker controls the client. The server attempts to open a port, typically TCP port 15432, to allow the
client system to connect. Once installed on a system, the backdoor permits the remote attacker to take complete control
of the victim host. Administrators are advised to close port 15432 to external users.
Signature ID: 3233
Backdoor Doly 1.6
Threat Level: Critical
Signature Description: Backdoor Doly 1.6 is a backdoor program that affects the Microsoft Windows operating system.
The backdoor uses a client/server relationship, where the server component is installed on the victim's system and the
remote attacker controls the client. The server attempts to open a port, typically TCP port 1016, to allow the client
system to connect. Once installed on a system, the backdoor permits the remote attacker to take complete control of the
victim host, log keystrokes, capture screen images, and shut down or restart the computer. Administrators are advised to
close port 1016 to external users.
Signature ID: 3234
Backdoor Forced Entry 1.1
Threat Level: Critical
Signature Description: Backdoor Forced Entry 1.1 is a backdoor program that affects the Microsoft Windows operating
system. The backdoor uses a client/server relationship, where the server component is installed on the victim's system
and the remote attacker controls the client. The server attempts to open a port, typically TCP port 9999, to allow
the client system to connect. Once installed on a system, the backdoor permits unauthorized users to remotely perform a
variety of operations, such as changing the registry, executing commands, starting services, listing files, and
uploading or downloading files. Administrators are advised to close port 9999 to external users.