Snort mailing list archives
Re: Deloder worm
From: Bill McCarty <bmccarty () apu edu>
Date: Wed, 12 Mar 2003 21:14:14 -0800
--On Wednesday, March 12, 2003 1:04 AM -0500 Kevin Pietersma <kev () attcanada net> wrote:
Found one through Symantec Security Response site
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.deloder.html

alert tcp any any -> any any (msg:"W32.HLLW.Deloder infection"; content: "|59 49 39 E0 C3 1D D3 4D D8 F2 61 73 73 6B 47 69 DA B5 BC 05 3A F0 E4 C7 98 76 CB B4 37 A4 39 4A|";)
Here's another:

alert tcp $EXTERNAL_NET any <> $HOME_NET 445 (msg:"SMB Negotiate Protocol Process ID 65279"; content:"|00 00 00 85 ff 53 4d 42 72 00 00 00 00 18 53 c8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff fe|"; offset:0; depth:0;)

This rule operates by recognizing:

* the NetBIOS session message length: 00 00 00 85
* the CIFS header: ff 53 4d 42
* the SMB command (Negotiate Protocol): 72
* the status flag: 00 00 00 00
* the SMB flags: 18 53 c8
* the SMB reserved value: 00 00 00 00 00 00 00 00 00 00 00 00
* the SMB tree ID: 00 00
* the SMB Process ID: ff fe

Based on datagrams I've seen, the worm always uses an SMB Process ID value of 0xfffe. Occasional false positives are possible when the SMB Process ID takes on the value 0xfffe by chance. However, it's likely that the values of the other fields would prevent a complete match; therefore, no false alert seems likely.

Improvements or counterexamples would be most welcome!

Cheers,

---------------------------------------------------
Bill McCarty