Snort mailing list archives

any details/sigs for "Magic Lantern"?


From: "Travis Farmer" <travis57 () megalink net>
Date: Mon, 17 Mar 2003 12:55:32 -0500

I may just be paranoid, but has anybody found communication to/from magic
lantern, at least enough to build a signature on?

The most I got was that it connects to FedWU.windowsupdate.com, and an IP
lookup brings up 207.46.131.197.

Assuming all magic lantern data is transferred to and from that address, how
would I go about constructing a rule to detect it?
I have entered the following rules into my virus.rules file, mainly for
research to see if anything is transferred.

alert tcp any any -> 207.46.131.197 any (msg:"Virus - Magic Lantern"; sid:1000001; classtype:misc-activity;)
alert tcp 207.46.131.197 any -> any any (msg:"Virus - Magic Lantern"; sid:1000002; classtype:misc-activity;)

There is no content as I wanted to catch all data to this fedwu server.
Unfortunately, even when I deliberately point a browser to that address
(Netscape, so no embedded ActiveX components can install anything), no alert
is generated. Is the content field required, and if so, would a value of ""
work?

The fact that there is a fedwu server suggests that magic lantern is real. I
just would like to catch it so I can make an attempt to block it.

Thanks in advance.

~Travis
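As an added illustration, not code from the post or from Snort itself, the following Python model parses the two rules above and evaluates them against constructed packets. It shows that a rule with no content option is valid and fires on a header match alone, in both directions of the connection. The packet dicts and the 192.0.2.10 host address are constructed for the example.

```python
import re

# Minimal Snort rule parser/matcher for this illustration (not Snort's own
# code). Grammar handled: action proto src sport -> dst dport (option; ...)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Return a dict of header fields plus an 'opts' dict of rule options."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unparsable rule: " + text)
    rule = m.groupdict()
    rule["opts"] = {}
    for opt in filter(None, (o.strip() for o in m["opts"].split(";"))):
        key, _, val = opt.partition(":")
        rule["opts"][key.strip()] = val.strip().strip('"')
    return rule

def rule_matches(rule, pkt):
    """pkt: dict with proto, src, sport, dst, dport and payload (bytes)."""
    if rule["proto"] != pkt["proto"]:
        return False
    for f in ("src", "sport", "dst", "dport"):
        if rule[f] != "any" and rule[f] != str(pkt[f]):
            return False
    # No 'content' option means no payload condition: a header match alone
    # fires, so even an empty SYN to the address triggers the rule.
    if "content" in rule["opts"]:
        return rule["opts"]["content"].encode() in pkt["payload"]
    return True

# The two rules from the post, each on a single line as Snort expects.
RULES = [parse_rule(r) for r in (
    'alert tcp any any -> 207.46.131.197 any (msg:"Virus - Magic Lantern"; sid:1000001; classtype:misc-activity;)',
    'alert tcp 207.46.131.197 any -> any any (msg:"Virus - Magic Lantern"; sid:1000002; classtype:misc-activity;)',
)]

def firing_sids(pkt):
    """Return the sids of every rule that alerts on this packet."""
    return [int(r["opts"]["sid"]) for r in RULES if rule_matches(r, pkt)]

# Constructed packets; 192.0.2.10 is a documentation address standing in for
# the watched host. An empty outbound SYN fires 1000001, the reply fires 1000002.
SYN_OUT = {"proto": "tcp", "src": "192.0.2.10", "sport": 4321,
           "dst": "207.46.131.197", "dport": 80, "payload": b""}
REPLY = {"proto": "tcp", "src": "207.46.131.197", "sport": 80,
         "dst": "192.0.2.10", "dport": 4321, "payload": b"HTTP/1.1 200 OK\r\n"}
```

Traffic to any other host, or non-TCP traffic to the same address, matches neither rule, which is a quick way to confirm that a rule not firing is a traffic or sensor-placement question rather than a missing content field.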


