[Snort-sigs] Signatures attached

Tobias Haecker (T.O.) tobias.haecker at ...276...
Mon Jan 21 08:48:04 EST 2002


-- 
--------------------------------------------------------------------
Tobias Häcker                                     Dipl.-Inform. med. 
Thinking Objects Software GmbH                 tobias.haecker at ...276...
Lilienthalstraße 2                          phone: +49.711.88770.400
70825 Stuttgart-Korntal                       fax: +49.711.88770.449
--------------------------------------------------------------------
-------------- next part --------------
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  

--
Sid:
795

--
Summary:
Using two or more windows file extensions, mail users have
difficulties to determine the type of attachments an probably
execute a file or script while thinking it is a harmless ascii text.

--
Impact:
Mail worms may spread rapidly because users execute them.

--
Detailed Information:
Windows systems are often configured not to display file extensions.
By adding a second extension, users get confused and think that an
executable is a text - e.g. loveletter.txt.vbs gets displayed as
loveletter.txt but is a visual basic script and not a plain text.

--
Attack Scenarios:
Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method.

--
Ease of Attack:
Very easy. One needs to attach a file and hope that it gets executed.

--
False Positives:
Could be an error on sender's side.

--
False Negatives:
-

--
Corrective Action:
Use antivirus software. Configure mail clients securely, especially when
using windows desktops. Educate your mail users. Deny all attachments at
the gateway if you can.

--
Contributors:
tobias.haecker at ...276...

--
Additional References:
See websites of antivirus companies.
-------------- next part --------------
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  

--
Sid:
796

--
Summary:
Using two or more windows file extensions, mail users have
difficulties to determine the type of attachments an probably
execute a file or script while thinking it is a harmless Excel
spreadsheet.

--
Impact:
Mail worms may spread rapidly because users execute them.

--
Detailed Information:
Windows systems are often configured not to display file extensions.
By adding a second extension, users get confused and think that an
executable is an EXCEL spreadsheet - e.g. businnesplan.xls.vbs gets displayed as
businessplan.xls but is a visual basic script and not an EXCEL spreadsheet.

--
Attack Scenarios:
Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method. Warning:
An EXCEL spreadsheet is in now way more secure than a visual basic script.
Wrongly configured antivirus software my ignore this files and
let a macro virus pass.

--
Ease of Attack:
Very easy. One needs to attach a file and hope that it gets executed.

--
False Positives:
Could be an error on sender's side.

--
False Negatives:
-

--
Corrective Action:
Use antivirus software. Configure mail clients securely, especially when
using windows desktops. Educate your mail users. Deny all attachments at
the gateway if you can.

--
Contributors:
tobias.haecker at ...276...

--
Additional References:
See websites of antivirus companies.
-------------- next part --------------
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  

--
Sid:
797

--
Summary:
Using two or more windows file extensions, mail users have
difficulties to determine the type of attachments an probably
execute a file or script while thinking it is a harmless picture.

--
Impact:
Mail worms may spread rapidly because users execute them.

--
Detailed Information:
Windows systems are often configured not to display file extensions.
By adding a second extension, users get confused and think that an
executable is a picture - e.g. niceboy.jpg.vbs gets displayed as
nicegboy.jpg but is a visual basic script and not a picture.

--
Attack Scenarios:
Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method.

--
Ease of Attack:
Very easy. One needs to attach a file and hope that it gets executed.

--
False Positives:
Could be an error on sender's side.

--
False Negatives:
-

--
Corrective Action:
Use antivirus software. Configure mail clients securely, especially when
using windows desktops. Educate your mail users. Deny all attachments at
the gateway if you can.

--
Contributors:
tobias.haecker at ...276...

--
Additional References:
See websites of antivirus companies.
-------------- next part --------------
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  

--
Sid:
798

--
Summary:
Using two or more windows file extensions, mail users have
difficulties to determine the type of attachments an probably
execute a file or script while thinking it is a harmless picture.

--
Impact:
Mail worms may spread rapidly because users execute them.

--
Detailed Information:
Windows systems are often configured not to display file extensions.
By adding a second extension, users get confused and think that an
executable is a picture - e.g. nicegirl.gif.vbs gets displayed as
nicegirl.gif but is a visual basic script and not a picture.

--
Attack Scenarios:
Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method.

--
Ease of Attack:
Very easy. One needs to attach a file and hope that it gets executed.

--
False Positives:
Could be an error on sender's side.

--
False Negatives:
-

--
Corrective Action:
Use antivirus software. Configure mail clients securely, especially when
using windows desktops. Educate your mail users. Deny all attachments at
the gateway if you can.

--
Contributors:
tobias.haecker at ...276...

--
Additional References:
See websites of antivirus companies.
-------------- next part --------------
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work. 
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule:  

--
Sid:
801

--
Summary:
Using two or more windows file extensions, mail users have
difficulties to determine the type of attachments an probably
execute a file or script while thinking it is a harmless WORD document.

--
Impact:
Mail worms may spread rapidly because users execute them.

--
Detailed Information:
Windows systems are often configured not to display file extensions.
By adding a second extension, users get confused and think that an
executable is a WORD document - e.g. resume.doc.vbs gets displayed as
resume.doc but is a visual basic script and not a WORD document.

--
Attack Scenarios:
Famous worms (ILOVEYOU, KOURNIKOVA) are based on this method. Warning:
A WORD document is in now way more secure than a visual basic script.
Wrongly configured antivirus software my ignore this files and
let a macro virus pass.

--
Ease of Attack:
Very easy. One needs to attach a file and hope that it gets executed.

--
False Positives:
Could be an error on sender's side.

--
False Negatives:
-

--
Corrective Action:
Use antivirus software. Configure mail clients securely, especially when
using windows desktops. Educate your mail users. Deny all attachments at
the gateway if you can.

--
Contributors:
tobias.haecker at ...276...

--
Additional References:
See websites of antivirus companies.


More information about the Snort-sigs mailing list