[Snort-sigs] New Signature
michael_anuzis at ...12...
Fri Jan 25 14:03:02 EST 2002
I've created a new Snort signature and included the summary for it. I'm not
sure how to go about assigning the Sid or the urgency notification. I looked
at the other two SubSeven signatures for a place to start, and noticed they
were classified as priority 3, Misc-Activity. I don't know if I would label
a computer infected with SubSeven such a low priority, because if a system
is truly infected with it, and an attacker is then properly notified of it and
able to access it, the computer is completely compromised and can be used
for launching all sorts of other attacks.
Many thanks to David Wilburn for helping me refine the rule itself to
make it as accurate and efficient as possible. I hope this rule helps.
Rule:
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "BACKDOOR SubSeven 2.2 SIN Beacon"; dsize: 14; content: "|6d6e d9d1 adb9 cd66 a295|"; offset: 4;)

Sid:
Not assigned yet
Summary:
A SubSeven server has been installed on your network and is trying to notify
the attacker of the IP address and port it is running on via SubSeven's
proprietary "SIN" notification beacon.
Impact:
If there is no firewall in place preventing the attacker from accessing the
infected system after being notified of its location, then the attacker has
complete control over all digital aspects of the computer.
Detailed Information:
SubSeven is a client/server backdoor. The server can be embedded in another
executable to make it less suspicious to the victim who runs it, or it may be
installed manually by an attacker with physical access to the victim
machine. After the server has been installed successfully, an attacker may
remotely access it with the SubSeven client and perform a list of actions
too long to include in this summary. The attacker will be able to do everything
from file manipulation, registry editing, and port forwarding, to opening
and closing the CD drive.
Attack Scenarios:
The server may be installed manually by anyone with physical access to the
computer. Most often the server will be hidden inside another, more
trustworthy-looking executable and sent through e-mail to trick users into
installing it unknowingly.
Ease of Attack:
Simple: install the server and plug the server's IP address/port number
into the client.
Corrective Action:
The source IP address of this alert will be the infected (Windows) system.
Physically locate the system and remove the server accordingly. The
destination IP address is most likely the address of the attacker, although
it is possible the hacker has a third-party computer set up to listen for
these SIN beacons. Check the victim computer for anything unusual. If
anything has been maliciously damaged, investigative measures should be
Contributors:
Michael Anuzis, e-mail: michael at ...321...
Additional References:
Removal of the server: http://vil.mcafee.com/dispVirus.asp?virus_k=10566&
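To make the rule's matching semantics concrete (header direction, the exact-size dsize test, and the content/offset pair), here is a small stand-alone re-implementation of the posted rule in Python, run over constructed sample packets. This is an added example and is not part of the original post or of Snort; the $HOME_NET value, the addresses, ports and the four leading payload bytes of the beacon are assumptions (the rule does not constrain those bytes), and $EXTERNAL_NET is taken as the complement of $HOME_NET as in a default snort.conf.

```python
import ipaddress
import struct

# Constants lifted from the posted rule:
#   alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR SubSeven 2.2 SIN Beacon";
#     dsize:14; content:"|6d6e d9d1 adb9 cd66 a295|"; offset:4;)
RULE_MSG = "BACKDOOR SubSeven 2.2 SIN Beacon"
SIN_CONTENT = bytes.fromhex("6d6ed9d1adb9cd66a295")   # the 10-byte content match
SIN_OFFSET = 4                                         # content may begin at byte 4 or later
SIN_DSIZE = 14                                         # exact UDP payload size

# Assumption: the monitored network ($HOME_NET in snort.conf); $EXTERNAL_NET = !$HOME_NET.
HOME_NET = ipaddress.ip_network("192.168.1.0/24")


def build_ipv4_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Construct a minimal raw IPv4+UDP packet (no IP options, checksums left at 0)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    ip = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + udp_len,        # version/IHL, TOS, total length
        0, 0,                         # identification, flags/fragment offset
        64, 17, 0,                    # TTL, protocol (17 = UDP), header checksum (unset)
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    return ip + udp


def parse_ipv4_udp(frame: bytes):
    """Return (src, dst, sport, dport, payload) for an IPv4/UDP packet, else None."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17 or len(frame) < ihl + 8:
        return None
    src = ipaddress.ip_address(frame[12:16])
    dst = ipaddress.ip_address(frame[16:20])
    sport, dport, udp_len, _ = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    payload = frame[ihl + 8:ihl + udp_len]
    return src, dst, sport, dport, payload


def matches_sin_beacon(frame: bytes) -> bool:
    """Apply the rule's header and payload options to one packet."""
    parsed = parse_ipv4_udp(frame)
    if parsed is None:
        return False
    src, dst, _sport, _dport, payload = parsed
    # $HOME_NET any -> $EXTERNAL_NET any
    if src not in HOME_NET or dst in HOME_NET:
        return False
    if len(payload) != SIN_DSIZE:           # dsize:14 is an exact-size test
        return False
    # content ... offset:4 searches from byte 4 onward; with dsize 14 and a
    # 10-byte pattern only position 4 can fit, so this pins the bytes exactly.
    return payload.find(SIN_CONTENT, SIN_OFFSET) != -1


def scan(frames) -> list:
    """Return one alert tuple (index, src, dst, dport, msg) per matching packet."""
    alerts = []
    for i, frame in enumerate(frames):
        if matches_sin_beacon(frame):
            src, dst, _sport, dport, _payload = parse_ipv4_udp(frame)
            alerts.append((i, str(src), str(dst), dport, RULE_MSG))
    return alerts


# Constructed sample traffic (not real captures; addresses and ports are arbitrary).
# The 4 leading bytes of the beacon are a placeholder: the rule does not constrain them.
BEACON = b"\x00\x00\x00\x00" + SIN_CONTENT
SAMPLE_FRAMES = [
    build_ipv4_udp("192.168.1.50", "198.51.100.7", 1041, 5555, BEACON),               # infected host -> attacker
    build_ipv4_udp("198.51.100.7", "192.168.1.50", 5555, 1041, BEACON),               # wrong direction
    build_ipv4_udp("192.168.1.50", "198.51.100.7", 1041, 5555, BEACON + b"\x00\x00"),  # dsize 16, not 14
    build_ipv4_udp("192.168.1.50", "192.168.1.200", 1041, 5555, BEACON),              # internal -> internal
    build_ipv4_udp("192.168.1.50", "198.51.100.7", 1041, 5555, b"\x00" * 14),         # right size, no content
]

if __name__ == "__main__":
    for idx, src, dst, dport, msg in scan(SAMPLE_FRAMES):
        print("[**] %s  %s -> %s:%d  (packet %d)" % (msg, src, dst, dport, idx))
```

Only the first sample packet fires; the others exercise each clause of the rule in turn (direction, dsize, home-to-home traffic, and missing content), which is the same set of cases to check when testing the rule in a live Snort instance.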