[Snort-sigs] New Signature

Michael Anuzis michael_anuzis at ...12...
Fri Jan 25 14:03:02 EST 2002

I've created a new snort signature & included the summary for it. I'm not 
sure how to go about assigning the Sid or the urgency notification. I looked 
at the other two SubSeven signatures for a place to start, & noticed they 
were classified as priority: 3, Misc-Activity. I don't know if I would lable 
a computer infected with SubSeven such a low priority, because if a system 
is truely infected with it & an attacker is then notified of it properly & 
able to access it the computer is completely compromised & able to be used 
for launching all sorts of other attacks.

Much thanks for David Wilburn for helping me in refining the rule itself to 
make it as accurate and efficient as possible. I hope this rule helps.

alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "BACKDOOR SubSeven 2.2 
SIN Beacon"; dsize: 14; content: "|6d6e d9d1 adb9 cd66 a295|"; offset: 4; 
depth: 10;)

Not Assigned yet

A SubSeven server has been installed on your network and is trying to notify 
the attacker of the IP address & port it is running on via SubSeven's 
proprietary "SIN" notification beacon.

If there is no firewall in place preventing the attacker from accessing the 
infected system after being notified of its location, then the attacker has 
complete control over all digital aspects of the computer.

Detailed Information:
SubSeven is a client/server backdoor. The server can be embedded in other 
executables to make it less suspicious to a victim using it, or it may be 
installed manually by an attacker with physical access to the victim 
machine. After the server has been installed successfully, an attacker may 
remotely access it with the SubSeven client and perform a list of actions 
too long to list in this summary. The attacker will be able to do everything 
from file manipulation, registry editing, and port forwarding, to opening 
and closing the CD drive.

Attack Scenarios:
The server may be installed manually by anyone with physical access to the 
computer. Most often the server will be hidden inside another more 
trustworthy executable and sent through e-mail to trick users into 
installing it unknowingly.

Ease of Attack:
Simply installing the server & plugging the server's IP address/port number 
into the client.

False Positives:

False Negatives:

Corrective Action:
The source IP address of this alert will be the infected (Windows) system. 
Physically locate the system and remove the server accordingly. The 
destination IP address is most likely the address of the attacker, although 
tt is possible the hacker has a 3rd party computer set up to listen for 
these SIN beacons. Check the victim computer for anything unusual. If 
anything has been maliciously damaged investigative measures should be 

Michael Anuzis  e-mail: michael at ...321...

Additional References:
Removal of the server: http://vil.mcafee.com/dispVirus.asp?virus_k=10566&

Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.

More information about the Snort-sigs mailing list