[Snort-sigs] New Signature

Michael Anuzis michael_anuzis at ...12...
Sat Jan 26 15:59:02 EST 2002


I apologize for wasting everyone's time & e-mail space. This rule isn't 
completed yet. It only catches what it's supposed to catch when the attacker 
has it reply reporting a certain IP/port.

The part of the datagram that does stay the same are these 6 bytes but for 
some reason (perhaps some syntax error) this rule won't catch the packet 
either:
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "SubSeven 2.2 SIN 
Beacon"; dsize: 14; content: "|8177 9e9c 696e|"; depth: 6;)

The 6 bytes mentioned above are the first in the datagram so I mentioned no 
offset, but for some reason it still won't catch. If any of the core 
developers knows what may be wrong feel free to fix it, otherwise I guess we 
can drop it here.

Again sorry to bother everyone,
Michael Anuzis


>From: "Michael Anuzis" <michael_anuzis at ...12...>
>To: snort-sigs at lists.sourceforge.net
>Subject: [Snort-sigs] New Signature
>Date: Fri, 25 Jan 2002 17:02:19 -0500
>
>I've created a new snort signature & included the summary for it. I'm not
>sure how to go about assigning the Sid or the urgency notification. I 
>looked
>at the other two SubSeven signatures for a place to start, & noticed they
>were classified as priority: 3, Misc-Activity. I don't know if I would 
>lable
>a computer infected with SubSeven such a low priority, because if a system
>is truely infected with it & an attacker is then notified of it properly &
>able to access it the computer is completely compromised & able to be used
>for launching all sorts of other attacks.
>
>Much thanks for David Wilburn for helping me in refining the rule itself to
>make it as accurate and efficient as possible. I hope this rule helps.
>
>
>Rule:
>alert udp $HOME_NET any -> $EXTERNAL_NET any (msg: "BACKDOOR SubSeven 2.2
>SIN Beacon"; dsize: 14; content: "|6d6e d9d1 adb9 cd66 a295|"; offset: 4;
>depth: 10;)
>
>--
>Sid:
>Not Assigned yet
>
>--
>Summary:
>A SubSeven server has been installed on your network and is trying to 
>notify
>the attacker of the IP address & port it is running on via SubSeven's
>proprietary "SIN" notification beacon.
>
>--
>Impact:
>If there is no firewall in place preventing the attacker from accessing the
>infected system after being notified of its location, then the attacker has
>complete control over all digital aspects of the computer.
>
>--
>Detailed Information:
>SubSeven is a client/server backdoor. The server can be embedded in other
>executables to make it less suspicious to a victim using it, or it may be
>installed manually by an attacker with physical access to the victim
>machine. After the server has been installed successfully, an attacker may
>remotely access it with the SubSeven client and perform a list of actions
>too long to list in this summary. The attacker will be able to do 
>everything
>from file manipulation, registry editing, and port forwarding, to opening
>and closing the CD drive.
>
>
>--
>Attack Scenarios:
>The server may be installed manually by anyone with physical access to the
>computer. Most often the server will be hidden inside another more
>trustworthy executable and sent through e-mail to trick users into
>installing it unknowingly.
>
>
>--
>Ease of Attack:
>Simply installing the server & plugging the server's IP address/port number
>into the client.
>
>--
>False Positives:
>
>--
>False Negatives:
>
>--
>Corrective Action:
>The source IP address of this alert will be the infected (Windows) system.
>Physically locate the system and remove the server accordingly. The
>destination IP address is most likely the address of the attacker, although
>tt is possible the hacker has a 3rd party computer set up to listen for
>these SIN beacons. Check the victim computer for anything unusual. If
>anything has been maliciously damaged investigative measures should be
>taken.
>
>--
>Contributors:
>Michael Anuzis  e-mail: michael at ...321...
>
>--
>Additional References:
>Removal of the server: http://vil.mcafee.com/dispVirus.asp?virus_k=10566&
>
>_________________________________________________________________
>Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
>
>
>_______________________________________________
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/snort-sigs


_________________________________________________________________
Chat with friends online, try MSN Messenger: http://messenger.msn.com





More information about the Snort-sigs mailing list