[Snort-sigs] NB! New Klez rules, old ones raise false positives

Christian Nesmark cnesmark at ...618...
Thu Jun 6 13:06:02 EDT 2002


I am currently working on a set of rules for Klez recognition for my final 
dissertation, and came across this from Chad Kreimendahl, claiming a hit 
rate of 100%.

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"VIRUS Klez Incoming"; flow:to_server,established; dsize:>120; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity;)

Well, I reckon the hit rate for this rule would exceed 100% (i.e. false 
positives), as I've investigated about 20 MIME-encoded Klez binaries and 
found that the string "VGhpcyBwcm9" has nothing to do specifically with the 
Klez worm, but is a part of the standard header for ALL (at least, all I've 
investigated) Win32 executables. By just attaching "telnet.exe" to an 
e-mail I triggered the rule.

I found that byte 82 (remove base64 headers) differs from executable to 
executable, and after the 174th byte, things really start to differ from 
file to file. But all Klez files are the same in this section, so I chose a 
string of 20 bytes from this part: "s1z4E7Nc+BOzJ+Qfs1j4". Also, the 
keyword "MIME" should be included, but using only all uppercase would 
exclude accidentally manually sent infected files having a "Mime" 
(mixed-case) header instead. Therefore I use a "nocase" statement to cover 
the "Mime" check, but a binary string check to match the case-sensitive 
20-byte string.

Also, the following rule will monitor traffic to the SMTP server, but 
ignores mail downloaded from other mail servers. Therefore I modified 
the rule, making three altogether:

alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"VIRUS Klez arrived to SMTP"; flags:A+; dsize:>500; content:"MIME"; nocase; content:"|73 31 7A 34 45 37 4E 63 2B 42 4F 7A 4A 2B 51 66 73 31 6A 34|"; classtype:misc-activity; reference:url,www.norman.no/virus_info/w32_klez_g_mm.shtml;)

alert tcp $EXTERNAL_NET 110 -> $HOME_NET any (msg:"VIRUS Klez in POP MIME attachment"; flags:A+; dsize:>500; content:"|73 31 7A 34 45 37 4E 63 2B 42 4F 7A 4A 2B 51 66 73 31 6A 34|"; classtype:misc-activity; reference:url,www.norman.no/virus_info/w32_klez_g_mm.shtml;)

alert tcp $EXTERNAL_NET 143 -> $HOME_NET any (msg:"VIRUS Klez in IMAP MIME attachment"; flags:A+; dsize:>500; content:"|73 31 7A 34 45 37 4E 63 2B 42 4F 7A 4A 2B 51 66 73 31 6A 34|"; classtype:misc-activity; reference:url,www.norman.no/virus_info/w32_klez_g_mm.shtml;)

The latter two rules have had their "MIME" string check removed, as I 
discovered that the two keywords most probably were not arriving in the 
same TCP packet, as many extra headers are added by different servers. 
Also, sorry for using flags instead of the flow option, but I'm not totally 
into that yet.

I hope these rules will provide better detection of Klez - please let me 
know if they prove helpful! My own testing has been successful so far, but 
more feedback is needed to develop them further.

Best regards,
Christian Nesmark
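The false-positive argument above, as an added worked example (not from the post or from Snort): a constructed, non-runnable MZ/DOS header stands in for a benign Win32 executable; the rule logic is re-implemented in plain Python, and the helper that renders the 20-byte ASCII string as a Snort hex content field is an assumption of this example, not a Snort feature.

```python
import base64

# Constructed, benign, non-runnable MZ/DOS header (not Klez, not a real file),
# modelled on the stub the Microsoft linker emits in every Win32 executable.
DOS_STUB_CODE = bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")    # bytes 0x40..0x4D
DOS_STUB_TEXT = b"This program cannot be run in DOS mode.\r\r\n$"  # starts at 0x4E

def fake_win32_exe() -> bytes:
    """Build a minimal PE-like blob carrying the standard DOS stub text."""
    hdr = bytearray(b"MZ")
    hdr += b"\x00" * (0x3C - len(hdr))      # pad up to the e_lfanew field
    hdr += (0x80).to_bytes(4, "little")     # e_lfanew: where the PE header would sit
    hdr += DOS_STUB_CODE + DOS_STUB_TEXT    # "This" lands at offset 0x4E (78, 3-aligned)
    hdr += b"\x00" * (0x80 - len(hdr)) + b"PE\x00\x00"
    return bytes(hdr)

def decode_fragment(sig: str) -> bytes:
    """Decode a base64 fragment lifted from a rule (pads; trailing bits are dropped)."""
    return base64.b64decode(sig + "=" * (-len(sig) % 4))

def benign_mail_with_attachment(exe: bytes) -> bytes:
    """Constructed SMTP DATA fragment: MIME headers plus a base64 attachment."""
    return (b"MIME-Version: 1.0\r\n"
            b'Content-Type: application/octet-stream; name="telnet.exe"\r\n'
            b"Content-Transfer-Encoding: base64\r\n\r\n"
            + base64.encodebytes(exe))       # 76-column MIME line wrapping

def kreimendahl_rule_hits(payload: bytes) -> bool:
    """Match logic of the posted rule: dsize>120, 'MIME' and 'VGhpcyBwcm9'."""
    return len(payload) > 120 and b"MIME" in payload and b"VGhpcyBwcm9" in payload

def snort_hex_content(s: str) -> str:
    """Render an ASCII match string as a case-sensitive Snort binary content field."""
    return "|" + " ".join(f"{b:02X}" for b in s.encode("ascii")) + "|"

if __name__ == "__main__":
    print(decode_fragment("VGhpcyBwcm9"))                  # b'This pro'
    mail = benign_mail_with_attachment(fake_win32_exe())
    print(kreimendahl_rule_hits(mail))                      # True: a benign exe trips the rule
    # The base64 image of a string depends on its 3-byte alignment in the file:
    # one extra leading byte and the same stub text encodes as 'IVRoaXMgcHJv'.
    print(kreimendahl_rule_hits(benign_mail_with_attachment(b"\x00" + fake_win32_exe())))  # False
    print(snort_hex_content("s1z4E7Nc+BOzJ+Qfs1j4"))
```

The decoded fragment is the start of the DOS stub message, which is why any base64-encoded Win32 executable whose stub sits at the usual offset matches; the alignment check shows that the same kind of base64 signature also silently misses when the attachment is shifted by a byte or two.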
