[Snort-sigs] Proposed sig to spot internal Klez infections
Kenneth G. Arnold
bkarnold at ...1280...
Thu Apr 3 13:09:40 EST 2003
I would like to propose the following signature to detect infections of
Windows machines within your own network by the Klez virus. Our experience
has been that every time we see an internal machine trying to send email to
a mail server at 126.96.36.199, it has been infected by the Klez virus. Once
the machine is cleaned, the attempts to send email to this address stop. I
have no packet capture to support this because we don't actually let the
connection take place. Our border router stops it and logs it. Feel free
to change the sid or the message.
alert tcp $HOME_NET any -> 188.8.131.52/32 25 (msg:"Klez infection likely"; classtype:misc-activity; sid:1000007; rev:1;)
ARIN shows that 184.108.40.206 is registered to:
OrgName: Royal Signals and Radar Establishment Org
Address: St. Andrews Road Great Malvern
Address: Worchestire, WR14 3PS
and there doesn't appear to even be a mail server there.
Brother Kenneth Arnold
Information Technology Services
Christian Brothers University
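To show what a rule of this shape actually tests, here is a small matcher for the Snort rule header, written as an added example for this archive page (it is not Snort's parser and not code from the post). It handles only the pieces the Klez signature uses: protocol, a $VAR or CIDR or "any" on each side, single ports, and the "->" / "<>" direction, then evaluates the rule against a few constructed flow records. The $HOME_NET value (10.0.0.0/8) and the flows are constructed; the destination address is taken from the rule exactly as it appears in the post.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed value for $HOME_NET. Real Snort reads it from snort.conf;
# an internal-only source restriction is what makes this rule an
# "infected host inside our network" check rather than a generic SMTP alert.
VARS = {"HOME_NET": "10.0.0.0/8"}

# The proposed signature, as posted (address and sid unchanged).
RULE = ('alert tcp $HOME_NET any -> 188.8.131.52/32 25 '
        '(msg:"Klez infection likely"; classtype:misc-activity; sid:1000007; rev:1;)')

# Header grammar: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')


@dataclass
class Flow:
    """One connection attempt as a flow record (constructed input, not a pcap)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _net(spec):
    """Resolve $VAR, 'any' (-> None) or address/CIDR into an ip_network."""
    if spec.startswith('$'):
        spec = VARS[spec[1:]]
    if spec == 'any':
        return None
    return ipaddress.ip_network(spec, strict=False)


def _port(spec):
    return None if spec == 'any' else int(spec)


def parse_rule(text):
    """Parse the header and the handful of key:value options we care about."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError('unsupported rule syntax')
    opts = dict(kv.strip().split(':', 1) for kv in m['opts'].split(';') if kv.strip())
    return {
        'action': m['action'], 'proto': m['proto'], 'dir': m['dir'],
        'src': _net(m['src']), 'sport': _port(m['sport']),
        'dst': _net(m['dst']), 'dport': _port(m['dport']),
        'msg': opts.get('msg', '').strip('"'), 'sid': int(opts.get('sid', 0)),
    }


def _side_ok(net, port, addr, p):
    return (net is None or ipaddress.ip_address(addr) in net) and (port is None or port == p)


def matches(rule, flow):
    """True if the flow satisfies the rule header (bidirectional for '<>')."""
    if rule['proto'] != flow.proto:
        return False
    forward = (_side_ok(rule['src'], rule['sport'], flow.src, flow.sport) and
               _side_ok(rule['dst'], rule['dport'], flow.dst, flow.dport))
    if forward or rule['dir'] == '->':
        return forward
    return (_side_ok(rule['src'], rule['sport'], flow.dst, flow.dport) and
            _side_ok(rule['dst'], rule['dport'], flow.src, flow.sport))


def scan(rule_text, flows):
    """Return (sid, msg, flow) for every flow the rule fires on."""
    rule = parse_rule(rule_text)
    return [(rule['sid'], rule['msg'], f) for f in flows if matches(rule, f)]


# Constructed flows: only the first one should fire.
SAMPLE_FLOWS = [
    Flow('tcp', '10.1.2.3', 49152, '188.8.131.52', 25),   # internal host -> SMTP: alert
    Flow('tcp', '10.1.2.3', 49153, '188.8.131.52', 80),   # wrong port
    Flow('tcp', '203.0.113.9', 40000, '188.8.131.52', 25),  # source not in $HOME_NET
    Flow('udp', '10.1.2.3', 49154, '188.8.131.52', 25),   # wrong protocol
]

if __name__ == '__main__':
    for sid, msg, flow in scan(RULE, SAMPLE_FLOWS):
        print(f'[{sid}] {msg}: {flow.src}:{flow.sport} -> {flow.dst}:{flow.dport}')
```

The rule keys entirely on one destination address, so its value depends on that address staying tied to Klez traffic; if the destination ever changes hands, the rule will keep firing on legitimate mail and should be retired or its address updated with a rev bump, as the post's "feel free to change the sid or the message" already invites.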