[Snort-sigs] Proposed sig to spot internal Klez infections

Kenneth G. Arnold bkarnold at ...1280...
Thu Apr 3 13:09:40 EST 2003


I would like to propose the following signature to detect infections of 
Windows machines within your own network by the Klez virus. Our experience 
has been that every time we see an internal machine trying to send email to 
a mail server at 25.0.0.0, it has been infected by the Klez virus.  Once 
the machine is cleaned, the attempts to send email to this address stop. I 
have no packet capture to support this because we don't actually let the 
connection take place.  Our border router stops it and logs it.  Feel free 
to change the sid or the message.

alert tcp $HOME_NET any -> 25.0.0.0/32 25 (msg:"Klez infection likely"; classtype:misc-activity; sid:1000007; rev:1;)

ARIN shows that 25.0.0.0 is registered to:
OrgName: Royal Signals and Radar Establishment Org
ID: RSRE
Address: St. Andrews Road Great Malvern
Address: Worchestire, WR14 3PS

and there doesn't appear to even be a mail server there.


Brother Kenneth Arnold
System Administrator
Information Technology Services
Christian Brothers University
(901) 321-4333
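An added example, not part of the original post, that applies the header logic of the proposed rule to a few constructed flow records so you can see which connections it would and would not flag. The value of $HOME_NET and the sample flows are assumptions; your real value comes from snort.conf.

```python
import ipaddress
import re

# The rule proposed in the post, joined onto a single line.
KLEZ_RULE = ('alert tcp $HOME_NET any -> 25.0.0.0/32 25 '
             '(msg:"Klez infection likely"; classtype:misc-activity; sid:1000007; rev:1;)')

# Assumed $HOME_NET value (constructed); take yours from snort.conf.
VARS = {"$HOME_NET": ["10.0.0.0/8", "192.168.0.0/16"]}

# action proto src sport dir dst dport (options)
HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(text):
    """Split a one-line Snort rule into its header fields and a dict of options."""
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError("not a rule: %r" % text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = dict(o.strip().split(":", 1) for o in opts.split(";") if o.strip())
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "opts": options}

def _addr_match(spec, ip):
    nets = VARS.get(spec, [spec])          # expand $VAR, else treat spec as a network
    return nets == ["any"] or any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in nets)

def _port_match(spec, port):
    return spec == "any" or int(spec) == port

def matches(rule, flow):
    """True if a flow {proto, src, sport, dst, dport} satisfies the rule header."""
    if flow["proto"] != rule["proto"]:
        return False
    fwd = (_addr_match(rule["src"], flow["src"]) and _port_match(rule["sport"], flow["sport"]) and
           _addr_match(rule["dst"], flow["dst"]) and _port_match(rule["dport"], flow["dport"]))
    rev = (rule["dir"] == "<>" and _addr_match(rule["src"], flow["dst"]) and
           _port_match(rule["sport"], flow["dport"]) and _addr_match(rule["dst"], flow["src"]) and
           _port_match(rule["dport"], flow["sport"]))
    return fwd or rev

def alerts(rule_text, flows):
    """Return (source ip, msg, sid) for every flow the rule would fire on."""
    rule = parse_rule(rule_text)
    return [(f["src"], rule["opts"]["msg"].strip('"'), rule["opts"]["sid"]) for f in flows if matches(rule, f)]

# Constructed sample flows (not from the post); only the first should fire.
SAMPLE_FLOWS = [
    {"proto": "tcp", "src": "10.1.2.3", "sport": 1042, "dst": "25.0.0.0", "dport": 25},
    {"proto": "tcp", "src": "10.1.2.3", "sport": 1043, "dst": "25.0.0.1", "dport": 25},      # outside the /32
    {"proto": "tcp", "src": "10.1.2.4", "sport": 1044, "dst": "25.0.0.0", "dport": 80},      # not SMTP
    {"proto": "tcp", "src": "198.51.100.7", "sport": 1045, "dst": "25.0.0.0", "dport": 25},  # not $HOME_NET
]

if __name__ == "__main__":
    for src, msg, sid in alerts(KLEZ_RULE, SAMPLE_FLOWS):
        print("[sid %s] %s from %s" % (sid, msg, src))
```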