RES: [Snort-sigs] W32.Bugbear.B at ...110... Signature

Shane Williams shanew at ...94...
Sun Jun 8 17:12:07 EDT 2003


On Sat, 7 Jun 2003, daniel.clemens wrote:

> This was on the symantec website around 11am..
> 
> alert tcp any any -> any 25 \
> (msg:"BugBear B SMTP Worm Propagation"; \
> content:"CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA";classtype:misc-attack;)

I tested this signature and came up with 15 hits in a given period.
Running McAfee VirusScan against those emails resulted in one false
positive and two emails that showed up only as Generic Mime Exploit
viruses.  Of course, it could be that McAfee's defs are off.  In
either case, here's a content string that matched only the 12 emails
specifically identified by McAfee as Bugbear.b:

"ZWdDbG9zZUtleQAAAFdOZXRPcGVuRW51bUEAAABwdXRjAABTZXRUaW1lcgAAAAAIAAwAAAAiMQAA"


In addition, I spent some time today looking at the recent Sobig.c
variation.  Here's a rule based on that research.  Double-checking
with McAfee shows no false negatives or positives, but I don't have a
huge sample size to test (only about 100 emails).  Here's the rule:

alert tcp any any -> any 25 (msg:"Possible Sobig.c virus in SMTP"; content:"ZTPbE3sPAjQLDBypalkKEQBQRcM/yL8BAwBEk9c+4AAPAQsBBoYS9TCqmqjJHdzsFHVgCgsDXbLB"; sid:9000019; classtype:misc-activity; rev:1;)

As always, please let me know of any false positives or negatives.

-- 
Public key #7BBC68D9 at            |                 Shane Williams
http://pgp.mit.edu/                |      System Admin - UT iSchool
=----------------------------------+-------------------------------
All syllogisms contain three lines |              shanew at ...94...
Therefore this is not a syllogism  | www.ischool.utexas.edu/~shanew
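As an added example (not part of this thread, and not code from either poster or from Symantec), the following Python script does three things a defender would want when evaluating the rules above: it decodes the three quoted `content:` strings to show which attachment bytes they stand for, it runs the same raw substring test that a Snort `content:` option performs over a constructed SMTP message, and it shows why such a string has to be lifted from the actual base64 body of the mail rather than made by encoding an arbitrary slice of the binary: the same bytes only produce the same base64 text when they sit at a file offset that is a multiple of 3. The SMTP message, the filler line and the rule names used as dictionary keys are constructed for this example.

```python
import base64
import re

# The three content: strings exactly as posted in the thread. Each is a
# fragment of the base64-encoded body of the worm's MIME attachment.
CONTENT_STRINGS = {
    "bugbear_symantec": "CwEGAAAgAQAAEAAAAOAGACABCAAA8AYAABAIAAAAQAAAEAAAAAIAAAQAAAAA",
    "bugbear_shane":    "ZWdDbG9zZUtleQAAAFdOZXRPcGVuRW51bUEAAABwdXRjAABTZXRUaW1lcgAAAAAIAAwAAAAiMQAA",
    "sobig_c":          "ZTPbE3sPAjQLDBypalkKEQBQRcM/yL8BAwBEk9c+4AAPAQsBBoYS9TCqmqjJHdzsFHVgCgsDXbLB",
}


def decode_content(content):
    """Decode a base64 content: fragment to the attachment bytes it stands for.
    The posted strings are multiples of 4 characters, so they decode as-is;
    a fragment cut mid-quantum is repaired with trailing '=' padding."""
    pad = (-len(content)) % 4
    return base64.b64decode(content + "=" * pad)


def printable_strings(data, min_len=4):
    """Extract printable ASCII runs from decoded bytes, like `strings` would,
    so you can see what the signature is really keyed on (e.g. import names)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def scan_smtp_payload(payload):
    """Mimic the rules' content: test: a plain substring search over the raw
    SMTP stream. Snort does not base64-decode the body for this option, so
    the match only fires if the encoded text appears verbatim on the wire."""
    return [name for name, c in CONTENT_STRINGS.items() if c.encode("ascii") in payload]


def encode_at_offset(prefix_len, chunk):
    """Base64 text of `chunk` when it sits `prefix_len` bytes into a file
    (the prefix is modelled as zero bytes; the value does not matter, only
    its length, because base64 groups input in 3-byte quanta)."""
    return base64.b64encode(b"\x00" * prefix_len + chunk).decode("ascii")


def alignment_survives(content, prefix_len):
    """True if the posted string would still match after the same bytes are
    shifted to a different file offset. Only offsets with prefix_len % 3 == 0
    keep the encoding identical, which is why the string must be copied from
    the encoded message rather than from the binary."""
    return content in encode_at_offset(prefix_len, decode_content(content))


# Constructed SMTP transaction carrying a base64 attachment whose second
# line is the narrower Bugbear.B string from the thread. The first body
# line is filler, not real attachment data.
SAMPLE_SMTP = (
    b"MAIL FROM:<sender@example.com>\r\n"
    b"RCPT TO:<victim@example.net>\r\n"
    b"DATA\r\n"
    b"Subject: constructed test message\r\n"
    b"Content-Type: application/octet-stream; name=\"attach.exe\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    + b"A" * 76 + b"\r\n"
    + CONTENT_STRINGS["bugbear_shane"].encode("ascii") + b"\r\n"
    + b".\r\n"
)


if __name__ == "__main__":
    for name, content in CONTENT_STRINGS.items():
        raw = decode_content(content)
        print(f"{name}: {len(raw)} bytes, first 4 = {raw[:4].hex()}, "
              f"strings = {printable_strings(raw)}")
    print("rules matching the constructed message:", scan_smtp_payload(SAMPLE_SMTP))
    for off in (0, 1, 2, 3):
        print(f"offset {off}: match survives = "
              f"{alignment_survives(CONTENT_STRINGS['bugbear_shane'], off)}")
```

Decoding the strings makes the difference between the two Bugbear.B signatures visible: the Symantec string begins with bytes 0b 01 06 00, the start of a PE optional header (magic 0x010b, linker version 6.0), which is a structure every Windows executable carries, whereas the narrower string decodes to a run of import names (egCloseKey, WNetOpenEnumA, putc, SetTimer) that is specific to one binary's import table. Both 76-character strings are the width of a full MIME base64 line, so each has to appear as exactly one line of the encoded attachment for the raw `content:` match to succeed.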