[Snort-sigs] Sobig.E variant

Joe Stewart jstewart at ...5...
Thu Jun 26 13:47:01 EDT 2003

On Thursday 26 June 2003 02:43 pm, Esler, Joel Contractor wrote:
> I would agree with you, however, when looking for ALL these things in
> conjunction, it would help, now, I do agree that someone who has a better
> packet capture of the virus could help me with the depth and stuff,
> however, this works.  And the only false positive that it detected, was
> your email.

If you want to reliably catch sobig.e, try the PE header+timestamp
(12 bytes near the start of the file starting with "PE"). 

The signature below will only trigger on binaries compiled at the same 
precise second in time, which was Tue Jun 24 14:38:09 2003. Just to 
raise the bar a little higher for false positives, I included the .aspack
label from the section name. Now it will only trigger on binaries compiled 
at exactly that time, and packed with aspack. These strings all occur 
within the first 470 bytes of the file, so it should trigger on the first 
packet of a transfer.

alert tcp any any -> any any (msg:"W32.Sobig.E Possible worm";
content:"|50 45 00 00 4C 01 04 00 91 9A F8 3E|"; content:".aspack"; rev:1;)

Note that PE+timestamp is not reliable on every windows binary, since
compilers are not required to set that field, and some use that field to
store other non-timestamp data.

And of course, this will only catch non-encoded network transfers, such
as when it spreads via netbios. It will obviously not trigger on the mime-
encoded emails which are the main avenue of propagation.


Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation

More information about the Snort-sigs mailing list