[Snort-sigs] Sobig.E variant

Wes Young wyoung at ...1639...
Fri Jun 27 07:01:39 EDT 2003

Has anyone seen a variant to this message format??? if it's pretty std (Your details) atleast i could make a temp rule to watch emails like that going out.

Wes Young

>>> Joe Stewart <jstewart at ...5...> 06/26 4:45 PM >>>
On Thursday 26 June 2003 02:43 pm, Esler, Joel Contractor wrote:
> I would agree with you, however, when looking for ALL these things in
> conjunction, it would help, now, I do agree that someone who has a better
> packet capture of the virus could help me with the depth and stuff,
> however, this works.  And the only false positive that it detected, was
> your email.

If you want to reliably catch sobig.e, try the PE header+timestamp
(12 bytes near the start of the file starting with "PE"). 

The signature below will only trigger on binaries compiled at the same 
precise second in time, which was Tue Jun 24 14:38:09 2003. Just to 
raise the bar a little higher for false positives, I included the .aspack
label from the section name. Now it will only trigger on binaries compiled 
at exactly that time, and packed with aspack. These strings all occur 
within the first 470 bytes of the file, so it should trigger on the first 
packet of a transfer.

alert tcp any any -> any any (msg:"W32.Sobig.E Possible worm";
content:"|50 45 00 00 4C 01 04 00 91 9A F8 3E|"; content:".aspack"; rev:1;)

Note that PE+timestamp is not reliable on every windows binary, since
compilers are not required to set that field, and some use that field to
store other non-timestamp data.

And of course, this will only catch non-encoded network transfers, such
as when it spreads via netbios. It will obviously not trigger on the mime-
encoded emails which are the main avenue of propagation.


Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation

This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php 
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net 

More information about the Snort-sigs mailing list