[Snort-sigs] New MiMail infection signature

Ken Bell kbell at ...1998...
Mon Nov 3 07:00:11 EST 2003


I get the digest version of snort-sigs, so someone may have already posted
this today...

One of the our in-house systems got a MiMail variant infected email, which
should have been blocked at our borders.


One of the results of MiMail is that it attacks 'www.darkprofits.com' on
port 80. I threw this together to look for that outbound traffic and found
about 100 infected systems with thousands of hits against this on our
network in about 2 minutes:

alert tcp any any -> 80 (msg:"Infected with new MiMail";
classtype:policy-violation; sid:10000003; rev:1;)

We have no business going to this address, especially with thousands of
hits, so it's safe to say that all IPs hitting this system are infected.


Ken Bell

More information about the Snort-sigs mailing list