[Snort-sigs] Quickie rule to catch the new price.zip virus going around

Paul Tinsley jackhammer at ...2420...
Tue Aug 10 11:24:11 EDT 2004


I am going to suggest the use of mine over the one you posted using
pcre as there are more name variations out there than you have in the
sig.  Thats why I used "within" to try and catch more randomization in
the file name.  Granted mine will fire on any *price*.zip file (with
no longer than 10 characters before or after price) but there will be
less false negatives.

A better way, IMHO, (NOTE: I haven't tried this) in pcre would be
something like content:"filename=";
pcre:"m/[\w\d\._-]*price[\w\d\._-]*\.zip/"  (I threw in . and - in
case they end up in later versions, right now i am not seeing any with
those characters, mainly one ore more underscores separating numbers
and words.

The other thing you need to be careful with is the fact that this worm
finds email addresses on the box it infects and looks at the MX record
 of the domain it is sending mail to.  If your users don't have many
external contacts most of the attacks will be on internal addresses.
If your MX mail servers live inside of your HOME_NET and you have a
default EXTERNAL_NET (!$HOME_NET,) you won't fire if the worm is using
your servers to send mail.

Another thing that might help reduce false positives, if you are only
looking for infected clients is to make a pass copy of the rule:
pass $SMTP_SERVERS any -> any 25 (rule junk here...)

That way if you have servers relaying between each other they won't
look like infected clients.

Thanks,
       Paul Tinsley


On Mon, 09 Aug 2004 16:57:51 -0500, Matthew Jonkman <matt at ...2436...> wrote:
> We've got a few more on bleedingsnort.com as well, the first was up
> about 3 and a half hours ago. I think my posts on it are still coming to
> the list.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
> Bagle Variant Requesting 2.jpg";
> reference:url,http.isc.sans.org/diary.php?date=2004-08-09; content:"GET
> /2.jpg"; sid:2001061; rev:3;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE
> Bagle Variant Checking In";
> reference:url,vil.nai.com/vil/content/v_127423.htm;
> uricontent:"/spyware.php"; sid:2001064; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS
> Possible Bagle.AQ Worm Outbound"; content:"filename=";
> pcre:"m/(price2|new_price|08_price|newprice|new_price|price_new|price|price_08).zip/";
> nocase; sid:2001065; rev:1;)
> 
> Matt
> 
> 
> 
> Paul Tinsley wrote:
> > Comments welcome, as I said written in a hurry, seems to work in my
> > environment just fine.  If you are sitting somewhere that you can see
> > traffic between mail servers you may need to add a pass rule for the
> > mail servers as a source so they don't show up as infected sources.
> >
> > alert tcp any any -> any 25 (msg:"Price Virus traffic
> > (WORM_Bagle.AC)"; sid:1200035; rev:1;
> > reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AC;
> > content:"filename="; content:"price"; within: 10; content: ".zip";
> > within: 10;)
> >
> > Thanks,
> >           Paul Tinsley
> >
> > 
> > -------------------------------------------------------
> > SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
> > 100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
> > Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
> > http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
>




More information about the Snort-sigs mailing list