[Snort-sigs] Quickie rule to catch the new price.zip virus going around

Matthew Jonkman matt at ...2436...
Tue Aug 10 18:19:44 EDT 2004


Paul Tinsley wrote:
> I am going to suggest the use of mine over the one you posted using
> pcre as there are more name variations out there than you have in the
> sig.  Thats why I used "within" to try and catch more randomization in
> the file name.  Granted mine will fire on any *price*.zip file (with
> no longer than 10 characters before or after price) but there will be
> less false negatives.

I'd agree, but I don't see any docs showing that there are any other 
filenames in use for this particular worm. If there were variations your 
way would certainly be better, and definitely more elegant. :)

But I think for this one if the filenames stay in this range they'll be 
reliably caught with this method.

But of course if there is evidence somewhere that there are more 
variations we can change over to your method.

> The other thing you need to be careful with is the fact that this worm
> finds email addresses on the box it infects and looks at the MX record
>  of the domain it is sending mail to.  If your users don't have many
> external contacts most of the attacks will be on internal addresses.
> If your MX mail servers live inside of your HOME_NET and you have a
> default EXTERNAL_NET (!$HOME_NET,) you won't fire if the worm is using
> your servers to send mail.

THat's a good point. Hopefully we'd catch the multiple smtp connections 
for the mail being sent with other rules in effect, but if they're on 
exchange we'd not see that. But the odds of not having a single external 
domain on a box are pretty slim. I think every box would have at least 
microsoft.com, or whatever mail client they're using in there somewhere.

What would be ideal is a packet dump of the actual worm binary that we 
could extract a unique string from and look for that on all ports, but 
that would be a lot of overhead for snort so string match every packet 
on every port.

> 
> Another thing that might help reduce false positives, if you are only
> looking for infected clients is to make a pass copy of the rule:
> pass $SMTP_SERVERS any -> any 25 (rule junk here...)
> 

Very good point. I'll leave that out of the bleeding rules though to 
avoid confusion.

Thanks very much for the ideas. Much appreciated.

Matt




More information about the Snort-sigs mailing list