[Snort-sigs] Anyone having Netsky.b Signatures??
nick at ...2287...
Fri Feb 27 16:35:01 EST 2004
Here's the simple process I've been using for email worms/viruses. I'm
almost embarrassed to post it publicly, but it might be helpful, and I
know at least one person will tell me what I could do to improve.
- Run strings on the decoded viral attachment (zip, pif, etc). Find
something that looks unique. I've been using HELO, which isn't the best
idea if you're only looking for a specific virus. However, once you
include some binary data, it should (*should*) be unique to the virus.
- Base64 encode the string. I use the following command:
echo HELO | base64 -e
Because of the way base64 encoding works, the exact offset within the
file changes how "HELO" appears in base64. I'm not sure how to explain
this well. Read the base64 man pages, or try encoding "HELO" "1HELO"
"22HELO" "333HELO" to see what's going on.
- Some portion of one of the three base64-encoded HELO strings will appear
in the virus payload. Grep for it. You might have to play around. Once
you find this portion of the email, grab x characters to each side of
the HELO string and use that for the signature.
Andrews Carl 448 wrote:
> Hi. I have several copies of the virus, but no idea how to make a
>signature based on the file(s). Do you know? I am using a linux server and
>have attempted to use hexdump to match existing rules for known viruses, but
>so far have been less than successful.
>From: Nick Hatch [mailto:nick at ...2287...]
>Sent: Friday, February 27, 2004 1:45 PM
>To: snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] Anyone having Netsky.b Signatures??
>Here is the rule we're using, it appears to be working well. It only
>detects the Base64 encoded payload, so it's not comprehensive; however,
>it's a start.
>alert tcp any any -> any 25 (msg:"Virus - Netsky.b - Outgoing Mail";
>content:"QDHSEVMT9POPT7DTBNcs"; sid:1008000; rev:2;)
>Chintan Gosalia wrote:
>>Does anyone have netsky.b signature or payload for it??
>>Any help is appreciated.
ResTek, Residential Technology Services
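A worked version of the three-step process above (pick a marker string, work out its three base64 spellings, grep the mail body and grab context), as an added example in Python. This is not code from the original post or from anyone in the thread. The "attachment" bytes are constructed here to stand in for a decoded worm sample, and the function and rule names (base64_phases, find_marker, snort_rule, the sid) are assumptions for illustration. The offset-0 spelling it derives for HELO, SEVMT, is visible inside the content string of the rule quoted further down the thread.

```python
"""Derive a Snort content match for a base64-encoded mail attachment.

Added example, not code from the original post.  The attachment bytes
below are constructed; nothing here comes from a real sample.
"""
import base64


def base64_phases(marker: bytes) -> list[str]:
    """Return the three base64 spellings of `marker`.

    Base64 turns 3 bytes into 4 characters, so how a byte string encodes
    depends on its offset modulo 3 in the file.  For each alignment,
    keep only the characters whose 6 bits all come from `marker`;
    characters that also depend on neighbouring bytes are dropped
    because they change from file to file.  (A marker of one or two
    bytes can leave a phase empty; use a longer marker.)
    """
    phases = []
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + marker).decode("ascii")
        first = (8 * shift + 5) // 6               # first char fully inside marker
        last = (8 * (shift + len(marker))) // 6    # one past the last such char
        phases.append(enc[first:last])
    return phases


def find_marker(body: str, marker: bytes, context: int = 8):
    """Locate the encoded marker in a line-wrapped MIME body.

    Each line is searched separately: a Snort content match is a literal
    byte sequence, so a string that straddles the CRLF between two
    76-column base64 lines never matches on the wire.  Returns
    (shift, content) with the hit plus up to `context` characters on
    each side, clipped to its line, or None if no phase sits intact on
    a single line.
    """
    phases = base64_phases(marker)
    for line in body.splitlines():
        for shift, phase in enumerate(phases):
            if not phase:
                continue
            pos = line.find(phase)
            if pos == -1:
                continue
            start = max(0, pos - context)
            end = min(len(line), pos + len(phase) + context)
            return shift, line[start:end]
    return None


def snort_rule(content: str, sid: int, msg: str, rev: int = 1) -> str:
    """Render the match as a Snort rule on outbound SMTP.

    The base64 alphabet (A-Z a-z 0-9 + / =) needs no escaping inside a
    Snort content string; refuse anything that would.
    """
    if any(c in content for c in '";|\\'):
        raise ValueError("content needs Snort escaping: %r" % content)
    return (f'alert tcp any any -> any 25 (msg:"{msg}"; '
            f'content:"{content}"; sid:{sid}; rev:{rev};)')


# Constructed stand-in for a decoded worm attachment: a fake PE header
# followed by the SMTP strings such a worm carries.  Not a real sample.
ATTACHMENT = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\x00"
    b"HELO localhost\r\nMAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nDATA\r\n"
)
# What the mail client puts on the wire: base64 wrapped at 76 columns.
MAIL_BODY = base64.encodebytes(ATTACHMENT).decode("ascii")


if __name__ == "__main__":
    print("phases of HELO:", base64_phases(b"HELO"))
    hit = find_marker(MAIL_BODY, b"HELO")
    print("HELO at file offset %d (mod 3 = %d) -> shift %d, match %r"
          % (ATTACHMENT.index(b"HELO"), ATTACHMENT.index(b"HELO") % 3,
             hit[0], hit[1]))
    # Hypothetical sid in the local range; pick your own.
    print(snort_rule(hit[1], sid=1000001,
                     msg="Virus - example worm - Outgoing Mail"))
```

Two things the bare grep does not tell you: only one of the three phases can ever match a given file, so a rule built from one sample misses a variant in which the marker sits at a different alignment (write a rule per phase, or pick the context from a longer stretch of fixed bytes), and the context grabbed on each side must come from the same base64 line, otherwise the line wrap breaks the literal match on the wire.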