[Snort-sigs] Anyone having Netsky.b Signatures??

Nick Hatch nick at ...2287...
Fri Feb 27 16:35:01 EST 2004


Here's the simple process I've been using for email worms/viruses. I'm 
almost embarrassed to post it publicly, but it might be helpful, and I 
know at least one person will tell me what I could do to improve.

- Run strings on the decoded viral attachment (zip, pif, etc). Find 
something that looks unique. I've been using HELO, which isn't the best 
idea if you're only looking for a specific virus. However, once you 
include some binary data, it should (*should*) be unique to the virus.

- Base64 encode the string. I use the following command:
 echo HELO | base64 -e

Because of the way base64 encoding works, the exact offset within the 
file changes how "HELO" appears in base64. I'm not sure how to explain 
this well. Read the base64 man pages, or try encoding "HELO" "1HELO" 
"22HELO" "333HELO" to see whats goings on.

-Some portion of one of the three base64 encoded HELO string will appear 
in the virus payload. Grep for it. You might have to play around. Once 
you find this portion of the email, grab x characters to each side of 
the HELO string and use that for the signature.

Feedback anyone?

-Nick

Andrews Carl 448 wrote:

>Nick,
>	Hi. I have several copies of the virus, but no idea how to make a
>signature based on the file(s). Do you know? I am using a linux server and
>have attempted to use hexdump to match existing rules for known virused, but
>so far have been less than successful.
>
>Thanks,
>Carl
>
>-----Original Message-----
>From: Nick Hatch [mailto:nick at ...2287...]
>Sent: Friday, February 27, 2004 1:45 PM
>To: snort-sigs at lists.sourceforge.net
>Subject: Re: [Snort-sigs] Anyone having Netsky.b Signatures??
>
>
>Here is the rule we're using, it appears to be working well. It only 
>detects the Base64 encoded payload, so it's not comprehensive; however, 
>it's a start.
>
>alert tcp any any -> any 25 (msg:"Virus - Netsky.b - Outgoing Mail"; 
>content:"QDHSEVMT9POPT7DTBNcs"; sid:1008000; rev:2;)
>
>-Nick
>
>Chintan Gosalia wrote:
>
>  
>
>>Hi,
>> 
>>Does anyone have netsky.b signature or payload for it??
>> 
>>Any help is appreciated.
>>    
>>
-- 
ResTek, Residential Technology Services
http://restek.wwu.edu, x2946





More information about the Snort-sigs mailing list