[Snort-sigs] sig for korgo worm

Lin Zhong Lin.Zhong at ...2386...
Fri Jun 4 12:43:10 EDT 2004


I am trying to develop a sig for Korgo.

# LSASS rules from snortrules-snapshot-CURRENT June 4

alert_nolog tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; flowbits:noalert; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2512; rev:4;)
alert_nolog tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:noalert; flowbits:set,netbios.lsass.bind.attempt; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2526; rev:3;)
alert_nolog tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2513; rev:5;)
alert_nolog tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:5;)

# detect traffic on the known ports Korgo uses: 445, 113, 6667, 3067, 2041

alert_nolog tcp any any -> any 113 (msg:"Korgo open IDENT server"; classtype:misc-activity; reference:url,www.f-secure.com/v-descs/korgo.shtml; sid:1000007; rev:1;)
alert_nolog tcp any any -> any 445 (msg:"Korgo contact remote computer"; classtype:misc-activity; reference:url,www.f-secure.com/v-descs/korgo.shtml; sid:1000008; rev:1;)
alert_nolog tcp any any -> any 6667 (msg:"Korgo contact IRC Server"; classtype:misc-activity; reference:url,www.f-secure.com/v-descs/korgo.shtml; sid:1000009; rev:1;)
alert_nolog tcp any any -> any 3067 (msg:"Korgo receive command from port 3067"; classtype:misc-activity; reference:url,www.f-secure.com/v-descs/korgo.shtml; sid:1000010; rev:1;)
alert_nolog tcp any any -> any 2041 (msg:"Korgo receive command from port 2041"; classtype:misc-activity; reference:url,www.f-secure.com/v-descs/korgo.shtml; sid:1000011; rev:1;)

Korgo also used other random TCP ports, but it is hard to predict what port it uses.

Any comments?

--
Lin
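The two kinds of rules in the post differ in what they actually select on: the LSASS rules from the snapshot pin the DCERPC bind to a 16-byte interface UUID, while the Korgo rules match on a destination port alone. The following Python helper is an added example for this thread, not code from the post or from the Snort project. It parses classic Snort 2 rule lines, decodes the `|hex|` content notation, recovers the interface UUID the bind rule matches (3919286a-b10c-11d0-9ba8-00c04fd92ef5, the DSSETUP interface that DsRolerUpgradeDownlevelServer belongs to), and flags rules that have no payload or flow options, which is exactly why the port rules will fire on every SMB, IRC or IDENT session. The two sample rules are quoted from the post with their reference options dropped; the `Rule`, `lint` and `bind_interface_uuid` names are this example's own.

```python
"""Snort rule helper (added example for this thread, not the post's or Snort's
code): parse Snort 2 rules, decode |hex| content, and lint for selectivity."""
import re
import uuid
from dataclasses import dataclass, field

# header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

# options that inspect payload; a rule with none of them is header-only
PAYLOAD_OPTS = {"content", "uricontent", "pcre", "byte_test", "byte_jump", "isdataat"}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # (name, value) in rule order

    def values(self, name):
        return [v for n, v in self.options if n == name]

    @property
    def sid(self):
        v = self.values("sid")
        return int(v[0]) if v else None


def split_options(body):
    """Split the option body on ';' characters that sit outside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in body:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    opts = []
    for part in parts:
        part = part.strip()
        if part:                        # bare keywords like 'nocase' get value ''
            name, _, value = part.partition(":")
            opts.append((name.strip(), value.strip()))
    return opts


def parse_rule(line):
    """Parse one rule line into a Rule; raises ValueError on a malformed header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule header: %r" % line[:60])
    *header, body = m.groups()
    return Rule(*header, split_options(body))


def content_bytes(value):
    """Decode a content string: literal characters outside |..|, hex bytes inside."""
    out = bytearray()
    for i, seg in enumerate(value.strip().strip('"').split("|")):
        if i % 2:                       # odd segments are between pipes
            out.extend(int(h, 16) for h in seg.split())
        else:
            out.extend(seg.encode("latin-1"))
    return bytes(out)


def bind_interface_uuid(rule):
    """Return the DCERPC interface UUID a bind rule matches.  The 16-byte content
    is the interface GUID in its wire layout (first three fields little-endian)."""
    for value in rule.values("content"):
        raw = content_bytes(value)
        if len(raw) == 16:
            return str(uuid.UUID(bytes_le=raw))
    return None


def lint(rule):
    """Return findings about a rule's selectivity (empty list means none)."""
    names = {n for n, _ in rule.options}
    findings = []
    if not names & PAYLOAD_OPTS:
        findings.append("port-only: fires on every %s session to port %s"
                        % (rule.proto, rule.dport))
    if rule.proto == "tcp" and "flow" not in names:
        findings.append("no flow option: unestablished SYNs and scans also match")
    return findings


# Constructed input: one LSASS bind rule and one Korgo port rule quoted from the
# post above, reference options dropped; the action keyword is kept as posted.
LSASS_BIND = ('alert_nolog tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC '
              'LSASS bind attempt"; flow:to_server,established; flowbits:noalert; '
              'content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; '
              'distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; '
              'nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; '
              'distance:1; byte_test:1,&,1,0,relative; '
              'content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; '
              'flowbits:set,netbios.lsass.bind.attempt; sid:2512; rev:4;)')
KORGO_445 = ('alert_nolog tcp any any -> any 445 ( msg:"Korgo contact remote computer"; '
             'classtype: misc-activity; sid:1000008; rev:1;)')

if __name__ == "__main__":
    for line in (LSASS_BIND, KORGO_445):
        r = parse_rule(line)
        print("sid", r.sid, "bind UUID:", bind_interface_uuid(r), "lint:", lint(r))
```

Run against the post's rules, the bind rule comes back clean and the port rule gets two findings. Adding a `flow:to_server,established;` and a payload match (or at least restricting `any any -> any` to `$HOME_NET`) would narrow the Korgo rules to something that can stay enabled on a busy segment.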
