[Snort-sigs] Here are some Netsky Worm Sigs

Tom.Mclaughlin at ...1486...
Mon Mar 1 09:42:08 EST 2004


I believe these rules are specific enough to not generate many false 
positives. In fact, if you generate alerts from these signatures, then you 
are most likely looking at infected traffic. Some of the rules might 
generate false positives when the rules themselves are emailed, but that 
should be about it.

The source port is specified to help _reduce_ the chance of false 
positives and also to reduce the load of checking ports that aren't 
relevant.


-Tom

.oooO
 (   )  Oooo. 
  \ (     (   ) 
   \_)    ) /
          (_/





Chintan Gosalia <chintan_cmpe at ...144...>
02/27/2004 04:30 PM

 
        To:     Tom McLaughlin/CA/KAIPERM at ...1715..., snort-sigs at lists.sourceforge.net
        cc: 
        Subject:        Re: [Snort-sigs] Here are some Netsky Worm Sigs


Hi,
 
A quick question. Why do signatures 308, 309 and 310 have a source port 
number defined? Won't this generate a lot of false positives? Can you let 
me know why you have kept them as source port numbers?
 
Thanks.
Chintan

Tom.Mclaughlin at ...1486... wrote:

These are from samples of Netsky.C binary and base64 email attachments. 

-Tom
8-473-5286





Chintan Gosalia <chintan_cmpe at ...144...>
02/25/2004 02:48 PM

        To:     Tom McLaughlin/CA/KAIPERM at ...1715..., snort-sigs at lists.sourceforge.net
        cc:
        Subject:        Re: [Snort-sigs] Here are some Netsky Worm Sigs



Hi, 
 
Thanks for these signatures. But I am wondering where you found the 
pattern matches for these signatures. Please let me know. I think these are 
only for Netsky.C. If not, can you let me know whether they are for Netsky.B 
or Netsky.C? 
  
Thank you for any help in advance. 
 
Chintan

Tom.Mclaughlin at ...1486... wrote: 

Here are a bunch of sigs that I found useful for this new worm... http://vil.nai.com/vil/content/v_101048.htm 

SID 
1003301 = Catches hosts infected when they try to do a DNS lookup using 
the servers listed 
1003303 = Netsky binary copied across smb 
1003304 = Netsky binary copied across smb Win2k to Win2k 
1003308 = Netsky base64 detached from Lotus Notes server 
1003309 = Netsky base64 crossing SMTP 
1003310 = Netsky binary downloading from HTTP IMAP server 

# 1003301: infected hosts doing DNS lookups against the name servers hard-coded in the worm
alert udp any any -> [145.253.2.171,151.189.13.35,193.141.40.42,193.189.244.205,193.193.144.12,193.193.158.10,194.25.2.129,194.25.2.130,194.25.2.131,194.25.2.132,194.25.2.133,194.25.2.134,195.185.185.195,195.20.224.234,212.185.252.136,212.185.252.73,212.185.253.70,212.44.160.8,212.7.128.162,212.7.128.165,213.191.74.19,217.5.97.137,62.155.255.16] 53 (msg:"Netsky DNS lookup"; sid:1003301; rev:2;)
# 1003303 / 1003304: the binary copied over SMB (ports 139 and 445); the run |2E 70 65 74 69 74 65| is the ASCII string ".petite"
alert tcp any any -> any 139 (msg:"Netsky message.zip HEX port 139"; content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; sid:1003303;)
alert tcp any any -> any 445 (msg:"Netsky message.zip HEX port 445"; content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; sid:1003304;)
# 1003308 / 1003309: the base64-encoded attachment leaving a Lotus Notes server (source port 1352) or crossing SMTP (source port 25)
alert tcp any 1352 -> any any (msg:"Netsky base64 port 1352"; content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; sid:1003308;)
alert tcp any 25 -> any any (msg:"Netsky base64 port 25"; content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; sid:1003309;)
# 1003310: the binary downloaded over HTTP (source port 80)
alert tcp any 80 -> any any (msg:"Netsky message.zip HEX port 80"; content:"|09 0D 00 0D 01 01 0D 0D 09 09 0D 44 0D 71 6D 00 6D 69 69 6D 6D 61 61 6D 00 6D 69 53 53 53 4B|"; sid:1003310;)

-Tom
8-473-5286

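An added example (my code, not Tom's rules or anything from the list) showing how a base64 content string like the one in SIDs 1003308 and 1003309 is derived from a run of bytes in a binary sample, why it depends on the attachment's byte alignment (offset mod 3), and why a raw byte match can miss it across a 76-column MIME line wrap. The 36 sample bytes are constructed, not taken from any worm.

```python
import base64

def base64_patterns(sample):
    """Return the base64 text that encodes `sample` at each of the three byte
    alignments (offset mod 3) it may have inside a base64 MIME attachment."""
    patterns = []
    for shift in range(3):
        padded = bytes(shift) + sample          # dummy leading bytes set the alignment
        enc = base64.b64encode(padded).decode("ascii")
        first = 4 if shift else 0                # drop the group holding dummy bytes
        last = 4 * ((shift + len(sample)) // 3)  # drop the trailing partial group
        patterns.append(enc[first:last])
    return patterns

def mime_body_matches(body, patterns):
    """MIME wraps base64 at 76 columns, so join the lines before searching; a raw
    byte match (as a Snort 'content' does) misses a pattern that straddles a wrap."""
    stream = "".join(body.split())
    return any(p in stream for p in patterns)

# Constructed stand-in for 36 bytes lifted from a sample binary (not worm bytes).
SAMPLE = bytes(range(0x41, 0x41 + 36))
PATTERNS = base64_patterns(SAMPLE)

def demo():
    """Embed SAMPLE at offsets 0, 1 and 2 in constructed attachments: every
    alignment must be caught, and a benign attachment must not be."""
    for offset in range(3):
        attachment = b"\x7f" * offset + SAMPLE + b"\x00" * 50
        body = base64.encodebytes(attachment).decode("ascii")   # 76-column wrapped
        if not mime_body_matches(body, PATTERNS):
            return False
    benign = base64.encodebytes(b"hello snort-sigs " * 10).decode("ascii")
    return not mime_body_matches(benign, PATTERNS)

def wrap_straddle_example():
    """Place SAMPLE so its base64 crosses the 76-column break (45 leading bytes
    put it at column 60): raw search fails, unwrapped search succeeds."""
    attachment = b"\x00" * 45 + SAMPLE
    body = base64.encodebytes(attachment).decode("ascii")
    return PATTERNS[0] in body, mime_body_matches(body, PATTERNS)

if __name__ == "__main__":
    print(PATTERNS)
    print("all alignments caught:", demo())
    print("raw vs unwrapped across a line break:", wrap_straddle_example())
```

A single 48-character pattern like the one in the posted rules covers only one of the three alignments; shipping all three, and keeping each short enough to fit inside one wrapped line, is what makes the match reliable.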
