[Snort-sigs] Here are some Netsky Worm Sigs

Mark.Schutzmann at ...2233...
Mon Mar 1 14:06:03 EST 2004


Is anyone aware of whether these will still work for Netsky.D or are there
any new sigs in development for it? The signatures below worked very well
for me in detecting Netsky.C.

Thanks,
Mark


From: Tom.Mclaughlin at ...1486...
Sent by: snort-sigs-admin at ...551...ceforge.net
To: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Here are some Netsky Worm Sigs
Date: 02/25/2004 05:49 PM

These are from samples of Netsky.C binary and base64 email attachments.

-Tom
8-473-5286

.oooO
(   )  Oooo.
 \ (     (   )
  \_)    ) /
         (_/


From: Chintan Gosalia <chintan_cmpe at ...144...>
To: Tom McLaughlin/CA/KAIPERM at ...1715..., snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Here are some Netsky Worm Sigs
Date: 02/25/2004 02:48 PM

Hi,

Thanks for these signatures. But I am wondering where you found the pattern
match for these signatures. Please let me know. I think these are only for
Netsky.C. If not, can you let me know whether they are for Netsky.B or
Netsky.C?

Thank you for any help in advance.

Chintan

Tom.Mclaughlin at ...1486... wrote:

Here are a bunch of sigs that I found useful for this new worm...
http://vil.nai.com/vil/content/v_101048.htm

SID
1003301 = Catches hosts infected when they try to do a DNS lookup using the servers listed
1003303 = Netsky binary copied across SMB
1003304 = Netsky binary copied across SMB Win2k to Win2k
1003308 = Netsky base64 detached from Lotus Notes server
1003309 = Netsky base64 crossing SMTP
1003310 = Netsky binary downloading from HTTP IMAP server

alert udp any any -> [145.253.2.171,151.189.13.35,193.141.40.42,193.189.244.205,193.193.144.12,193.193.158.10,194.25.2.129,194.25.2.130,194.25.2.131,194.25.2.132,194.25.2.133,194.25.2.134,195.185.185.195,195.20.224.234,212.185.252.136,212.185.252.73,212.185.253.70,212.44.160.8,212.7.128.162,212.7.128.165,213.191.74.19,217.5.97.137,62.155.255.16] 53 (msg:"Netsky DNS lookup"; sid:1003301; rev:2;)

alert tcp any any -> any 139 (msg:"Netsky message.zip HEX port 139"; content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; sid:1003303;)

alert tcp any any -> any 445 (msg:"Netsky message.zip HEX port 445"; content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; sid:1003304;)

alert tcp any 1352 -> any any (msg:"Netsky base64 port 1352"; content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; sid:1003308;)

alert tcp any 25 -> any any (msg:"Netsky base64 port 25"; content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; sid:1003309;)

alert tcp any 80 -> any any (msg:"Netsky message.zip HEX port 80"; content:"|09 0D 00 0D 01 01 0D 0D 09 09 0D 44 0D 71 6D 00 6D 69 69 6D 6D 61 61 6D 00 6D 69 53 53 53 4B|"; sid:1003310;)

-Tom
8-473-5286

.oooO
(   )  Oooo.
 \ (     (   )
  \_)    ) /
         (_/


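The posted rules are plain Snort content matches: text between | pipes | is a run of hex bytes and anything outside the pipes is a literal string. Decoding the bytes in sids 1003303/1003304 shows what they key on: 2E 70 65 74 69 74 65 is ".petite", the section name written by the Petite executable packer, so those rules are looking at a PE section header of the packed worm binary as it crosses SMB. Sids 1003308/1003309 instead look for a fixed 48-character slice of the base64-encoded attachment, which only fires when the sending mailer encodes the attachment at the same 3-byte alignment as the sample the slice was cut from. The Python below is an added example, not code from this thread or from the Snort project: it parses the content strings out of the posted rules, scans constructed sample buffers for them, and demonstrates the alignment caveat. The rule strings are copied from Tom's post with the archive's line wrapping undone; the sample payloads and all function names are mine, and ports, direction and flow are deliberately not evaluated.

```python
"""Minimal Snort content matcher for the Netsky rules posted in this thread.
Added example; not code from the thread or from the Snort project.
It handles only what those rules use: plain and |hex| content strings plus
the msg and sid options.  Ports, direction and flow are not evaluated."""
import base64
import re

# Rules copied from Tom's post, with the mail archive's line wrapping undone.
NETSKY_RULES = [
    'alert tcp any any -> any 139 (msg:"Netsky message.zip HEX port 139"; '
    'content:"|60 00 00 E0 2E 70 65 74 69 74 65 00 00 10 00 00 00 90 01 00 08 05 '
    '00 00 00 5E 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00|"; '
    'sid:1003303;)',
    'alert tcp any 25 -> any any (msg:"Netsky base64 port 25"; '
    'content:"8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz"; sid:1003309;)',
    'alert tcp any 80 -> any any (msg:"Netsky message.zip HEX port 80"; '
    'content:"|09 0D 00 0D 01 01 0D 0D 09 09 0D 44 0D 71 6D 00 6D 69 69 6D 6D 61 '
    '61 6D 00 6D 69 53 53 53 4B|"; sid:1003310;)',
]

# key:"quoted value";  or  key:bare value;
OPTION_RE = re.compile(r'(\w+):(?:"([^"]*)"|([^;]+));')


def parse_content(pattern: str) -> bytes:
    """Turn a Snort content string into the bytes Snort searches for:
    text between | pipes | is hex (whitespace ignored), the rest is literal.
    Escaped pipes (\\|) are not handled; the posted rules do not use them."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:                       # odd segments sit between pipes
            out += bytes.fromhex("".join(part.split()))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(rule: str) -> dict:
    """Split one rule into its header fields and the options used here."""
    head, _, body = rule.strip().partition("(")
    action, proto, src, sport, _, dst, dport = head.split()
    parsed = {"action": action, "proto": proto, "src": src, "sport": sport,
              "dst": dst, "dport": dport, "contents": [], "msg": None, "sid": None}
    for m in OPTION_RE.finditer(body.rstrip().rstrip(")")):
        key, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare.strip()
        if key == "content":
            parsed["contents"].append(parse_content(value))
        elif key == "msg":
            parsed["msg"] = value
        elif key == "sid":
            parsed["sid"] = int(value)
    return parsed


def scan(payload: bytes, rules=NETSKY_RULES) -> list:
    """Return the sids whose every content pattern occurs somewhere in payload.
    Rules without a content option are skipped (they would match on header alone)."""
    hits = []
    for parsed in map(parse_rule, rules):
        if parsed["contents"] and all(p in payload for p in parsed["contents"]):
            hits.append(parsed["sid"])
    return hits


def sample_payloads() -> dict:
    """Constructed sample buffers, not real captures: each embeds one rule's
    pattern in harmless filler, plus a clean SMTP buffer that matches nothing."""
    by_sid = {r["sid"]: r for r in map(parse_rule, NETSKY_RULES)}
    return {
        "smb": b"\x00" * 32 + by_sid[1003303]["contents"][0] + b"\x00" * 32,
        "smtp": (b"Content-Transfer-Encoding: base64\r\n\r\nTVqQ"
                 + by_sid[1003309]["contents"][0] + b"\r\n"),
        "http": b"HTTP/1.0 200 OK\r\n\r\n" + by_sid[1003310]["contents"][0],
        "clean": b"HELO mail.example.test\r\nMAIL FROM:<user@example.test>\r\n",
    }


def base64_alignment_check(pattern: str = "8FI0MxBcdcOwU0QzEFL0MwBXBDMQWsS2wFIkMxBcdcOgUqQz") -> dict:
    """Why a fixed base64 substring is fragile: decode the posted string,
    re-encode the same bytes behind a one-byte prefix (a different 3-byte
    alignment), and the text the rule looks for no longer appears."""
    raw = base64.b64decode(pattern)
    same_alignment = base64.b64encode(raw).decode("ascii")
    shifted = base64.b64encode(b"\x00" + raw).decode("ascii")
    return {
        "raw_len": len(raw),
        "hit_same_alignment": pattern in same_alignment,
        "hit_shifted": pattern in shifted,
    }


if __name__ == "__main__":
    for name, buf in sample_payloads().items():
        print(f"{name:5s} -> {scan(buf)}")
    print(base64_alignment_check())
```

Running the file prints one hit per constructed buffer and none for the clean one, then a dictionary showing that the 36 decoded bytes re-encode to the posted string at the original alignment but not after a one-byte shift. In practice that means a base64 content rule is only as good as the encoder alignment of the sample it was built from; the hex rules on ports 139/445/80 do not have that problem because they match the raw binary.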