[Snort-sigs] Kibuv.Worm signature anyone?

Matthew Watchinski mwatchinski at ...435...
Tue May 25 13:26:15 EDT 2004


The simple answer is yes and no :)

Currently the snort rule set detects the exploitation of the vulnerabilities
these worms travel by.  This means that when you are under attack by Sasser, or by
some script kiddie running one of the 20 public LSASS exploits, you get the same
alert.  This is by design: when you create a snort rule you want to make sure you
catch the exploitation of the vulnerability, not just a single script that
exploits the vulnerability.

There are some things you can do if you want to locate infected systems and/or
specific worms.

1. Set your snort.conf variables correctly for what you want to find.  Most
snort rules are structured from the perspective that you want to see attackers
trying to come in from the outside. Worm traffic usually comes from hosts on your
internal network attacking outwards.

2. Write new rules specific to the worm you want to catch.  Blaster, Sasser, and
Kibuv may have very odd or detectable attributes outside the actual exploit they
use (or they might not).  This is usually not a good idea, as anyone trying to
exploit a vulnerability should be a policy violation whether or not they are
infected.  They could just be exploiting hosts for fun and profit.

Mileage may vary with all of the above suggestions; use the ones that fit your
network environment and the job you want to do.

Hope that helps.

Cheers,
-matt
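As an added example (not part of Matt's reply or of the Snort distribution), here is a small Python triage script applying point 1 above: it reads Snort fast-format alert lines, keeps only those whose source sits inside HOME_NET, and flags internal hosts that trigger several distinct exploit vectors, which is how a multi-vector worm such as Kibuv looks different from a single outside attacker. The HOME_NET value and the alert lines are constructed; only sid 1384 comes from the thread, the 1000xxx sids are placeholders for local.rules entries.

```python
import re
import ipaddress
from collections import defaultdict

# Assumption: HOME_NET as you would set it in snort.conf; adjust to your site.
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed sample alerts in Snort "fast" alert format. Only sid 1384 (UPnP
# NOTIFY) is from the thread; the 1000xxx sids are local.rules placeholders.
SAMPLE_ALERTS = """\
05/25-13:01:02.000001  [**] [1:1000001:1] LOCAL LSASS exploit attempt [**] [Priority: 1] {TCP} 192.168.1.10:1033 -> 10.20.30.40:445
05/25-13:01:03.000002  [**] [1:1000002:1] LOCAL RPC DCOM exploit attempt [**] [Priority: 1] {TCP} 192.168.1.10:1034 -> 10.20.30.41:135
05/25-13:01:04.000003  [**] [1:1384:5] LOCAL UPnP NOTIFY on 5000 [**] [Priority: 2] {TCP} 192.168.1.10:1035 -> 10.20.30.42:5000
05/25-13:01:05.000004  [**] [1:1000001:1] LOCAL LSASS exploit attempt [**] [Priority: 1] {TCP} 203.0.113.7:4444 -> 192.168.1.20:445
05/25-13:01:06.000005  [**] [1:1000001:1] LOCAL LSASS exploit attempt [**] [Priority: 1] {TCP} 192.168.1.30:1036 -> 10.20.30.43:445
"""

# Pulls sid, message, protocol, source IP, destination IP and port from one line.
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def in_home_net(ip):
    """True if the address falls in any HOME_NET range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def triage(alert_text, min_vectors=2):
    """Map each internal source that fired >= min_vectors distinct (sid, dport)
    combinations to the sorted list of those combinations."""
    vectors = defaultdict(set)
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        if not in_home_net(m["src"]):
            continue  # inbound attempt: a policy violation, but not an infected local host
        vectors[m["src"]].add((int(m["sid"]), int(m["dport"])))
    return {src: sorted(v) for src, v in vectors.items() if len(v) >= min_vectors}
```

Feed it your own alert file and lower min_vectors to 1 if you also want single-vector internal sources listed.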

Tony Bunce wrote:
> We use snort as part of an automated system to deactivate infected user
> accounts so we need to tell the difference between Blaster, Sasser, and
> Kibuv.
>
> Is there any way to do this?
>
> Thank you,
> Tony Bunce, CCNA, Network+
> Systems Administration
> GO Concepts, Inc.
> www.go-concepts.com
> www.sitesbygo.com
> On GO yet?
> 513-934-2800
> 1-888-ON-GO-YET
>
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Nigel
> Houghton
> Sent: Tuesday, May 25, 2004 11:15 AM
> To: Sumeet SINGH
> Cc: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Kibuv.Worm signature anyone?
>
> On  0, Sumeet SINGH <susingh at ...2510...> allegedly wrote:
>
>>hi
>>
>>does anyone have a signature for Kibuv?
>>
>>
>
> http://securityresponse.symantec.com/avcenter/venc/data/w32.kibuv.worm.html
>
> Kibuv uses multiple attack vectors to infect hosts, namely vulnerabilities
> in LSASS, Messenger Service, RPC DCOM and WebDav.
>
> Rules already exist to detect possible attempts to leverage attacks
> against these services.
>
> The worm may also try to exploit the UPnP vulnerability, although it
> tries on port 5000, not 1900. The Snort rules for UPnP specify port 1900;
> you could use those and change the port for your local.rules file. I
> believe the rule in question for Kibuv would be sid 1384, which detects
> attempts to exploit UPnP using "NOTIFY".
>
> If you suspect you might have an infected host, try connecting to the
> services started by Kibuv on that host.
>
>
>>regards
>>-- sumeet
>
>
> -------------------------------------------------------------
> Nigel Houghton       Research Engineer        Sourcefire Inc.
>                  Vulnerability Research Team
>
> In an emergency situation involving two or more officers of equal rank,
> seniority will be granted to whichever officer can program a vcr.
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
