[Snort-sigs] Kibuv.Worm signature anyone?

Tony Bunce tonyb at ...2512...
Wed May 26 21:28:05 EDT 2004

Well let me explain the process and then everyone will understand why we
need to know why we need to know what virus it is.

The way our system works is that once ids detects an infected user it
looks up the username via ip then marks the user as infected in our sql
table along with the time and virus.  The next time the user connects
the radius server know the user is infected based and they get a special
ip and dns server address.  The dns server returns the ip of one of our
webservers no matter what domain is queried.  Then the webserver finds
the username and virus based on the ip and sql table.  The web server
then gives the user instructions on how to remove the virus and download
the windows patch.  After that the user can mark themselves as clean and
dial up as normal.

Soooo.... that is why I need to know which virus the user is infected
with.  The point of the system is to eliminate tech support interaction
with such a large number of infected users.

I will try the sigs that were posted here on the list (thanks!!) and try
to go from there.  

Does anyone know where I can download or look at some packet dumps of
the viruses?

Thanks for all the help.

Thank you,
Tony Bunce, CCNA, Network+
Systems Administration
GO Concepts, Inc.
On GO yet?
Thank you for choosing GO Concepts as your Internet Services Partner!
You truly are what makes us GO!  Your input is important to us, so if we
have been helpful or if you feel we could have done a better job, please
let us know by emailing your praise, complaint, or suggestions to
directors at ...2513...

-----Original Message-----
From: bdh at ...2516... [mailto:bdh at ...2516...] On
Behalf Of Brian Howard
Sent: Wednesday, May 26, 2004 12:56 AM
To: Tony Bunce
Subject: Re: [Snort-sigs] Kibuv.Worm signature anyone?

You might consider a goal based process.  First, identify your goal.
it is to accurately report from the automated process to the techy who
to go clean the box, then by all means your automated system has to be
to identify, or does it?   Or, is your goal to automatically disconnect
suspicious users before their infection, whatever it is, infects other
users and the problem multiplies?   I would suggest the goal is the
and thus all your automated system needs to return is " looks like a
and it is up to the techy who remedies the situation to determine what
manner of duck or if indeed there even was a duck.

Personally, I have yet to actually see kibuv trigger (knock on wood),
although I have written a suite of rules to alert based on the
However, it does look like it would be quite different from
although  I also think that it would trigger sasser rules.   In my
experience, the generic NOOP rules seem to trigger hard on sasser before
anything else.

IMHO, all your system really needs to do is report "this looks bad".
nice if it can give a clue as to why, but the goal of the exercise is to
track down and kill everything that looks like a duck, we are not
birdwatchers that collect exact IDs.
Let those responsible for cleanup run current anti-virus sigs on the box
determine exactly what it was after it has been pulled off the network.
I also believe that any system should have a high percentage of "false
positives" built in, that is why I tend to dislike automated systems and
prefer the judgement of a person be involved in the process.

Just a little different view.  And I must admit based on a 24/7 'war
with a large budget.  You may not be able to afford the luxury of
such a wide net, but I do think the idea  valid on the small scale.

Tony Bunce wrote:

> We use snort as part of an automated system to deactive infected user
> accounts so we need to tell the difference between Blaster, Sasser,
> Kibuv.
> Is there anyway to do this?
> Thank you,
> Tony Bunce, CCNA, Network+
> Systems Administration
> GO Concepts, Inc.
> www.go-concepts.com
> www.sitesbygo.com
> On GO yet?
> 513-934-2800
> 1-888-ON-GO-YET

More information about the Snort-sigs mailing list