[Snort-sigs] Rule documentation for SID 5323

A. J. Wright ajw at ...3223...
Tue May 16 04:19:22 EDT 2006


I had a couple of false positives regarding this rule, which I found undocumented.

According to "http://www.snort.org/snort-db/help.html" I'm supposed to send the information to this list.

Thanks,
--aj

A. J. Wright -- <ajw at ...3223...>
Senior Security Analyst, Information Security Office
University of Tennessee, Knoxville

--SNIP--

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule: VIRUS Possible Sober virus set three NTP time check attempt

--
Sid: 1:5323

--
Summary: This rule fires when TCP traffic is initiated from $HOME_NET to a list of NTP servers known to be used by the Sober virus series.

--
Impact: This event suggests that the source system is infected with a version of the Sober virus.

--
Detailed Information: Several versions of the Sober e-mail worm monitor a fixed list of NTP servers to determine when to download and execute a file from a controlling web server.

This rule fires when Snort sees traffic on port 37/tcp (the port commonly associated with the "time" protocol) to one of the following IP addresses:

198.72.72.10 200.254.135.2 208.14.208.19 209.87.233.53 213.239.201.102 216.193.203.2 69.25.96.13

As of May 2006, these resolve to the following names:

10.72.72.198.in-addr.arpa domain name pointer ns1.usg.edu.

2.135.254.200.in-addr.arpa is an alias for 2.0-63.135.254.200.in-addr.arpa.
2.0-63.135.254.200.in-addr.arpa domain name pointer garfield.massayonet.com.br.

19.208.14.208.in-addr.arpa domain name pointer verge.greyware.com.

53.233.87.209.in-addr.arpa domain name pointer time1.chu.nrc.ca.

102.201.239.213.in-addr.arpa domain name pointer hendrek.colo.frell.eu.org.

2.203.193.216.in-addr.arpa domain name pointer valinor.theunixman.com.

13.96.25.69.in-addr.arpa domain name pointer nist1.symmetricom.com.
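The header match described above, re-implemented over a few constructed flow records as an added example (this is not Snort code and not part of the original submission). It assumes a $HOME_NET of 10.0.0.0/8 and a simple "<ts> <proto> <src>:<sport> -> <dst>:<dport>" log format, both invented for the example; the destination list and port are the ones given in the rule text.

```python
import ipaddress
from typing import Dict, List

# Added example, not Snort code: the seven destinations listed in the rule text.
SOBER_NTP_SERVERS = {
    "198.72.72.10", "200.254.135.2", "208.14.208.19", "209.87.233.53",
    "213.239.201.102", "216.193.203.2", "69.25.96.13",
}
TIME_PORT = 37  # RFC 868 "time" service, not NTP on 123/udp
# Assumed $HOME_NET for this example; a real sensor takes it from snort.conf.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

def in_home_net(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def matches_sid_5323(rec: Dict) -> bool:
    """True when a flow satisfies the rule header: TCP from $HOME_NET to a
    listed server on destination port 37. No payload is inspected, which
    is why a legitimate time client to these hosts fires it too."""
    return (rec["proto"] == "tcp"
            and in_home_net(rec["src"])
            and rec["dst"] in SOBER_NTP_SERVERS
            and rec["dport"] == TIME_PORT)

def parse_conn_line(line: str) -> Dict:
    """Parse a constructed flow line: '<ts> <proto> <src>:<sport> -> <dst>:<dport>'."""
    ts, proto, src, _, dst = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src": s_ip, "sport": int(s_port),
            "dst": d_ip, "dport": int(d_port)}

def alerts(lines: List[str]) -> List[str]:
    """Source addresses that would raise SID 1:5323, one per matching flow."""
    return [r["src"] for r in map(parse_conn_line, lines) if matches_sid_5323(r)]

# Constructed sample flows, not captured traffic.
SAMPLE_LOG = [
    "1147760362 tcp 10.1.2.3:49152 -> 209.87.233.53:37",   # fires
    "1147760363 udp 10.1.2.3:49153 -> 209.87.233.53:123",  # real NTP: no match
    "1147760364 tcp 10.1.2.4:49154 -> 198.72.72.10:80",    # wrong port: no match
    "1147760365 tcp 192.0.2.9:49155 -> 69.25.96.13:37",    # not $HOME_NET: no match
    "1147760366 tcp 10.9.9.9:49156 -> 208.14.208.19:37",   # fires (maybe a false positive)
]

if __name__ == "__main__":
    for src in alerts(SAMPLE_LOG):
        print(f"SID 1:5323 would fire for {src}")
```

The second hit is the false-positive case the False Positives section below describes: a host legitimately using the 37/tcp time service against one of these servers is indistinguishable from an infected one at the header level.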

--
Affected Systems: This email worm affects systems running the Microsoft Windows family of operating systems.

--
Attack Scenarios: This virus is spread by self-generated email messages containing a UPX-packed Visual Basic Script. This is primarily a social engineering attack as the software must be executed by the user.

--
Ease of Attack: Simple

--
False Positives: This alert is triggered if any system contacts the aforementioned systems on 37/tcp.

--
False Negatives: Some Sober viruses may contact a different set of NTP servers or no NTP server at all.

--
Corrective Action: Install up-to-date virus scanning software. Use that to remove the malicious software from the infected system.

--
Contributors: Original rule writer unknown. This rule was added in the December 30, 2005 rule update.
Documented by A. J. Wright <ajw at ...3223...> of the University of Tennessee Information Security Office.

--
Additional References:

In these references, * represents the virus version letter. Due to the number of Sober versions, this is often A-Z or sometimes A-ZZ or longer.

F-Secure: Sober.*
Symantec: W32.Sober.*@mm
McAfee: W32/Sober.*@mm
Trend: WORM_SOBER.*
Google: sober ntp
Wikipedia: Sober (computer worm)
