[Snort-sigs] Rule documentation for SID 5323
A. J. Wright
ajw at ...3223...
Tue May 16 04:19:22 EDT 2006
I had a couple of false positives regarding this rule, which I found
According to "http://www.snort.org/snort-db/help.html" I'm supposed
to send the information to this list.
A. J. Wright -- <ajw at ...3223...>
Senior Security Analyst, Information Security Office
University of Tennessee, Knoxville
# This is a template for submitting snort signature descriptions to
# the snort.org website
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to others' work.
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
Rule: VIRUS Possible Sober virus set three NTP time check attempt
Summary: This rule fires when TCP traffic is initiated from $HOME_NET
to a list of NTP servers known to be used by the Sober virus series.
Impact: This event suggests that the source system is infected with
a version of the Sober virus.
Detailed Information: Several versions of the Sober e-mail worm
monitor a fixed list of NTP servers to determine when to download and
execute a file from a controlling web server.
This rule fires when Snort sees traffic on port 37/tcp (the port
commonly associated with the "time" protocol) to one of the following
184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124
126.96.36.199 188.8.131.52 184.108.40.206
As of May 2006, these resolve to the following names:
10.72.72.198.in-addr.arpa domain name pointer ns1.usg.edu.
220.127.116.11.in-addr.arpa is an alias for 2.0-18.104.22.168.in-
2.0-22.214.171.124.in-addr.arpa domain name pointer
126.96.36.199.in-addr.arpa domain name pointer verge.greyware.com.
188.8.131.52.in-addr.arpa domain name pointer time1.chu.nrc.ca.
184.108.40.206.in-addr.arpa domain name pointer
220.127.116.11.in-addr.arpa domain name pointer valinor.theunixman.com.
18.104.22.168.in-addr.arpa domain name pointer nist1.symmetricom.com.
Affected Systems: This email worm affects systems running the
Microsoft Windows family of operating systems.
Attack Scenarios: This virus is spread by self-generated email
messages containing a UPX-packed Visual Basic Script. This is
primarily a social engineering attack as the software must be
executed by the user.
Ease of Attack: Simple
False Positives: This alert is triggered if any system contacts the
aforementioned systems on 37/tcp.
False Negatives: Some Sober viruses may contact a different set of
NTP servers or no NTP server at all.
Corrective Action: Install up-to-date virus scanning software. Use
that to remove the malicious software from the infected system.
Contributors: Original rule writer unknown. This rule was added in
the December 30, 2005 rule update.
Documented by A. J. Wright <ajw at ...3223...> of the University of
Tennessee Information Security Office.
In these references, * represents the virus version letter. Due to
the number of Sober versions, this is often A-Z or sometimes A-ZZ or
Google: sober ntp
Wikipedia: Sober (computer worm)
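
Added example, not part of the original post or of the Snort rule set: a triage pass over alerts from this rule, following the False Positives note above. It ranks each source by how many distinct listed servers it reached on 37/tcp inside one time window. The server addresses (RFC 5737 documentation ranges), the alert records, the 10-minute window and the three-server threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Placeholder destinations (RFC 5737 documentation addresses) standing in for
# the rule's server list; substitute the addresses from the deployed rule.
RULE_SERVERS = {"192.0.2.10", "192.0.2.20", "198.51.100.5", "203.0.113.7"}

# Constructed alert records: (timestamp, source, destination, dest port).
SAMPLE_ALERTS = [
    ("2006-05-16 04:00:01", "10.1.1.15", "192.0.2.10", 37),
    ("2006-05-16 04:00:03", "10.1.1.15", "192.0.2.20", 37),
    ("2006-05-16 04:00:09", "10.1.1.15", "203.0.113.7", 37),
    ("2006-05-16 04:10:00", "10.1.2.40", "198.51.100.5", 37),
    ("2006-05-16 05:10:00", "10.1.2.40", "198.51.100.5", 37),
    ("2006-05-16 04:20:00", "10.1.3.8", "192.0.2.10", 123),  # not 37/tcp
]


def triage(alerts, window=timedelta(minutes=10), min_servers=3):
    """Map each source to (verdict, max distinct listed servers in one window).

    Assumption: a host walking several servers from the fixed list in a short
    span deserves attention before a host that polls one time server.
    """
    per_source = defaultdict(list)
    for ts, src, dst, dport in alerts:
        # Keep only what the rule describes: port 37 to a listed server.
        if dport == 37 and dst in RULE_SERVERS:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            per_source[src].append((when, dst))

    verdicts = {}
    for src, hits in per_source.items():
        hits.sort()
        best = 0
        # Slide a window starting at each hit and count distinct servers.
        for i, (start, _) in enumerate(hits):
            seen = {dst for when, dst in hits[i:] if when - start <= window}
            best = max(best, len(seen))
        label = "investigate" if best >= min_servers else "low-priority"
        verdicts[src] = (label, best)
    return verdicts


if __name__ == "__main__":
    for source, (label, count) in sorted(triage(SAMPLE_ALERTS).items()):
        print(f"{source}: {label} ({count} listed servers in one window)")
```

A low-priority result is not a clearance; the False Negatives note above still applies to hosts that use other servers or none.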