[Snort-sigs] doc for sids 1:10065->1:10077 (Storm Trojan, Trojan.Peacom)

Nigel Houghton nigel at ...435...
Thu Jan 25 10:49:47 EST 2007


On  0, "David Morris" <icurnet at ...2420...> wrote:
>    Basic documentation for SIDs 1:10065 thru 1:10077 for the 'Storm
>    Trojan' (Trojan.Peacomm) that has been in the news lately.
>    # This is a template for submitting snort signature descriptions to
>    # the snort.org website
>    #
>    # Ensure that your descriptions are your own
>    # and not the work of others.  References in the rules themselves
>    # should be used for linking to others' work.
>    #
>    # If you are unsure of some part of a rule, use that as a commentary
>    # and someone else perhaps will be able to fix it.
>    #
>    # $Id$
>    #
>    #
>    Rule: SPECIFIC-THREATS Trojan Peacomm smtp propagation detection
>    (1:10065) (thru sid 1:10077)
>    --
>    Sid: 1:10065 (thru 1:10077)
>    --
>    Summary: An executable attachment received via e-mail that, once
>    executed by the user, compromises the user's PC by installing
>    a rootkit and a UDP communication channel for distribution of spam.
>    --
>    Impact: High
>    --
>    Detailed Information: An executable attachment received via e-mail
>    that, once executed by the user, compromises the user's PC by
>    installing a rootkit and a UDP communication channel for
>    distribution of spam.
>    Users are lured into opening the attachment by describing
>    it as a video news story related to current news events. The
>    subject/body of the e-mail varies.
>    Once compromised, the PC will start sending high volumes (2000-3000
>    msgs/min) of mail traffic. The backdoor UDP communication channel
>    typically uses udp/4000 and udp/7871 to communicate with a botnet.
>    Known as Storm Trojan, Trojan.Peacomm (Symantec).
>    --
>    Affected Systems: Microsoft Windows Operating Systems
>    --
>    Attack Scenarios:
>    --
>    Ease of Attack: Simple, the user runs an attachment sent to them by
>    e-mail.
>    --
>    False Positives: none known
>    --
>    False Negatives: none known
>    --
>    Corrective Action: Patch the operating system and antivirus program.
>    Drop .exe attachments inbound/outbound. Educate users.
>    --
>    Contributors: David Morris, CISSP icurnet at ...2420...
>    --
>    Additional References:
>    http://www.symantec.com/outbreak/storm_trojan.html

Thanks for your submission. These rules actually have documentation but
I will include the information you include here.

--
Nigel Houghton
Office Linebacker
SF VRT
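The submission above gives two network-side indicators for an infected host: outbound UDP to 4000 and 7871 (the botnet channel) and a burst of SMTP connections on the order of 2000-3000 per minute. The script below, added here as an illustration and not part of the original post or of the Snort rules, runs that heuristic over a small set of constructed flow records (timestamp, source, protocol, destination, destination port; an assumed one-line-per-flow format, not any real collector's output) and reports which sources match either indicator.

```python
"""Flag hosts showing the Storm/Peacomm traffic pattern from the thread.

Indicators (from the signature documentation above):
  * outbound UDP to port 4000 or 7871 (botnet channel)
  * 2000-3000 SMTP connections per minute (spam run)

The flow-record format and the sample data are constructed for this
example; they are not a real collector format or real traffic.
"""
from collections import defaultdict
from dataclasses import dataclass

STORM_UDP_PORTS = {4000, 7871}      # udp/4000 and udp/7871 per the thread
SMTP_PER_MIN_THRESHOLD = 2000       # low end of the 2000-3000 msgs/min figure


@dataclass
class Flow:
    minute: str   # "YYYY-MM-DDTHH:MM", the bucket used for rate counting
    src: str
    proto: str
    dst: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one assumed-format record: '<ts> <src> <proto> <dst> <dport>'."""
    ts, src, proto, dst, dport = line.split()
    return Flow(ts[:16], src, proto.lower(), dst, int(dport))


def analyse(lines):
    """Return {src: findings} for every source matching at least one indicator."""
    udp_hits = defaultdict(set)                          # src -> ports seen
    smtp_counts = defaultdict(lambda: defaultdict(int))  # src -> minute -> count
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = parse_flow(line)
        if f.proto == "udp" and f.dport in STORM_UDP_PORTS:
            udp_hits[f.src].add(f.dport)
        elif f.proto == "tcp" and f.dport == 25:
            smtp_counts[f.src][f.minute] += 1

    report = {}
    for src in set(udp_hits) | set(smtp_counts):
        peak = max(smtp_counts.get(src, {}).values(), default=0)
        ports = sorted(udp_hits.get(src, ()))
        reasons = []
        if ports:
            reasons.append(f"udp to storm ports {ports}")
        if peak >= SMTP_PER_MIN_THRESHOLD:
            reasons.append(f"{peak} smtp connections in one minute")
        if reasons:
            report[src] = {"udp_ports": ports,
                           "peak_smtp_per_min": peak,
                           "reasons": reasons}
    return report


def build_sample_flows():
    """Constructed sample: one infected host, one clean host, one lone udp/4000."""
    lines = [
        # infected host (10.1.1.5): botnet channel on both ports ...
        "2007-01-25T10:00:01 10.1.1.5 udp 198.51.100.7 4000",
        "2007-01-25T10:00:02 10.1.1.5 udp 198.51.100.9 7871",
    ]
    # ... followed by 2500 SMTP connections inside the 10:01 minute
    for i in range(2500):
        lines.append(f"2007-01-25T10:01:{i % 60:02d} 10.1.1.5 tcp "
                     f"203.0.113.{i % 200 + 1} 25")
    # clean host (10.1.1.20): a handful of ordinary mail submissions
    for i in range(5):
        lines.append(f"2007-01-25T10:01:{i:02d} 10.1.1.20 tcp 203.0.113.250 25")
    # single udp/4000 flow from another host (10.1.1.30): weak evidence alone
    lines.append("2007-01-25T10:02:00 10.1.1.30 udp 198.51.100.50 4000")
    return lines


if __name__ == "__main__":
    for host, findings in sorted(analyse(build_sample_flows()).items()):
        print(host, "; ".join(findings["reasons"]))
```

The two indicators are reported separately rather than combined on purpose: a single UDP flow to port 4000 from a host that is not also spewing mail is weak evidence on its own, so an analyst would want to see both columns before acting, and a host that trips both is the one worth pulling off the network first.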
