[Snort-sigs] doc for sids 1:10065->1:10077 (Storm Trojan, Trojan.Peacom)

David Morris icurnet at ...2420...
Thu Jan 25 10:51:42 EST 2007


Hi Nigel, snort.org does not list any documentation for them when using the
search function. I forgot to check our Sf install first ;)  but I hope I
helped in some small way.

David

On 1/25/07, Nigel Houghton <nigel at ...435...> wrote:
>
> On  0, "David Morris" <icurnet at ...2420...> wrote:
> >    Basic documentation for SIDs 1:10065 thru 1:10077 for the 'Storm
> >    Trojan' (Trojan.Peacomm) that is in the news lately.
> >    # This is a template for submitting snort signature descriptions to
> >    # the snort.org website
> >    #
> >    # Ensure that your descriptions are your own
> >    # and not the work of others.  References in the rules themselves
> >    # should be used for linking to other's work.
> >    #
> >    # If you are unsure of some part of a rule, use that as a commentary
> >    # and someone else perhaps will be able to fix it.
> >    #
> >    # $Id$
> >    #
> >    #
> >    Rule: SPECIFIC-THREATS Trojan Peacomm smtp propagation detection
> >    (1:10065) (thru sid 1:10077)
> >    --
> >    Sid: 1:10065  (thru 1:10077)
> >    --
> >    Summary: An executable attachment received via e-mail that, once
> >    executed by the user, compromises the user's PC by installing
> >    a rootkit and a UDP communication channel for distribution of SPAM.
> >    --
> >    Impact: High
> >    --
> >    Detailed Information: An executable attachment received via e-mail
> >    that, once executed by the user, compromises the user's PC by
> >    installing a rootkit and a UDP communication channel for distribution
> >    of SPAM.
> >    Users are lured into opening the attachment by describing
> >    it as a video news story related to current news events. The
> >    subject/body of the e-mail varies.
> >    Once compromised, the PC will start sending high volumes (2000-3000
> >    msgs/min) of mail traffic. The backdoor UDP communication channel
> >    typically uses udp/4000 and udp/7871 to communicate with a botnet.
> >    Known as Storm Trojan, Trojan.Peacomm (Symantec)
> >    --
> >    Affected Systems: Microsoft Windows Operating Systems
> >    --
> >    Attack Scenarios:
> >    --
> >    Ease of Attack: Simple, the user runs an attachment sent to them by
> >    e-mail.
> >    --
> >    False Positives: none known
> >    --
> >    False Negatives: none known
> >    --
> >    Corrective Action: Patch Operating System and AntiVirus program. Drop
> >    .exe attachments inbound/outbound. Educate users.
> >    --
> >    Contributors: David Morris, CISSP icurnet at ...2420...
> >    --
> >    Additional References:
> >    http://www.symantec.com/outbreak/storm_trojan.html
>
> Thanks for your submission. These rules actually have documentation but
> I will include the information you include here.
>
> --
> Nigel Houghton
> Office Linebacker
> SF VRT
>
>
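The submission above describes two observable behaviours of an infected host: a burst of outbound mail (2000-3000 msgs/min) and a UDP peer channel on udp/4000 and udp/7871. The following is an added example, not part of the mailing-list post and not the Sourcefire rules it documents: a small Python triage script that applies those two indicators to a constructed firewall/NetFlow-style log. The host addresses, the log format and the 200-connections-per-minute SMTP threshold are all assumptions chosen for the sample; the two UDP ports are the ones the post names.

```python
"""Triage flow records for the two Storm/Peacomm behaviours described in the
post: an SMTP fan-out burst and UDP traffic to the peer-channel ports.

Added example; the flow log below is constructed, not captured data."""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Ports the post lists for the UDP backdoor channel.
PEACOMM_UDP_PORTS = {4000, 7871}
# Assumed threshold: the post reports 2000-3000 msgs/min from an infected PC;
# a desktop opening 200 SMTP connections in one minute is already abnormal.
SMTP_CONN_PER_MIN_THRESHOLD = 200


def _build_sample_flows() -> List[str]:
    """Constructed log: 'YYYY-MM-DD HH:MM:SS src dst proto dport' per line."""
    flows = []
    # Hypothetical infected desktop 192.0.2.10 fans out to 250 mail servers
    # within a single minute.
    for i in range(250):
        flows.append(f"2007-01-25 10:51:{i % 60:02d} 192.0.2.10 "
                     f"198.51.100.{i % 250 + 1} tcp 25")
    # The same host opens the UDP peer channel.
    flows.append("2007-01-25 10:51:30 192.0.2.10 203.0.113.7 udp 4000")
    # A normal host sends a handful of mails and does DNS.
    for hms in ("10:51:05", "10:52:11", "10:52:40"):
        flows.append(f"2007-01-25 {hms} 192.0.2.20 198.51.100.1 tcp 25")
    flows.append("2007-01-25 10:52:00 192.0.2.20 192.0.2.53 udp 53")
    # A host seen only on udp/7871: worth a look, but no mail burst.
    flows.append("2007-01-25 10:53:02 192.0.2.30 203.0.113.9 udp 7871")
    return flows


SAMPLE_FLOWS = _build_sample_flows()


def parse_flow(line: str) -> Tuple[str, str, str, str, int]:
    """Return (minute bucket, src, dst, proto, dport) for one log line."""
    date, hms, src, dst, proto, dport = line.split()
    return (f"{date} {hms[:5]}", src, dst, proto.lower(), int(dport))


def smtp_burst_sources(lines: Iterable[str],
                       threshold: int = SMTP_CONN_PER_MIN_THRESHOLD) -> Dict[str, int]:
    """Map each source whose peak per-minute tcp/25 connection count reaches
    the threshold to that peak count."""
    per_minute: Counter = Counter()
    for line in lines:
        minute, src, _dst, proto, dport = parse_flow(line)
        if proto == "tcp" and dport == 25:
            per_minute[(src, minute)] += 1
    peak: Dict[str, int] = {}
    for (src, _minute), n in per_minute.items():
        peak[src] = max(peak.get(src, 0), n)
    return {src: n for src, n in peak.items() if n >= threshold}


def udp_channel_sources(lines: Iterable[str]) -> Set[str]:
    """Sources that sent UDP to the peer-channel ports. Port-only matching is
    a weak indicator on its own (other software uses udp/4000), so treat a hit
    without a mail burst as a lead to verify, not a verdict."""
    return {src for (_m, src, _d, proto, dport) in map(parse_flow, lines)
            if proto == "udp" and dport in PEACOMM_UDP_PORTS}


def triage(lines: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Combine both indicators; hosts matching both are the strong cases."""
    lines = list(lines)
    reasons: Dict[str, List[str]] = defaultdict(list)
    for src, n in smtp_burst_sources(lines).items():
        reasons[src].append(f"smtp burst: {n} connections/min")
    for src in udp_channel_sources(lines):
        reasons[src].append("udp to 4000/7871")
    return sorted(reasons.items())


if __name__ == "__main__":
    for host, why in triage(SAMPLE_FLOWS):
        print(host, "; ".join(why))
```

Against the sample, 192.0.2.10 trips both indicators and 192.0.2.30 only the port check; the normal mail host 192.0.2.20 is not listed. The Snort rules themselves inspect the SMTP propagation traffic, so this host-level view is a complement for confirming which machine is infected once a rule fires, not a substitute for the signatures.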