[Snort-sigs] Storm worm rule

Matt Jonkman jonkman at ...829...
Wed Feb 13 17:14:01 EST 2008


Paul Schmehl wrote:
> OK, this is more like it.
> 
> alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:2;)
> 
> But there's no offset, so it could still false positive *and* the d4 c3 won't 
> be in every packet (as you can see from the capture that I posted) whereas the 
> 10 a6 will be in every packet (10 a6 is the encrypted protocol signature for 
> eDonkey.)

The depth anchors the first content match to be the first 4 bytes of the
packet, so that avenue of FPs is handled.

But these Storm packets as far as I know aren't using the eDonkey
encrypted protocol, they're just XORing the entire packet against a
40-bit key. Joe Stewart reversed it and I wrote these sigs based upon
his paper posted somewhere on the SecureWorks site.

I would be surprised if this is the regular eDonkey encryption
protocol, but it's certainly possible. Do you have a spec handy on the
encryption portion of the proto?

Matt


-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
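To make the two points in this exchange concrete, here is a small added example (not part of the thread and not Emerging Threats code) that emulates only the `dsize`, `content` and `depth` options of the quoted rule over constructed UDP payloads, and shows why a fixed repeating XOR key leaves a constant prefix that a `depth:4` content match can hit. The 5-byte XOR key, the protocol header and every packet below are made up for illustration; the real Storm key from Joe Stewart's analysis is not reproduced, and the port, direction and threshold options are not modelled.

```python
"""Emulation of the content/depth/dsize checks from the quoted Storm rule.

Added example, not from the mailing-list thread or the Emerging Threats
rule set.  Sample packets and the XOR key are constructed, not captured.
"""
from itertools import cycle
from typing import Optional

STORM_PREFIX = bytes.fromhex("10a6d4c3")   # content:"|10 a6 d4 c3|" from the rule
STORM_DSIZE = 25                            # dsize:25 from the rule


def snort_content_match(payload: bytes, content: bytes,
                        depth: Optional[int] = None) -> bool:
    """Emulate Snort's `content` option with an optional `depth` modifier.

    Without depth, the whole payload is searched for the pattern.  With
    depth:N only the first N payload bytes are searched, so a pattern of
    length L can only start at offsets 0 .. N-L.  For depth:4 and a
    4-byte pattern that is offset 0 only.
    """
    haystack = payload if depth is None else payload[:depth]
    return content in haystack


def rule_matches(payload: bytes, use_depth: bool = True) -> bool:
    """Apply the rule's dsize and content/depth checks to one UDP payload."""
    if len(payload) != STORM_DSIZE:          # dsize:25 is an exact-size test
        return False
    return snort_content_match(payload, STORM_PREFIX,
                               depth=4 if use_depth else None)


def xor_stream(data: bytes, key: bytes) -> bytes:
    """XOR `data` against `key`, repeating the key as needed.

    This is the construction the thread attributes to Storm (a whole
    packet XORed against a fixed 40-bit key); the key used by the caller
    below is hypothetical.
    """
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


# --- constructed sample packets (not real captures) ---

# Signature bytes at offset 0, correct size: the case the rule targets.
true_positive = STORM_PREFIX + b"\x00" * (STORM_DSIZE - len(STORM_PREFIX))

# Same four bytes two positions into the payload: without depth this
# would still match, which is the false-positive avenue raised above.
shifted = (b"\xaa\xbb" + STORM_PREFIX
           + b"\x00" * (STORM_DSIZE - len(STORM_PREFIX) - 2))

# Correct prefix, wrong size: dsize rejects it before content is tested.
wrong_size = STORM_PREFIX + b"\x00" * 30


def demo_depth_anchoring() -> dict:
    """Run the three constructed packets through the emulated rule."""
    return {
        "true_positive": rule_matches(true_positive),
        "shifted_with_depth": rule_matches(shifted, use_depth=True),
        "shifted_without_depth": rule_matches(shifted, use_depth=False),
        "wrong_size": rule_matches(wrong_size),
    }


def demo_constant_prefix(key: bytes = bytes.fromhex("0102030405")) -> bool:
    """Show why a content match at depth:4 survives a fixed-key XOR.

    Two different plaintexts that share a 4-byte header, XORed against
    the same repeating 5-byte key, produce ciphertexts that share the
    same 4-byte prefix while the remainder differs.  Header and key are
    hypothetical.
    """
    header = b"\xe4\x00\x01\xff"
    msg_a = header + b"hello" * 4 + b"A"     # 25 bytes, like dsize:25
    msg_b = header + b"world" * 4 + b"B"
    ct_a, ct_b = xor_stream(msg_a, key), xor_stream(msg_b, key)
    return ct_a[:4] == ct_b[:4] and ct_a[4:] != ct_b[4:]


if __name__ == "__main__":
    print(demo_depth_anchoring())
    print("constant prefix under fixed XOR key:", demo_constant_prefix())
```

Running the block prints the four match results, with only the well-formed packet matching when `depth:4` is in force, and confirms the constant-prefix property. The caveat a real deployment still has to weigh is the one the rule already encodes: `depth:4` removes the shifted-pattern false positives, but any 25-byte UDP payload whose first four bytes happen to be `10 a6 d4 c3` will still fire, so the `dsize` and `threshold` options are doing real work alongside the content match.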