[Snort-sigs] Storm worm rule

Paul Schmehl pauls at ...1311...
Wed Feb 13 18:01:16 EST 2008


--On Wednesday, February 13, 2008 14:14:01 -0800 Matt Jonkman 
<jonkman at ...829...> wrote:

>
> Paul Schmehl wrote:
>> OK, this is more like it.
>>
>> alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN
>> Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6 d4
>> c3|";  depth:4; threshold: type both, count 1, seconds 60, track by_src;
>> classtype:trojan-activity; sid:2007701; rev:2;)
>>
>> But there's no offset, so it could still false positive *and* the d4 c3
>> won't  be in every packet (as you can see from the capture that I posted)
>> whereas the  10 a6 will be in every packet (10 a6 is the encrypted protocol
>> signature for  eDonkey.)
>
> The depth anchors the first content match to be the first 4 bytes of the
> packet, so that avenue of FPs is handled.
>

You're right *if* you're referring to the first content match (which you are in 
this case) *or* you don't use an offset before depth.

> But these storm packets as far as I know aren't using the edonkey
> encrypted protocol, they're just XORing the entire packet against a
> 40-bit key. Joe Stewart reversed it and I wrote these sigs based upon
> his paper posted somewhere on the secureworks site.
>

I may have been given incorrect information.  I'll look at Joe's report.

> I would be surprised if this is the regular edonkey encryption
> protocols, but it's certainly possible. Do you have a spec handy on the
> encryption portion of the proto?
>

I looked for it but didn't find it.  (I found the unencrypted stuff but not the 
encrypted.)

-- 
Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
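Worked illustration of the point argued in this thread, added here as an example and not part of the original message or of the Emerging Threats rule set: a small Python emulation of Snort's `dsize`, `content`/`offset`/`depth` and `threshold ... track by_src` semantics, run over constructed UDP payloads. It shows that `depth:4` with no `offset` pins a 4-byte `content` to the first four bytes of the payload (Matt's point), and that adding an `offset` moves that window (Paul's caveat). The payloads, source addresses and timestamps are constructed for the example; the matcher is an assumption about Snort's documented semantics, not Snort's own code.

```python
from typing import Dict, List, Optional, Tuple

# The |10 a6 d4 c3| content from sid:2007701 rev:2 as quoted above.
STORM_PATTERN = bytes.fromhex("10a6d4c3")


def content_matches(payload: bytes, pattern: bytes,
                    offset: int = 0, depth: Optional[int] = None) -> bool:
    """Emulate Snort content/offset/depth.

    The search starts at `offset`; `depth` limits how many bytes, counted
    from `offset`, are searched, and the whole pattern must fit inside that
    window.  A 4-byte pattern with depth:4 therefore only matches when it
    is the first four bytes after the offset.
    """
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


def storm_rule_matches(payload: bytes) -> bool:
    """dsize:25; content:"|10 a6 d4 c3|"; depth:4;  (no offset)."""
    return len(payload) == 25 and content_matches(payload, STORM_PATTERN, depth=4)


class SrcThreshold:
    """threshold: type both, count N, seconds S, track by_src.

    'both' fires once per S-second window after N events from a source and
    suppresses further alerts in that window; with count 1 that is one
    alert per source per window.
    """

    def __init__(self, count: int = 1, seconds: int = 60) -> None:
        self.count = count
        self.seconds = seconds
        self._state: Dict[str, Tuple[float, int]] = {}  # src -> (window start, events)

    def should_alert(self, src: str, now: float) -> bool:
        start, seen = self._state.get(src, (now, 0))
        if now - start >= self.seconds:       # window expired: start a new one
            start, seen = now, 0
        seen += 1
        self._state[src] = (start, seen)
        return seen == self.count             # exactly the Nth event alerts


# Constructed sample payloads (not captured traffic).
PKT_FIRST = STORM_PATTERN + b"\x00" * 21            # 25 bytes, pattern at byte 0
PKT_SHIFTED = b"\x00\x01" + STORM_PATTERN + b"\x00" * 19  # 25 bytes, pattern at byte 2
PKT_SHORT = STORM_PATTERN + b"\x00" * 20            # 24 bytes, fails dsize:25


def run_rule(packets: List[Tuple[str, float, bytes]],
             thr: Optional[SrcThreshold] = None) -> List[Tuple[str, float]]:
    """Return (src, time) for each packet that matches the rule and passes the
    threshold, i.e. what would actually be alerted on."""
    thr = thr or SrcThreshold(count=1, seconds=60)
    alerts = []
    for src, ts, payload in packets:
        if storm_rule_matches(payload) and thr.should_alert(src, ts):
            alerts.append((src, ts))
    return alerts


if __name__ == "__main__":
    # Constructed source addresses and timestamps (seconds).
    flow = [("10.0.0.5", 0.0, PKT_FIRST), ("10.0.0.5", 30.0, PKT_FIRST),
            ("10.0.0.5", 61.0, PKT_FIRST), ("10.0.0.6", 5.0, PKT_SHIFTED),
            ("10.0.0.7", 6.0, PKT_SHORT)]
    print("alerts:", run_rule(flow))   # only 10.0.0.5 at t=0.0 and t=61.0
    # With an offset the depth window moves, so the shifted packet now matches.
    print("offset 2, depth 4:", content_matches(PKT_SHIFTED, STORM_PATTERN, offset=2, depth=4))
```

The shifted payload is the case Paul raises: the bytes are present but not at the start, so `depth:4` alone rejects it, while `offset:2; depth:4` accepts it. The threshold class shows why repeated hits from one host within a minute produce a single alert under `type both, count 1`.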