[Snort-sigs] Storm worm rule

Paul Schmehl pauls at ...1311...
Wed Feb 13 18:01:16 EST 2008

--On Wednesday, February 13, 2008 14:14:01 -0800 Matt Jonkman 
<jonkman at ...829...> wrote:

> Paul Schmehl wrote:
>> OK, this is more like it.
>> alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:2;)
>> But there's no offset, so it could still false positive *and* the d4 c3
>> won't be in every packet (as you can see from the capture that I posted)
>> whereas the 10 a6 will be in every packet (10 a6 is the encrypted protocol
>> signature for eDonkey.)
> The depth anchors the first content match to be the first 4 bytes of the
> packet, so that avenue of FPs is handled.

You're right *if* you're referring to the first content match (which you are in 
this case) *or* you don't use an offset before depth.

> But these storm packets as far as I know aren't using the edonkey
> encrypted protocol, they're just XORing the entire packet against a
> 40-bit key. Joe Stewart reversed it and I wrote these sigs based upon
> his paper posted somewhere on the secureworks site.

I may have been given incorrect information.  I'll look at Joe's report.

> I would be surprised if this is the regular edonkey encryption
> protocols, but it's certainly possible. Do you have a spec handy on the
> encryption portion of the proto?

I looked for it but didn't find it.  (I found the unencrypted stuff but not the 

Paul Schmehl (pauls at ...1311...)
Senior Information Security Analyst
The University of Texas at Dallas
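To make the depth/offset discussion above concrete, the following is a small Python model added here as an example; it is not code from the thread, from Emerging Threats or from Snort. It implements the payload conditions of the quoted rule (dsize:25, the four-byte content match, depth:4, and an optional offset) plus the "threshold: type both, count 1, seconds 60, track by_src" suppression, and runs them over constructed 25-byte payloads, not captured Storm traffic. It assumes the window semantics in which depth counts bytes from offset (so depth:4 with no offset anchors a four-byte pattern to bytes 0-3), and shows that the same pattern four bytes further in is rejected with depth:4 alone but accepted once offset:4 is added, which is the case Paul raises.

```python
"""Toy model of the payload checks in the quoted Storm rule:
dsize:25; content:"|10 a6 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src
All packets below are constructed for this example; they are not captured Storm traffic."""


def parse_content(spec: str) -> bytes:
    """Convert a Snort content string such as '|10 a6 d4 c3|' or 'GET|20|/' to bytes.
    Segments between pipes are hex; everything else is a literal string."""
    out = bytearray()
    for i, seg in enumerate(spec.split("|")):
        if i % 2 == 1:                      # odd segments sit between pipes: hex
            out += bytes.fromhex(seg.replace(" ", ""))
        else:
            out += seg.encode("latin-1")    # literal text
    return bytes(out)


def content_match(payload: bytes, pattern: bytes, offset: int = 0, depth=None) -> bool:
    """True if pattern lies entirely inside payload[offset:offset+depth].
    depth is counted from offset (assumed window semantics); None means 'to end of payload'.
    With offset 0 and depth equal to the pattern length the match is anchored to the start."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    return pattern in window


STORM_PATTERN = parse_content("|10 a6 d4 c3|")


def storm_rule_matches(payload: bytes, offset: int = 0, depth: int = 4) -> bool:
    """dsize:25 plus the anchored content match from the quoted rule."""
    return len(payload) == 25 and content_match(payload, STORM_PATTERN, offset, depth)


class ThresholdBoth:
    """Models 'threshold: type both, count N, seconds S, track by_src':
    once a source has produced N matching packets inside an S-second window,
    alert exactly once and stay quiet for that source until the window expires."""

    def __init__(self, count: int = 1, seconds: float = 60.0):
        self.count, self.seconds = count, seconds
        self.state = {}  # src -> (window_start, packets_seen, already_fired)

    def event(self, src: str, ts: float) -> bool:
        start, seen, fired = self.state.get(src, (None, 0, False))
        if start is None or ts - start >= self.seconds:   # open a fresh window
            start, seen, fired = ts, 0, False
        seen += 1
        fire = (not fired) and seen >= self.count
        self.state[src] = (start, seen, fired or fire)
        return fire


# Constructed sample packets: (source IP, timestamp in seconds, UDP payload).
SAMPLE_PACKETS = [
    ("10.0.0.5", 0.0,  STORM_PATTERN + b"\x00" * 21),              # matches, first alert
    ("10.0.0.5", 10.0, STORM_PATTERN + b"\x01" * 21),              # matches, suppressed (same 60 s window)
    ("10.0.0.5", 70.0, STORM_PATTERN + b"\x02" * 21),              # matches, new window, second alert
    ("10.0.0.9", 1.0,  b"\x00" * 4 + STORM_PATTERN + b"\x00" * 17),  # pattern at byte 4: depth:4 rejects it
    ("10.0.0.9", 2.0,  STORM_PATTERN + b"\x00" * 30),              # 34 bytes: dsize:25 rejects it
]


def run(packets, offset: int = 0, depth: int = 4):
    """Apply the rule's payload checks and the threshold; return (src, ts) of each alert."""
    thr = ThresholdBoth(count=1, seconds=60)
    alerts = []
    for src, ts, payload in packets:
        if storm_rule_matches(payload, offset, depth) and thr.event(src, ts):
            alerts.append((src, ts))
    return alerts


if __name__ == "__main__":
    for a in run(SAMPLE_PACKETS):
        print("alert from %s at t=%.0fs" % a)
    late = b"\x00" * 4 + STORM_PATTERN + b"\x00" * 17
    print("no depth:", content_match(late, STORM_PATTERN))                 # unanchored: would match
    print("depth:4 :", content_match(late, STORM_PATTERN, depth=4))        # anchored: rejected
    print("offset:4; depth:4 :", content_match(late, STORM_PATTERN, offset=4, depth=4))
```

The fourth constructed packet is the false-positive avenue Matt describes being closed: without depth the pattern anywhere in the 25 bytes would match, with depth:4 only the first four bytes are examined. The threshold keeps a chatty infected host to one alert per 60 seconds rather than one per packet.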
