[Snort-users] Cyberkit signature

Eric Hines eric.hines at ...8860...
Tue Sep 2 05:41:09 EDT 2003


Erek,

I've received over 4,000 of these in the past few hours. It's
definitely not ICMP PING Cyberkit 2.2 Windows traffic, which is what
your Snort ruleset will identify it as. I've pasted a few packets below
provided from our Applied Watch console.

EVENT INFORMATION:
Alert ID: 369762
Priority: 3
Timestamp: Sat Aug 30 04:24:02 CDT 2003
Signature ID: 483
Message: ICMP PING CyberKit 2.2 Windows

IP HEADER INFORMATION:
Ver: 4
Length: 92
Flags: 0
Checksum: 64097
Hlen: 5
ID: 55669
TTL: 115
Source IP: 66.168.141.28
TOS: 0
Offset: 0
Proto: 1
Dest IP: 66.167.97.94

ICMP PROTOCOL INFORMATION:
Type: 8
Code: 0
Checksum: 27040
ID: 512
Sequence #: 14090

PAYLOAD INFORMATION:
4500 005c d975 0000 7301 fa61 42a8 8d1c 42a7    E..\.u..s..aB...B.
615e 0800 69a0 0200 370a aaaa aaaa aaaa aaaa    a^..i...7.........
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa    ..................
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa    ..................
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa    ..................
aaaa                                            ..                

NOTE INFORMATION:

====================================================================


Regards,

Eric Hines
CEO, Chairman

===============================================

Eric Hines
CEO, Chairman
Applied Watch Technologies, Inc.
eric.hines at ...8860...
-----------------------------------------------
Corporate Headquarters
1650 Carlemont Dr. 
Suite D 
Crystal Lake, IL. 60014 
-----------------------------------------------
Direct Toll Free: (877) 262-7593 (x327)
Fax: (815) 425-2173 
-----------------------------------------------
Main Switchboard: (877) 262-7593 (9am-5pm CST)
Commercial Sales: (877) 262-7593 (opt1)
Government Sales: (877) 262-7593 (opt2)

===============================================


-----Original Message-----
From: Erek Adams [mailto:erek at ...950...] 
Sent: Friday, August 22, 2003 12:04 PM
To: djmurd at ...5190...
Cc: snort-users at lists.sourceforge.net; intrusions at ...2034...
Subject: Re: [Snort-users] Cyberkit signature


On Thu, 21 Aug 2003 djmurd at ...5190... wrote:

> Hey there - can any of you please point me to some reliable 
> information that says the "cyberkit 2.2" signature is really the 
> Nachia / Welchia worm?

Do you see a ton of them?  Are they coming from Win32 based hosts?  Then
probably yes.  :)  I forget where, but there was a writeup that had a
breakdown of the packets involved.  IIRC, there was a particular set of
bytes in the ping packet that you could trigger on.

> I need some more ammo in order to block ICMP for our network...

Blocking ICMP is bad, M'kay?  </Mr.MackeyVoice>

You break MTU-Path discovery and a couple of other things.  You can if
you want, but it can wreak havoc on Solaris boxes if you're not careful.
Consider blocking the ICMP echo request of only the size that the worm
uses.  It's something odd like 91 bytes I think...

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
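Added example, not from the original post or from Applied Watch: a small Python parser that reads the hex dump above, validates the IP and ICMP checksums against the values shown in the console output, and applies the profile the thread describes (a 92-byte IPv4 echo request whose 64-byte payload is nothing but 0xAA), which is the kind of size-and-content match Erek suggests instead of dropping all ICMP. The length and fill byte are taken from the dump itself; the function names are mine.

```python
import socket
import struct

# Constructed from the hex columns of the dump in the post above (ASCII column dropped).
PACKET_HEX = """
4500 005c d975 0000 7301 fa61 42a8 8d1c 42a7
615e 0800 69a0 0200 370a aaaa aaaa aaaa aaaa
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa aaaa
aaaa
"""


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 over data whose checksum field is correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_packet(hex_dump: str) -> dict:
    """Decode the IPv4 and ICMP headers from a whitespace-separated hex dump."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    icmp = raw[ihl:total_len]                      # ICMP header + payload
    itype, icode, _icsum, icmp_id, seq = struct.unpack("!BBHHH", icmp[:8])
    return {
        "total_len": total_len, "ip_id": ip_id, "ttl": ttl, "proto": proto,
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "ip_csum_ok": inet_checksum(raw[:ihl]) == 0,
        "icmp_csum_ok": inet_checksum(icmp) == 0,
        "itype": itype, "icode": icode, "icmp_id": icmp_id, "seq": seq,
        "payload": icmp[8:],
    }


def is_welchia_like(pkt: dict) -> bool:
    """Profile from the thread: 92-byte IPv4 echo request, 64-byte payload of 0xAA.
    Matching on size and fill lets a filter target these pings without blocking all ICMP."""
    return (pkt["proto"] == 1 and pkt["itype"] == 8 and pkt["icode"] == 0
            and pkt["total_len"] == 92 and len(pkt["payload"]) == 64
            and set(pkt["payload"]) == {0xAA})
```

Both checksums in the dump verify (IP 0xfa61, ICMP 0x69a0 = 27040), so the console fields and the raw bytes agree.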