[Emerging-Sigs] Strom binary sigs

Jeremy cjeremy at gmail.com
Wed Jan 2 17:51:01 EST 2008


Matt:

I see you had the same idea I had with tracking the binary get requests.
These are the rules I had (only difference is the content match for GET):

#Created by Jeremy Conway to catch Storm Worm Exe's
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Storm Worm file download happy-2008.exe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/happy-2008.exe"; nocase; classtype:trojan-activity; sid:5000500; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Storm Worm file download happynewyear2008.exe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/happynewyear2008.exe"; nocase; classtype:trojan-activity; sid:5000501; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Storm Worm file download happy2008.exe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/happy2008.exe"; nocase; classtype:trojan-activity; sid:5000502; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Storm Worm file download happynewyear.exe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/happynewyear.exe"; nocase; classtype:trojan-activity; sid:5000503; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Storm Worm file download stripshow.exe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/stripshow.exe"; nocase; classtype:trojan-activity; sid:5000504; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Storm Worm file download happy_2008.exe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/happy_2008.exe"; nocase; classtype:trojan-activity; sid:5000505; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Storm Worm file download sony.exe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/sony.exe"; nocase; classtype:trojan-activity; sid:5000506; rev:1;)

The only one still firing is happy_2008.exe.

On another note: I have created a simple perl and bash script combo that
constantly queries the flux network DNS servers for new IPs and then
unobfuscates/unescapes the javascript in the html file to download the
newest binary for the storm worm.  It has been working fairly well and I
have about 6,000+ known bad IPs that have been hosting these files.  The bad
thing is most of the web servers for the storm worm seem to be on dial-up
connections, which is good for the fast flux network but sucks trying to
track them....  I figure I am going to add some more functionality to my
script tonight to do an MD5 hash and then submit changes to virustotal and
some other malware analysis groups.  This worm has just been driving us mad,
and, well, something has to give sooner or later....

Would any of this data be of use to you?

--jeremy
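The payload logic of the rules above (content:"GET " at depth 4, then a case-insensitive uricontent match on the request URI), applied in Python to constructed HTTP requests; this is an added example, not Jeremy's script or the Emerging Threats ruleset. The percent-decoding step is an assumption that approximates Snort's URI normalization, which the rules rely on but the post does not discuss.

```python
import re
from urllib.parse import unquote_to_bytes

# The uricontent values from the seven rules in the post.
STORM_URIS = (
    "/happy-2008.exe", "/happynewyear2008.exe", "/happy2008.exe",
    "/happynewyear.exe", "/stripshow.exe", "/happy_2008.exe", "/sony.exe",
)

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")


def match_storm_download(payload: bytes):
    """Return the matching filename for one client->server request, else None.

    content:"GET "; depth:4   -> the first four payload bytes must be b"GET "
    uricontent:"..."; nocase  -> the (normalized) URI contains the name,
                                 compared case-insensitively
    """
    if payload[:4] != b"GET ":
        return None
    m = REQUEST_LINE.match(payload)
    if not m:
        return None
    # Assumption: Snort's uricontent inspects a normalized URI, so decode
    # %XX escapes before comparing; plain lowercasing handles nocase.
    uri = unquote_to_bytes(m.group(2)).lower()
    for name in STORM_URIS:
        if name.encode() in uri:
            return name
    return None


def scan(requests):
    """Apply the rule logic to a list of raw requests; one result per request."""
    return [match_storm_download(r) for r in requests]


# Constructed sample requests (not real captures); example.invalid is a placeholder.
SAMPLES = [
    b"GET /happy_2008.exe HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    b"GET /Happy2008.EXE HTTP/1.0\r\nHost: example.invalid\r\n\r\n",
    b"POST /happy_2008.exe HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
]

if __name__ == "__main__":
    for req, hit in zip(SAMPLES, scan(SAMPLES)):
        print(req.split(b"\r\n", 1)[0].decode(), "->", hit)
```

The third sample shows why the rules are scoped to GET: a POST to the same path does not fire, which is the behaviour the `content:"GET "; depth:4` clause buys you.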