[Emerging-Sigs] Strom binary sigs
jonkman@jonkmans.com
Wed Jan 2 18:09:09 EST 2008
Absolutely! That is very useful data. We can incorporate it into the compromised list. Will ping you offlist.
Matt
Sent via BlackBerry by AT&T
-----Original Message-----
From: Jeremy <cjeremy at gmail.com>
Date: Wed, 2 Jan 2008 16:51:01
To: emerging-sigs at emergingthreats.net
Subject: [Emerging-Sigs] Strom binary sigs
Matt:
I see you had the same idea I had with tracking the binary get requests. These are the rules I had (only difference is the content match for GET) :
#Created by Jeremy Conway to catch Storm Worm Exe's
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Storm Worm file download happy-2008.exe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/happy-2008.exe"; nocase; classtype:trojan-activity; sid:5000500; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Storm Worm file download happynewyear2008.exe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/happynewyear2008.exe"; nocase; classtype:trojan-activity; sid:5000501; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Storm Worm file download happy2008.exe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/happy2008.exe"; nocase; classtype:trojan-activity; sid:5000502; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Storm Worm file download happynewyear.exe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/happynewyear.exe"; nocase; classtype:trojan-activity; sid:5000503; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Storm Worm file download stripshow.exe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/stripshow.exe"; nocase; classtype:trojan-activity; sid:5000504; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Storm Worm file download happy_2008.exe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/happy_2008.exe"; nocase; classtype:trojan-activity; sid:5000505; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Storm Worm file download sony.exe"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/sony.exe"; nocase; classtype:trojan-activity; sid:5000506; rev:1;)
The only one still firing is happy_2008.exe.
On another note: I have created a simple perl and bash script combo that constantly queries the flux network DNS servers for new IPs and then unobfuscates/unescapes the javascript in the html file to download the newest binary for the storm worm. It has been working fairly well and I have about 6,000+ known bad IPs that have been hosting these files. The bad thing is most of the web servers for the storm worm seem to be on dial up connections which is good for the fast flux network but sucks trying to track them.... I figure I am going to add some more functionality to my script tonight to do an MD5 hash and then submit changes to virustotal and some other malware analysis groups. This worm has just been driving us mad, and well something has to give sooner or later....
Would any of this data be of use to you?
--jeremy
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
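To make the matching logic of the seven posted rules concrete, the following Python script is an added example (not Jeremy's script, and not code from Emerging Threats) that emulates the two tests every rule shares, content:"GET " within the first 4 bytes (depth:4) and a case-insensitive uricontent substring match on the request URI, and runs them over a handful of constructed HTTP request lines. The rule table, the `match_rules` and `scan_samples` functions, and the sample requests with their placeholder host name are all assumptions of this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class UriRule:
    """The parts of each posted Snort rule that decide a match."""
    sid: int
    msg: str
    uricontent: str          # value of the uricontent: keyword
    nocase: bool = True      # the posted rules apply nocase to the uricontent


# The seven signatures from the post, reduced to their matching fields.
RULES = [
    UriRule(5000500, "Storm Worm file download happy-2008.exe", "/happy-2008.exe"),
    UriRule(5000501, "Storm Worm file download happynewyear2008.exe", "/happynewyear2008.exe"),
    UriRule(5000502, "Storm Worm file download happy2008.exe", "/happy2008.exe"),
    UriRule(5000503, "Storm Worm file download happynewyear.exe", "/happynewyear.exe"),
    UriRule(5000504, "Storm Worm file download stripshow.exe", "/stripshow.exe"),
    UriRule(5000505, "Storm Worm file download happy_2008.exe", "/happy_2008.exe"),
    UriRule(5000506, "Storm Worm file download sony.exe", "/sony.exe"),
]

# HTTP request line: METHOD SP URI SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d\r?\n")


def match_rules(payload: bytes, rules=RULES):
    """Return the sids that fire on one client-to-server HTTP payload.

    Emulates the two tests the posted rules share:
      content:"GET "; depth:4  -> the literal must sit within the first 4 bytes
      uricontent:"..."; nocase -> case-insensitive substring of the request URI
    """
    if b"GET " not in payload[:4]:
        return []
    m = REQUEST_LINE.match(payload)
    if m is None:
        return []
    uri = m.group(2)
    hits = []
    for rule in rules:
        needle = rule.uricontent.encode()
        haystack = uri
        if rule.nocase:
            needle, haystack = needle.lower(), haystack.lower()
        if needle in haystack:
            hits.append(rule.sid)
    return hits


# Constructed sample requests (not real captures); the host name is a placeholder.
SAMPLES = {
    "exact":     b"GET /happy_2008.exe HTTP/1.1\r\nHost: host.invalid\r\n\r\n",
    "uppercase": b"GET /HAPPY2008.EXE HTTP/1.0\r\nHost: host.invalid\r\n\r\n",
    "post":      b"POST /happy2008.exe HTTP/1.1\r\nHost: host.invalid\r\n\r\n",
    "benign":    b"GET /index.html HTTP/1.1\r\nHost: host.invalid\r\n\r\n",
}


def scan_samples(samples=SAMPLES):
    """Map each sample label to the list of sids that would alert on it."""
    return {label: match_rules(payload) for label, payload in samples.items()}


if __name__ == "__main__":
    for label, sids in scan_samples().items():
        print(f"{label:10s} -> {sids}")
```

Two things the run makes visible: nocase binds to the uricontent that precedes it, so the upper-case request still fires sid 5000502, while the POST sample is dropped by the depth:4 test before any URI is examined. Because uricontent is a substring test, any path that contains one of the file names fires, which is why the rules stay narrow by naming full file names rather than a bare ".exe".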