Gadi Evron wrote:
This is an urgent alert released by the cooperative efforts of the MWP / DA groups that also worked on the hurricane Rita scams. This task force is now known as the TISF BlackWorm task force. This task force involves many in the security (anti spam, CERTs, anti virus, academia, ISP's, etc.) community and industry, working together to combat threats to the security of the Internet in cooperation with law enforcement globally.
Thanks for the info, Gadi. I've been a bit behind and this is the first I'd hear of Blackworm.
alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection)"; content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|"; content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; classtype:misc-activity; sid:1000376; rev:1;) alert tcp any any -> any 80 (msg:"Agentless HTTP request to www.microsoft.com (possible BlackWorm infection)"; dsize:92; content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a| Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|"; classtype:misc-activity; sid:1000377; rev:1;)
Thanks, Joe! Checked my IDS and it had already updated itself and had these signatures. I put together a small swatch config file to watch syslog (snort logs to MySQL and syslog) for these alerts. Very useful for me since I'll actually be in the office for only two of the next 14 days. Details are at http://www.jeremygaddis.com/ if anyone's interested.
Thanks! -j -- Jeremy L. Gaddis, GCWN, Linux+, Network+ http://www.jeremygaddis.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/