[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)



Gadi Evron wrote:
This is an urgent alert released by the cooperative efforts of the MWP /
DA groups that also worked on the hurricane Rita scams. This task force is
now known as the TISF BlackWorm task force.
This task force involves many in the security (anti spam, CERTs, anti
virus, academia, ISP's, etc.) community and industry, working together to
combat threats to the security of the Internet in cooperation with law 
enforcement globally.

Thanks for the info, Gadi. I've been a bit behind and this is the first I'd hear of Blackworm.

alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request
without referrer (possible BlackWorm infection)";
content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|";
content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|";
classtype:misc-activity; sid:1000376; rev:1;)

alert tcp any any -> any 80 (msg:"Agentless HTTP request to
www.microsoft.com (possible BlackWorm infection)"; dsize:92;
content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|
Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|";
classtype:misc-activity; sid:1000377; rev:1;)

Thanks, Joe! Checked my IDS and it had already updated itself and had these signatures. I put together a small swatch config file to watch syslog (snort logs to MySQL and syslog) for these alerts. Very useful for me since I'll actually be in the office for only two of the next 14 days. Details are at http://www.jeremygaddis.com/ if anyone's interested.

Thanks!
-j

--
Jeremy L. Gaddis, GCWN, Linux+, Network+
http://www.jeremygaddis.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/