Re: Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)

["Gaddis, Jeremy L." <jeremy () linuxwiz net>]

Gadi Evron wrote:
> This is an urgent alert released by the cooperative efforts of the MWP /
> DA groups that also worked on the hurricane Rita scams. This task force is
> now known as the TISF BlackWorm task force.
> This task force involves many in the security (anti spam, CERTs, anti
> virus, academia, ISP's, etc.) community and industry, working together to
> combat threats to the security of the Internet in cooperation with law enforcement globally.

Thanks for the info, Gadi.  I've been a bit behind and this is the first 
I'd hear of Blackworm.

> alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request
> without referrer (possible BlackWorm infection)";
> content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|";
> content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|";
> classtype:misc-activity; sid:1000376; rev:1;)
>
> alert tcp any any -> any 80 (msg:"Agentless HTTP request to
> www.microsoft.com (possible BlackWorm infection)"; dsize:92;
> content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|
> Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|";
> classtype:misc-activity; sid:1000377; rev:1;)

Thanks, Joe!  Checked my IDS and it had already updated itself and had 
these signatures.  I put together a small swatch config file to watch 
syslog (snort logs to MySQL and syslog) for these alerts.  Very useful 
for me since I'll actually be in the office for only two of the next 14 
days.  Details are at http://www.jeremygaddis.com/ if anyone's interested.

Thanks!
-j

--
Jeremy L. Gaddis, GCWN, Linux+, Network+
http://www.jeremygaddis.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/