
Edonkey Sigs: msg#00139

security.ids.snort.bleedingsnort

Subject: Edonkey Sigs

Stormy is the new P2P worm, mostly email borne. It's using Edonkey as a
C&C channel. I'm looking for a specific thing it does differently, but
so far all I have is a unique hash each variant looks up when it starts
up. That'll change on each variant, so not sure it's worth going after.

Rather, I wrote some new Edonkey sigs. These ought to be more reliable,
and cover many more operations in the protocol, especially the UDP stuff
we used to not have much for. These will catch the stormy worm in
action, but just calling it edonkey activity. If that's an allowed
protocol on your network you'll have to check into it more closely.

More detail here. They'll be updating more through the day:

http://www.bleedingthreats.net/cgi-bin/viewcvs.cgi/sigs/P2P/P2P_Edonkey_Traffic?view=markup


Please test these if you have an edonkey client handy. The protocol
isn't documented, we're guessing here.

Matt
--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
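As an added illustration of what a protocol-level eDonkey signature has to key on (this is example code written for this archive page, not Matt's sigs or anything from the Bleeding Edge Threats CVS), the script below classifies constructed TCP and UDP payloads by their leading protocol byte. The framing it assumes comes from public eDonkey/eMule protocol write-ups rather than from the post: the TCP header is one protocol byte (0xE3 for classic eDonkey, 0xC5 for the eMule extension, 0xD4 for packed eMule messages) followed by a little-endian 32-bit length and a one-byte opcode, while UDP messages carry only the protocol byte and the opcode. The sample packets and the opcode values in them are made up for the demonstration.

```python
import struct

# Protocol marker bytes as described in public eDonkey/eMule documentation.
# Assumption for this example; the post itself does not list them.
ED2K_PROTO = 0xE3
EMULE_PROTO = 0xC5
PACKED_PROTO = 0xD4
FAMILIES = {ED2K_PROTO: "edonkey", EMULE_PROTO: "emule-ext", PACKED_PROTO: "emule-packed"}

# TCP framing (assumed): protocol byte, then little-endian uint32 covering opcode + body.
TCP_HDR = struct.Struct("<BI")


def classify_tcp(payload: bytes):
    """Return (family, opcode, declared_len) if payload looks like an eDonkey TCP
    message start, else None. A bare marker byte is not enough: the declared
    length must be at least 1 (the opcode) and must not exceed the data present,
    which is the extra check that keeps a sig from firing on random 0xE3 bytes."""
    if len(payload) < TCP_HDR.size + 1:
        return None
    proto, length = TCP_HDR.unpack_from(payload)
    if proto not in FAMILIES:
        return None
    if length < 1 or length > len(payload) - TCP_HDR.size:
        return None
    opcode = payload[TCP_HDR.size]
    return (FAMILIES[proto], opcode, length)


def classify_udp(payload: bytes):
    """Return (family, opcode) for a UDP payload beginning with a known marker
    byte, else None. UDP has no length field, so only the marker and opcode
    can be checked at this level."""
    if len(payload) < 2 or payload[0] not in FAMILIES:
        return None
    return (FAMILIES[payload[0]], payload[1])


def build_tcp(proto: int, opcode: int, body: bytes) -> bytes:
    """Construct a TCP message in the assumed framing (test helper)."""
    return TCP_HDR.pack(proto, 1 + len(body)) + bytes([opcode]) + body


def scan(samples):
    """Run the classifiers over (name, transport, payload) tuples and return
    {name: family-or-None}, the way a detection rule set would label flows."""
    labels = {}
    for name, transport, payload in samples:
        hit = classify_tcp(payload) if transport == "tcp" else classify_udp(payload)
        labels[name] = hit[0] if hit else None
    return labels


# Constructed sample traffic (not captured data). Opcode values are arbitrary.
SAMPLES = [
    ("ed2k-tcp-hello", "tcp", build_tcp(ED2K_PROTO, 0x01, b"\x00" * 16)),
    ("emule-tcp-ext", "tcp", build_tcp(EMULE_PROTO, 0x4C, b"\x01\x02")),
    ("ed2k-udp-query", "udp", bytes([ED2K_PROTO, 0x98]) + b"\x00" * 4),
    ("http-get", "tcp", b"GET / HTTP/1.1\r\n"),
    ("marker-only", "tcp", bytes([ED2K_PROTO, 0, 0, 0, 0])),
    ("random-udp", "udp", b"\x00\x01\x02"),
]

if __name__ == "__main__":
    for name, label in scan(SAMPLES).items():
        print(f"{name:16s} -> {label}")
```

The length sanity check in classify_tcp is the part worth carrying into a real rule: matching on the 0xE3 byte alone at offset 0 will fire on plenty of unrelated binary traffic, so a sig should pair the marker with the length field and an opcode, and then, as the post says, treat a hit as "eDonkey activity" to be investigated rather than as the worm itself.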

