osdir.com
mailing list archive

Subject: Re: Storm TCP Sigs - msg#00019

List: security.ids.snort.bleedingsnort

Haha, that's a good movie!

Still haven't found a better way to detect that tcp connection. Still
thinking on it though. The UDP stuff should still hit for now...

Matt

Will Metcalf wrote:
> It's ok Jonkman we've got it from here..... ;-)
>
> http://www.hollywoodblog.globolog.com.br/airplane2.jpg
>
> Regards,
>
> Will
>
> On 10/16/07, Matt Jonkman <jonkman-eqVdsuqBafFWk0Htik3J/w@xxxxxxxxxxxxxxxx>
> wrote:
>> I would agree. I'm traveling so can't look into it at the moment, but
>> I'll disable the sigs for now.
>>
>> Matt
>>
>> Russell Fulton wrote:
>>> Ouch!!!
>>>
>>> Time Window for this screen: Tue Oct 16 14:13:32 2007 to Tue Oct 16 14:51:49 2007
>>>
>>> Signature:        BLEEDING-EDGE TROJAN Storm Controller Response to Drone via tcp
>>> Total Events:     8967
>>> IP Srcs:          681
>>> IP Dsts:          214
>>> Sensor:           1
>>> Latest Timestamp: 2007-10-17 10:46:37
>>>
>>>
>>> I don't think I have that many undiscovered storm worms on campus!
>>>
>>> My guess is that Skype is triggering this.
>>>
>>> Russell
>>>
>>>
>>> Matt Jonkman wrote:
>>>> This new variant of Storm is using a short TCP connection for direct
>>>> commands apparently. Reverse engineered by Joe Stewart at Secureworks.
>>>> It's in essence 4 bytes up from the drone, 4 bytes back to set up and
>>>> authenticate each other.
>>>>
>>>> These sigs will catch that setup. I can't imagine many situations where
>>>> these would false, but it is possible. Please report any issues.
>>>>
>>>> alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535
>>>> (msg:"BLEEDING-EDGE TROJAN Storm Making initial outbound connection";
>>>> flowbits:isnotset,BE.stormtcp.init; flow:established,to_server; dsize:4;
>>>> classtype:trojan-activity; flowbits:noalert; flowbits:set,BE.stormtcp.init;
>>>> reference:url,doc.bleedingthreats.net/bin/view/Main/StormWorm;
>>>> sid:2007640; rev:1;)
>>>>
>>>> alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535
>>>> (msg:"BLEEDING-EDGE TROJAN Storm Controller Response to Drone via tcp";
>>>> flowbits:isset,BE.stormtcp.init; flow:established,from_server; dsize:4;
>>>> classtype:trojan-activity;
>>>> reference:url,doc.bleedingthreats.net/bin/view/Main/StormWorm;
>>>> sid:2007641; rev:1;)
>>>>
>>>>
>>>>
>>> ------------------------------------------------------------------------
>>>
>>> _______________________________________________
>>> Bleeding-sigs mailing list
>>> Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx
>>> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
>> --
>> --------------------------------------------
>> Matthew Jonkman
>> Bleeding Edge Threats
>> US Phone 765-429-0398
>> US Fax 312-264-0205
>> AUS Phone 61-42-4157-491
>> AUS Fax 61-29-4750-026
>> http://www.bleedingthreats.net
>> --------------------------------------------
>>
>> PGP: http://www.bleedingthreats.com/mattjonkman.asc
>>
> I got a few hits on a user logging into accuweather.com's premium service....
>
> Kinda ironic :)
>
> I'll leave 'em enabled for now and see what else I get.
>
> Dajackman
>

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc
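To make the false-positive exposure discussed in this thread concrete, here is an added example (hand-written for this page, not code from the thread, from Snort, or from Bleeding Edge Threats): a small Python model of the two rules' matching logic, following the options as posted (both ports in 1024:65535, established flow, direction, dsize:4, the BE.stormtcp.init flowbit), run over constructed flows. It shows that any established high-port connection whose first client segment and later server segments are exactly 4 bytes fires sid 2007641, and that one such flow fires it again on every further 4-byte server segment; the flow names, ports and payload sizes are constructed, not captures.

```python
# Added example: a hand-written model of the two Storm TCP rules' matching
# logic (not Snort and not Bleeding Edge code), evaluated over constructed
# flow events to show what fires sid 2007641 and what does not.
from dataclasses import dataclass, field

FLOWBIT = "BE.stormtcp.init"
ALERT_MSG = "BLEEDING-EDGE TROJAN Storm Controller Response to Drone via tcp"


@dataclass
class Segment:
    """One TCP segment carrying payload, as the rules would see it.
    direction is the flow's view: 'to_server' (HOME_NET client -> EXTERNAL_NET
    server) or 'from_server'. Ports are kept as client_port/server_port so the
    $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 header is the same test
    whichever way the segment travels."""
    flow: str
    direction: str
    client_port: int
    server_port: int
    payload_len: int
    established: bool = True


@dataclass
class FlowState:
    bits: set = field(default_factory=set)


def _header_matches(seg: Segment) -> bool:
    # Both rule headers restrict both ends to 1024:65535 and require an
    # established flow; a well-known server port (22, 80) fails here.
    return (seg.established
            and 1024 <= seg.client_port <= 65535
            and 1024 <= seg.server_port <= 65535)


def rule_2007640(seg: Segment, st: FlowState) -> bool:
    """Initial outbound rule: to_server, dsize:4, flowbit not yet set.
    flowbits:noalert means a match sets the bit but never raises an alert."""
    if not _header_matches(seg) or seg.direction != "to_server":
        return False
    if seg.payload_len != 4 or FLOWBIT in st.bits:
        return False
    st.bits.add(FLOWBIT)
    return False


def rule_2007641(seg: Segment, st: FlowState) -> bool:
    """Controller response rule: from_server, dsize:4, flowbit set -> alert.
    Nothing unsets the bit, so every later 4-byte server segment on the
    same flow alerts again."""
    if not _header_matches(seg) or seg.direction != "from_server":
        return False
    return seg.payload_len == 4 and FLOWBIT in st.bits


def alerts_by_flow(segments):
    """Run both rules in order over the segments; return {flow: alert count}."""
    states, counts = {}, {}
    for seg in segments:
        st = states.setdefault(seg.flow, FlowState())
        rule_2007640(seg, st)
        if rule_2007641(seg, st):
            counts[seg.flow] = counts.get(seg.flow, 0) + 1
    return counts


# Constructed flows (not captures): a Storm-style 4/4 handshake, a benign
# application with the same 4-byte request/reply shape, a flow with repeated
# 4-byte server segments, a 4/4 exchange to a well-known port, and an
# ordinary HTTP exchange.
SAMPLE = [
    Segment("storm", "to_server", 40123, 30001, 4),
    Segment("storm", "from_server", 40123, 30001, 4),
    Segment("benign-4byte", "to_server", 51000, 33033, 4),
    Segment("benign-4byte", "from_server", 51000, 33033, 4),
    Segment("chatty", "to_server", 52000, 44044, 4),
    Segment("chatty", "from_server", 52000, 44044, 4),
    Segment("chatty", "from_server", 52000, 44044, 4),
    Segment("chatty", "from_server", 52000, 44044, 4),
    Segment("ssh-like", "to_server", 53000, 22, 4),
    Segment("ssh-like", "from_server", 53000, 22, 4),
    Segment("http", "to_server", 54000, 80, 300),
    Segment("http", "from_server", 54000, 80, 1400),
]

if __name__ == "__main__":
    for flow, n in alerts_by_flow(SAMPLE).items():
        print(f"{flow}: {n} x {ALERT_MSG}")
```

The benign flow alerts exactly like the Storm flow because the rules carry no content match, and the "chatty" flow shows how a single source can account for many of the 8967 events Russell saw.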


Was this page helpful?
Yes No
Thread at a glance:

Previous Message by Date: click to view message preview

Re: Storm TCP Sigs

I got a few hits on a user logging into accuweather.com's premium service.... Kinda ironic :) I'll leave 'em enabled for now and see what else I get. Dajackman On 10/16/07, Will Metcalf <william.metcalf-Re5JQEeQqe8AvxtiuMwx3w@xxxxxxxxxxxxxxxx> wrote: > It's ok Jonkman we've got it from here..... ;-) > > http://www.hollywoodblog.globolog.com.br/airplane2.jpg > > Regards, > > Will > > On 10/16/07, Matt Jonkman <jonkman-eqVdsuqBafFWk0Htik3J/w@xxxxxxxxxxxxxxxx> > wrote: > > I would agree. I'm traveling so can't look into it at the moment, but > > I'll disable the sigs for now. > > > > Matt > > > > Russell Fulton wrote: > > > Ouch!!! > > > > > > Time Window for this screen:* **Tue Oct 16 14:13:32 2007 * to * Tue Oct > > > 16 14:51:49 2007* > > > > > > > > > Signature Total Events IP Srcs IP Dsts Sensor > > > Latest Timestamp > > > BLEEDING-EDGE TROJAN Storm Controller Response to Drone via tcp > > > <https://ruru.insec/placid/summary.py?%20&timebefore=86400%20&signame=BLEEDING-EDGE%20TROJAN%20Storm%20Controller%20Response%20to%20Drone%20via%20tcp&groupby=none> > > > 8967 > > > <https://ruru.insec/placid/summary.py?%20&timebefore=86400%20&signame=BLEEDING-EDGE%20TROJAN%20Storm%20Controller%20Response%20to%20Drone%20via%20tcp&groupby=none> > > > 681 > > > <https://ruru.insec/placid/summary.py?%20&timebefore=86400%20&signame=BLEEDING-EDGE%20TROJAN%20Storm%20Controller%20Response%20to%20Drone%20via%20tcp&ipdst=distinct&groupby=ip> > > > 214 > > > <https://ruru.insec/placid/summary.py?%20&timebefore=86400%20&signame=BLEEDING-EDGE%20TROJAN%20Storm%20Controller%20Response%20to%20Drone%20via%20tcp&ipsrc=distinct&groupby=ip> > > > 1 > > > <https://ruru.insec/placid/summary.py?%20&timebefore=86400%20&signame=BLEEDING-EDGE%20TROJAN%20Storm%20Controller%20Response%20to%20Drone%20via%20tcp&groupby=sensor> > > > 2007-10-17 10:46:37 > > > > > > > > > I don't think I have that many undiscovered storm worms on campus! > > > > > > My guess is that Skype is triggering this. 
> > > > > > Russell > > > > > > > > > Matt Jonkman wrote: > > >> This new variant of Storm is using a short TCP connection for direct > > >> commands apparently. Reverse engineered by Joe Stewart at Secureworks. > > >> It's in essence 4bytes up from the drone, 4bytes back to setup and > > >> authenticate eachother. > > >> > > >> These sigs will catch that setup. I can't imagine many situations where > > >> these would false, but it is possible. Please report any issues. > > >> > > >> alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 > > >> (msg:"BLEEDING-EDGE TROJAN Storm Making initial outbound connection"; > > >> flowbits:isnotset,BE.stormtcp.init; flow:established,to_server; dsize:4; > > >> classtype:trojan-activity; flowb > > >> its:noalert; flowbits:set,BE.stormtcp.init; > > >> reference:url,doc.bleedingthreats.net/bin/view/Main/StormWorm; > > >> sid:2007640; rev;1;) > > >> > > >> alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 > > >> (msg:"BLEEDING-EDGE TROJAN Storm Controller Response to Drone via tcp"; > > >> flowbits:isset,BE.stormtcp.init; flow:established,from_server; dsize:4; > > >> classtype:trojan-activity; > > >> reference:url,doc.bleedingthreats.net/bin/view/Main/StormWorm; > > >> sid:2007641; rev:1;) > > >> > > >> > > >> > > > > > > ------------------------------------------------------------------------ > > > > > > _______________________________________________ > > > Bleeding-sigs mailing list > > > Bleeding-sigs-WwB1pFISwSkm7effSn6vN9HuzzzSOjJt@xxxxxxxxxxxxxxxx > > > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs > > > > -- > > -------------------------------------------- > > Matthew Jonkman > > Bleeding Edge Threats > > US Phone 765-429-0398 > > US Fax 312-264-0205 > > AUS Phone 61-42-4157-491 > > AUS Fax 61-29-4750-026 > > http://www.bleedingthreats.net > > -------------------------------------------- > > > > PGP: http://www.bleedingthreats.com/mattjonkman.asc > > > > > > 
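The flowbits pairing quoted above (sid 2007640 silently sets BE.stormtcp.init on a 4-byte client payload, sid 2007641 alerts on the 4-byte server reply once the bit is set) can be stepped through offline. The Python below is an added example, not code from the list or from Bleeding Edge Threats. It transcribes the two rules into a small matcher, runs them over constructed flow records (10.0.0.0/8 stands in for $HOME_NET, a `to_server` flag stands in for the direction Snort's `flow:` keyword infers, and every packet is assumed to belong to an established flow) and tallies alerts the way the placid summary does: total events, distinct source IPs, distinct destination IPs. It shows the false-positive profile Russell and Dajackman report: any 4-byte request answered by a 4-byte reply between two high ports trips the pair, Storm or not.

```python
"""Step the two Storm TCP flowbits rules over constructed flow records.

Added example, not from the list post. Assumptions: 10.0.0.0/8 is $HOME_NET,
packets are already in an established TCP flow, and `to_server` carries the
direction that Snort's `flow:` keyword would track.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

HOME_NET_PREFIX = "10."  # constructed stand-in for $HOME_NET


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    to_server: bool  # True: client->server, False: server->client
    dsize: int       # TCP payload length in bytes


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    src_home: bool                   # True: $HOME_NET -> $EXTERNAL_NET; False: reverse
    to_server: bool                  # flow:established,to_server / from_server
    dsize: int                       # dsize:N
    isnotset: Optional[str] = None   # flowbits:isnotset,<bit>
    isset: Optional[str] = None      # flowbits:isset,<bit>
    setbit: Optional[str] = None     # flowbits:set,<bit>
    noalert: bool = False            # flowbits:noalert


# Transcription of the two rules in the post; both are limited to ports 1024:65535.
RULES: List[Rule] = [
    Rule(2007640, "Storm Making initial outbound connection", True, True, 4,
         isnotset="BE.stormtcp.init", setbit="BE.stormtcp.init", noalert=True),
    Rule(2007641, "Storm Controller Response to Drone via tcp", False, False, 4,
         isset="BE.stormtcp.init"),
]

FlowKey = Tuple[Tuple[str, int], Tuple[str, int]]


def is_home(ip: str) -> bool:
    return ip.startswith(HOME_NET_PREFIX)


def is_ephemeral(port: int) -> bool:
    return 1024 <= port <= 65535


def flow_key(p: Packet) -> FlowKey:
    # Direction-independent key so both sides of a flow share one flowbits set.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def run_rules(packets: List[Packet], rules: List[Rule] = RULES) -> List[Tuple[int, str, str]]:
    """Return (sid, src, dst) for every alert, in packet order."""
    flowbits: Dict[FlowKey, Set[str]] = {}
    alerts: List[Tuple[int, str, str]] = []
    for p in packets:
        if not (is_ephemeral(p.sport) and is_ephemeral(p.dport)):
            continue  # a port outside 1024:65535 on either side: neither rule applies
        bits = flowbits.setdefault(flow_key(p), set())
        for r in rules:
            if is_home(p.src) != r.src_home or is_home(p.dst) == r.src_home:
                continue  # wrong $HOME_NET/$EXTERNAL_NET orientation
            if p.to_server != r.to_server or p.dsize != r.dsize:
                continue
            if r.isnotset and r.isnotset in bits:
                continue
            if r.isset and r.isset not in bits:
                continue
            if r.setbit:
                bits.add(r.setbit)
            if not r.noalert:
                alerts.append((r.sid, p.src, p.dst))
    return alerts


def summarize(alerts: List[Tuple[int, str, str]]) -> Dict[str, int]:
    """The three counters from the placid summary in Russell's mail."""
    return {"total_events": len(alerts),
            "ip_srcs": len({a[1] for a in alerts}),
            "ip_dsts": len({a[2] for a in alerts})}


def two_way(client, cport, server, sport, up, down) -> List[Packet]:
    return [Packet(client, cport, server, sport, True, up),
            Packet(server, sport, client, cport, False, down)]


# Constructed traffic (documentation-range addresses, not real hosts).
STORM_LIKE = two_way("10.0.0.5", 3456, "203.0.113.7", 7871, 4, 4)      # 4 up, 4 back
BENIGN_4_4 = two_way("10.0.0.9", 50123, "198.51.100.20", 33033, 4, 4)  # any 4/4 exchange
BENIGN_4_120 = two_way("10.0.0.9", 50124, "198.51.100.21", 33033, 4, 120)
WEB = two_way("10.0.0.9", 50125, "198.51.100.22", 80, 4, 4)            # port 80: out of range


def demo() -> List[Tuple[int, str, str]]:
    return run_rules(STORM_LIKE + BENIGN_4_4 + BENIGN_4_120 + WEB)


if __name__ == "__main__":
    hits = demo()
    for sid, src, dst in hits:
        print(sid, src, "->", dst)
    print(summarize(hits))
```

Only the reply rule ever alerts, and it alerts identically for the Storm-like flow and the benign 4/4 exchange; the matcher has nothing but payload length and direction to distinguish them, which is the limitation the thread runs into. A reply of any other size, or a flow that touches a port below 1024, never fires.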

Next Message by Date: Re: Agent Alt hits - Followup

Can you share a packet?

Jack Pepper wrote:
> Quoting Jack Pepper <pepperjack-MpKn7LJJCHSju1H+chf1WFaTQe2KTcn/@public.gmane.org>:
>
>> The rule for 2007591 is hitting lots of malware check-ins, and they
>> look like good hits.
>
> The hits do not look like Agent.Alt infections. They appear to be
> counters for the Revenue Science BHO application.
>
> Are other people seeing these? I am seeing these at all of my sites, in
> some cases thousands of them.
>
> jp
>
> ----------------------------------------------------------------
> @fferent Security Labs: Isolate/Insulate/Innovate
> http://www.afferentsecurity.com

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


Next Message by Thread: Agent Alt hits

The wiki on http://doc.bleedingthreats.net/bin/view/Main/Win32AgentALT has links to four rules, but the links all point to the same location. I didn't want to just start editing it in case it was like that for a reason.

The wiki also mentions flowbits on the rules, but I don't see any flowbits in the actual rule definitions. Is this an oversight or is it just a design item that turned out to be unnecessary?

The rule for 2007591 is hitting lots of malware check-ins, and they look like good hits. Nice hits.

jp

----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com