topic Signatures related to confickr worm in Network Security

Signatures related to confickr worm

johnny_utah — Sun, 10 Mar 2019 11:33:14 GMT

Can someone please tell me if there has been a signature generated for the confickr worm and if not, what current signature or set of signatures I might want to key off when looking for this worm?

Re: Signatures related to confickr worm

wsulym — Wed, 18 Mar 2009 13:19:31 GMT

Try this. Go here:

http://tools.cisco.com/security/center/home.x

Type "conficker" into the search box up top...

You get here:

http://tools.cisco.com/security/center/viewAlert.x?alertId=17121

Scroll way down to the linked signature section and you'll see:

7280-0, 7280-1 - these two are signatures that trigger on the smb vulnerability.

13491-0, 13492-0 - these two are meta signatures that make use of existing sigs 5602-0 5605-0 5589-0 to localize infected machines brute forcing their way about. Note that 5602, 5605, and 5589 need to be enabled for the meta signatures to fire.

Re: Signatures related to confickr worm

a.goldsmith — Tue, 31 Mar 2009 05:53:13 GMT

Is there any way we can use our NAMS to any effect to detect infected hosts?

Re: Signatures related to confickr worm

michael.d.brown — Thu, 02 Apr 2009 15:40:53 GMT

FYI, 5 new IPS signatures were released yesterday all on the intellishield alert.

16293/0 Conficker Worm Shellcode S389 04/01/2009

16293/1 Conficker Worm Shellcode S389 04/01/2009

16293/2 Conficker Worm Shellcode S389 04/01/2009

16296/0 Potential Conficker Command And Control Request S389 04/01/2009

16297/0 Worm Activity - Brute Force S389 04/01/2009

Re: Signatures related to confickr worm

SludnevTN_2 — Sun, 26 Jul 2009 08:15:32 GMT

John. Have you found the way to defeat confliker using IOS IPS?

I do not understand why manually UNretired/enabled:

7280/0 Windows Server Service Remote Code Execution S36711/11/2008

7280/1 Windows Server Service Remote Code Execution S36711/11/2008

16293/0 Conficker Worm Shellcode S389 04/01/2009

16293/1 Conficker Worm Shellcode S389 04/01/2009

16296/0 Potential Conficker Command And Control Request S395 04/16/2009

are not triggered in 2 different nets with almost all infected hosts. What I have only noticed a lot of these messages

*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:5601 Subsig:1 Sev:100 Windows LSASS RPC Overflow [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:85

*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:6946 Subsig:0 Sev:100 Web Client Remote Code Execution Vulnerability [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:90

*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:7280 Subsig:0 Sev:100 Windows Server Service Remote Code Execution [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:90

*Jul 25 06:13:23.095: %IPS-4-SIGNATURE: Sig:5600 Subsig:0 Sev:100 Windows ASN.1 Bit String NTLMv2 Integer Overflow [192.168.109.27:1766 -> 192.168.100.118:445] VRF:NONE RiskRating:75

*Jul 25 06:22:47.175: %IPS-4-SIGNATURE: Sig:6764 Subsig:1 Sev:75 Cisco PIX and ASA Time-to-Live DoS [192.168.254.2:0 -> 224.0.0.5:0] VRF:NONE RiskRating:56

*Jul 25 07:15:49.927: %IPS-4-SIGNATURE: Sig:5600 Subsig:0 Sev:100 Windows ASN.1 Bit String NTLMv2 Integer Overflow [192.168.100.93:4658 -> 192.168.103.1:139] VRF:NONE RiskRating:75

But only in during 30 sec. while the signatures are being compiled.

Please help.