01-25-2006 08:40 AM - edited 03-10-2019 01:51 AM
Hi, do we have a signature for the blackworm, or instructions for creating a custom signature to detect it. (http://isc.sans.org/blackworm)
Thanks.
01-25-2006 04:47 PM
Even if this has particularly caught the media attention, this is another of those mass-mailer worms. As you may know, for this kind of threat we are relying on our partnership with TrendMicro to decide if and when to write a signature.
So far this threat is still rated as "low" on their website. We don't currently plan to release a signature for this untill their rating has been increased to medium or high.
In the meantime you can use the following custom signature to catch WORM_GREW.A also known as W32.Blackmal.E@mm, W32/Kapser.A@mm, W32/MyWife, Win32/Blackmal.F:
Engine: String.TCP
Service Port: 25
Regex String :
\x6d\x41\x70\x4d\x6a\x74\x64\x4e\x45\x51\x78\x4a\x7a\x49\x6a\x53\x79\x46\x49\x4f\x44\x30\x4e\x43\x6b\x31\x4b\x57\x6c\x51\x70\x4e
01-27-2006 09:38 AM
Other vensors have already produced the signatures for Blackworm (Nyxem.E, Blackmal.E, MyWife, Tearec).
Do Cisco have an update as Feb 3 is the troublesome date?
Simone.
01-27-2006 01:42 PM
See the first reply for a custom signature. It is official, from Cisco.
01-27-2006 02:40 PM
I understand Trend Micro has decided this is a low threat; however others have rated this at a medium. While I understand the partnership with TM I do not understand leaving your customers without adequate IDS coverage for something that is apparently more of threat to them.
The custom signature that you posted here does okay for an SMTP based variant but once this particular worm gets in it will look for open shares. What we need is a way to detect this. From what I saw from Snort it did not look like that was available but instead there were ways to detect the worm trying hit the web site with a counter, possibly showing a machine that is infected, or possible just showing firewall logs.
What would be nice is to not have to worry about the worm because Cisco provided a quality signature and blocked the worm as soon as it sees it. I can create my own custom signatures but when you have customers asking for this and they have paid Cisco for a product plus they are paying support, I do not understand why Cisco will not deliver. Can you explain this other than that is Cisco's answer?
This is just my opinion but as a customer it also affects my decision to remain a customer.
my .02
01-29-2006 05:43 AM
Please advise how to create a signature (service.http engine?) that would trigger if it finds regex pattern A in an HTTP request which does not contain the pattern B?
Thanks.
01-30-2006 06:04 AM
The Cisco IDS/IPS sensors are not an antivirus solution. That being said, because of typical sensor placement, we see the usefulness of the sensor to provide some sort of mitigation in certain instances. For one, we partner with Trend Micro and when there is virus/worm outbreak that is elevated to medium or high, we will package a signature for that worm onto the sensor and release that update - so far, everytime this has happened, the update has been available on CCO in under 8 hours from Trend's initial elevation.
Our goal is to write vulnerability based signatures. Numerous worms/virus spread via the same vulnerability, we catch the attempted exploit of that vulnerability, you stop the worm from spreading. So something like sigID 3338 - LSASS RPC overflow - Sasser, Korgo, RXBot all try to exploit this. Why write signatures for the individual worms when the one that we have stops then all from spreading.
As to BlackWorm, Trend has not elevated this to a medium/high risk outbreak (Trends rating of this is not what we ultimately base our decision on). We currenty don't see this is severe enough to release a signature for. However, there has been a fair amount of interest in it, as such, we've decided to provide a custom signature for those who want it. Based on where most sensors are placed, the smtp based signature provides the best coverage.
02-09-2006 08:47 AM
Where is the custom signature?
Is it the regex string posted in the previous posting? Do you have more insight on how to create it, what engine etc.?
02-09-2006 11:29 AM
It is the regex posted. The engine is listed along with the regex, but to clarify, it's in "string.tcp" and *to* port 25.
05-29-2006 01:30 AM
Just to add fuel to this discussion, the 4200 brochure says, it will provide protection against network viruses, what does that mean ;-)
http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/index.html
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: