signature for blackworm

roxanne.tsui
Level 1

Hi, do we have a signature for the blackworm, or instructions for creating a custom signature to detect it? (http://isc.sans.org/blackworm)

Thanks.


jdal
Cisco Employee

Even if this has particularly caught the media attention, this is another of those mass-mailer worms. As you may know, for this kind of threat we are relying on our partnership with TrendMicro to decide if and when to write a signature.

So far this threat is still rated as "low" on their website. We don't currently plan to release a signature for this until their rating has been increased to medium or high.

In the meantime you can use the following custom signature to catch WORM_GREW.A also known as W32.Blackmal.E@mm, W32/Kapser.A@mm, W32/MyWife, Win32/Blackmal.F:

Engine: String.TCP

Service Port: 25

Regex String :

\x6d\x41\x70\x4d\x6a\x74\x64\x4e\x45\x51\x78\x4a\x7a\x49\x6a\x53\x79\x46\x49\x4f\x44\x30\x4e\x43\x6b\x31\x4b\x57\x6c\x51\x70\x4e

Other vendors have already produced the signatures for Blackworm (Nyxem.E, Blackmal.E, MyWife, Tearec).

Does Cisco have an update, as Feb 3 is the troublesome date?

Simone.

See the first reply for a custom signature. It is official, from Cisco.

I understand Trend Micro has decided this is a low threat; however others have rated this at a medium. While I understand the partnership with TM I do not understand leaving your customers without adequate IDS coverage for something that is apparently more of a threat to them.

The custom signature that you posted here does okay for an SMTP based variant but once this particular worm gets in it will look for open shares. What we need is a way to detect this. From what I saw from Snort it did not look like that was available but instead there were ways to detect the worm trying to hit the web site with a counter, possibly showing a machine that is infected, or possibly just showing firewall logs.

What would be nice is to not have to worry about the worm because Cisco provided a quality signature and blocked the worm as soon as it sees it. I can create my own custom signatures but when you have customers asking for this and they have paid Cisco for a product plus they are paying support, I do not understand why Cisco will not deliver. Can you explain this other than that is Cisco's answer?

This is just my opinion but as a customer it also affects my decision to remain a customer.

my .02

Please advise how to create a signature (service.http engine?) that would trigger if it finds regex pattern A in an HTTP request which does not contain the pattern B?

Thanks.

The Cisco IDS/IPS sensors are not an antivirus solution. That being said, because of typical sensor placement, we see the usefulness of the sensor to provide some sort of mitigation in certain instances. For one, we partner with Trend Micro and when there is a virus/worm outbreak that is elevated to medium or high, we will package a signature for that worm onto the sensor and release that update - so far, every time this has happened, the update has been available on CCO in under 8 hours from Trend's initial elevation.

Our goal is to write vulnerability based signatures. Numerous worms/viruses spread via the same vulnerability, we catch the attempted exploit of that vulnerability, you stop the worm from spreading. So something like sigID 3338 - LSASS RPC overflow - Sasser, Korgo, RXBot all try to exploit this. Why write signatures for the individual worms when the one that we have stops them all from spreading?

As to BlackWorm, Trend has not elevated this to a medium/high risk outbreak (Trend's rating of this is not what we ultimately base our decision on). We currently don't see this as severe enough to release a signature for. However, there has been a fair amount of interest in it, as such, we've decided to provide a custom signature for those who want it. Based on where most sensors are placed, the SMTP based signature provides the best coverage.

Where is the custom signature?

Is it the regex string posted in the previous posting? Do you have more insight on how to create it, what engine etc.?

wsulym
Cisco Employee

It is the regex posted. The engine is listed along with the regex, but to clarify, it's in "string.tcp" and *to* port 25.
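
An offline check of the regex from the first reply, added here as an example and not part of any post in this thread or of Cisco's sensor code. It decodes the hex escapes to the fixed byte string they name and matches it only on traffic to port 25, carrying bytes over between segments so a pattern split across two segments is still seen. The `SmtpStreamScanner` class, the addresses and the sample payloads are assumptions constructed for the example; in-order delivery is assumed.

```python
import re

# Regex string exactly as posted in the first reply (32 hex-escaped bytes).
SIG = (rb"\x6d\x41\x70\x4d\x6a\x74\x64\x4e\x45\x51\x78\x4a\x7a\x49\x6a\x53"
       rb"\x79\x46\x49\x4f\x44\x30\x4e\x43\x6b\x31\x4b\x57\x6c\x51\x70\x4e")
SIG_RE = re.compile(SIG)
SERVICE_PORT = 25  # the signature applies to traffic *to* port 25


def sig_literal() -> bytes:
    """The pattern is only \\xNN escapes, so it names one fixed byte string."""
    return bytes.fromhex(SIG.replace(b"\\x", b"").decode("ascii"))


KEEP = len(sig_literal()) - 1  # bytes carried over between segments


class SmtpStreamScanner:
    """Hypothetical helper: match the pattern per flow across segment boundaries.

    Assumes segments arrive in order (no reordering or retransmit handling).
    """

    def __init__(self):
        self._tail = {}  # flow 4-tuple -> last KEEP bytes seen on that flow

    def feed(self, src, sport, dst, dport, payload: bytes) -> bool:
        if dport != SERVICE_PORT:
            return False  # other services are out of scope for this signature
        flow = (src, sport, dst, dport)
        window = self._tail.get(flow, b"") + payload
        # Keep one byte less than the pattern length: enough to complete a
        # split match, too short to report the same match twice.
        self._tail[flow] = window[-KEEP:]
        return SIG_RE.search(window) is not None


if __name__ == "__main__":
    # Constructed sample: filler bytes around the pattern, cut mid-pattern.
    body = b"x" * 10 + sig_literal() + b"y" * 10
    scanner = SmtpStreamScanner()
    print("literal:", sig_literal().decode("ascii"))
    for part in (body[:25], body[25:]):
        hit = scanner.feed("10.0.0.5", 40000, "192.0.2.10", 25, part)
        print(len(part), "bytes ->", "ALERT" if hit else "no match")
```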

Just to add fuel to this discussion, the 4200 brochure says, it will provide protection against network viruses, what does that mean ;-)

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/index.html
