08-13-2003 03:42 AM - edited 03-09-2019 04:25 AM
I have an NIDS that monitors all the traffic to the Internet.
Is there a custom signature that I can apply that will catch all of the internal machines with a possible infection of w32/blaster by looking for http connections to windowsupdate.com?
08-13-2003 08:23 AM
It would be difficult to write a good signature to catch attempts by a worm connecting to the Microsoft site. It uses DNS to look up the hostname, and these IPs might change over time. Firewalls and routers would probably make a better place to catch this activity than an IDS. A better signature is catching the attempt by an infected system to download the worm payload via TFTP. It is reported that a newly infected host will attempt to download the worm payload from the host that infected it. Here is a custom signature for that.
Engine STRING.UDP
SigName MS Blast Worm TFTP Request
ServicePorts 69
RegexString \x00\x01[Mm][Ss][Bb][Ll][Aa][Ss][Tt][.][Ee][Xx][Ee]\x00
Direction ToService
08-15-2003 09:15 AM
Here are a few more custom signatures, including the one posted above, to detect variants.
Engine STRING.UDP
SigName MS Blast Worm TFTP Request
ServicePorts 69
RegexString \x00\x01[Mm][Ss][Bb][Ll][Aa][Ss][Tt][.][Ee][Xx][Ee]\x00
Direction ToService

Engine STRING.UDP
SigName MS Blast Worm B TFTP Request penis32.exe
ServicePorts 69
RegexString \x00\x01[Pp][Ee][Nn][Ii][Ss][3][2][.][Ee][Xx][Ee]\x00
Direction ToService

Engine STRING.UDP
SigName MS Blast Worm C TFTP Request teekids.exe
ServicePorts 69
RegexString \x00\x01[Tt][Ee][Ee][Kk][Ii][Dd][Ss][.][Ee][Xx][Ee]\x00
Direction ToService

Engine STRING.UDP
SigName MS Blast Worm TFTP Request smsx.exe
ServicePorts 69
RegexString \x00\x01[Ss][Mm][Ss][Xx][.][Ee][Xx][Ee]\x00
Direction ToService
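To show what the four STRING.UDP signatures above actually match, here is an added example (not from the thread or from the Cisco sensor) that re-expresses them as Python regexes and runs them over constructed TFTP datagrams: the RegexString is opcode 0x0001 (a TFTP read request), the filename with every letter in a [Xx] class, then the NUL that ends the filename field, and ServicePorts 69 / Direction ToService restrict it to traffic sent to the TFTP port. The packet tuples, addresses and sample traffic are assumptions made up for the demonstration.

```python
import re
import struct

# The four signatures from the thread, keyed by SigName. Every letter of each
# RegexString sits in a [Xx] class, so the match is ASCII case-insensitive.
BLASTER_TFTP_SIGNATURES = {
    "MS Blast Worm TFTP Request": b"msblast.exe",
    "MS Blast Worm B TFTP Request penis32.exe": b"penis32.exe",
    "MS Blast Worm C TFTP Request teekids.exe": b"teekids.exe",
    "MS Blast Worm TFTP Request smsx.exe": b"smsx.exe",
}

# RegexString layout: \x00\x01 (TFTP RRQ opcode), the filename, then the NUL
# terminating the filename field. re.IGNORECASE on bytes mirrors the [Xx] classes.
COMPILED = {
    name: re.compile(b"\x00\x01" + re.escape(fname) + b"\x00", re.IGNORECASE)
    for name, fname in BLASTER_TFTP_SIGNATURES.items()
}


def tftp_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Build a TFTP RRQ (opcode 1) or WRQ (opcode 2) payload as laid out in RFC 1350."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


def match_udp_payload(dst_port: int, payload: bytes) -> list:
    """Names of signatures that fire on one datagram (ServicePorts 69, Direction ToService)."""
    if dst_port != 69:
        return []
    return [name for name, rx in COMPILED.items() if rx.search(payload)]


def scan(datagrams: list) -> list:
    """Run the signatures over constructed (src_ip, dst_ip, dst_port, payload) tuples.
    Per the thread, the source is the newly infected host, the destination its infector."""
    return [(name, src, dst) for src, dst, dport, payload in datagrams
            for name in match_udp_payload(dport, payload)]


# Constructed sample traffic with RFC 1918 addresses (assumed, not from the thread).
SAMPLE = [
    ("10.0.0.5", "10.0.0.9", 69, tftp_request(1, "msblast.exe")),
    ("10.0.0.6", "10.0.0.9", 69, tftp_request(1, "TEEKIDS.EXE")),   # mixed case still fires
    ("10.0.0.7", "10.0.0.9", 69, tftp_request(1, "readme.txt")),    # ordinary TFTP read
    ("10.0.0.8", "10.0.0.9", 69, tftp_request(2, "msblast.exe")),   # WRQ (opcode 2): no match
    ("10.0.0.5", "10.0.0.9", 1069, tftp_request(1, "smsx.exe")),    # not the service port
]
```

Running `scan(SAMPLE)` reports only the first two datagrams, which is the behaviour the sensor signatures give: a write request or a transfer to a non-standard port is not alerted on, so pair the IDS rule with the firewall/router controls the earlier reply recommends.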