10-02-2002 11:16 AM - edited 03-09-2019 12:32 AM
Anyone have any sigs or network dumps of the bugbear worm/its traffic thats going around now?
-brkn!
10-04-2002 06:51 AM
Did you get any responses? I'd like to have them if you did. I'm thinking SANS, EEYE, or CERT may have them available.
D.
10-14-2002 07:54 AM
I submitted a TAC Case on this issue and was told by the engineer that contacted me that Cisco has no plans to add a specific signature to capture the BugBear virus. Three days later they released Signature Update 3.1(3)S33. Below is a description of the signature in question from the Cisco Alert.
"Signature 9023 has been added to address the backdoor created by the
W32.Bugbear worm. The signature will fire if a SYN packet is detected destined for TCP port 36794. Any activity on this port may indicate an attacker accessing the Bugbear backdoor. This signature is disabled by default. You can only apply this signature update to IDS-42xx and NRS-xx series Cisco Intrusion Detection System (IDS) sensors. It is not compatible with the WS-X6381-IDS series Intrusion Detection System Module (IDSM). "
Note that this signature is disabled by default (all action codes are set to "0" in packetd.conf), therefore set the action codes to a value higher than 0 and higher than your MinContextLevel to see attempts to access the backdoor port by BugBear.
10-14-2002 07:27 PM
Here is an example signature converted from a proposed Snort signature that supposedly fires on the Bugbear worm. It has not been tested. Nor will it be supported or included in a signature update. It may false positive and cause a performance hit on your sensors.
Also, we did release a signature for the BugBear backdoor port in S33. It was a miscommunication that we would not create a signature for that. However, we do not generally write signatures for email-borne viruses like BugBear itself. We believe that anti-virus is the best solution for mitigating these kinds of problems.
___________________________________________________________________________
Current Signature: Engine ATOMIC.TCP SIGID 20000
SigName: Bugbear Worm
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireOnce
3 - ChokeThreshold = 100
4 - DstPort = 25
5 - FlipAddr =
6 - LimitSummary =
7 * Mask = PSH ACK
8 - MaxInspectLength =
9 - MinHits =
10 - PortRange =
11 - ResetAfterIdle = 15
12 - SigComment =
13 - SigName = Bugbear Worm
14 - SigStringInfo =
15 - SinglePacketRegex =
uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQ
16 - SourcePorts =
17 - SrcPort =
18 * StorageKey = SRC
19 * TcpFlags = PSH ACK
20 - ThrottleInterval = 30
21 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue
___________________________________________________________________________
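The two signatures discussed in this thread (9023 for the backdoor port, and the untested ATOMIC.TCP 20000 above) modelled as detection logic run over constructed packet summaries. This is an added example, not Cisco sensor code; it assumes the Packet fields and sample addresses, and reads Mask = TcpFlags = PSH ACK as "both bits must be set".

```python
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    flags: frozenset        # TCP flag names that are set, e.g. {"SYN"} or {"PSH", "ACK"}
    payload: bytes = b""

BACKDOOR_PORT = 36794      # port named for signature 9023 in the Cisco alert quoted above
# SinglePacketRegex from the ATOMIC.TCP 20000 entry above, treated as a literal string
BUGBEAR_REGEX = re.compile(re.escape(
    b"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQ"))
SIG20000_MASK = frozenset({"PSH", "ACK"})   # Mask and TcpFlags are both "PSH ACK"

def sig_9023(pkt):
    """Signature 9023: a SYN (a connection attempt, so no ACK) to TCP port 36794."""
    return pkt.dport == BACKDOOR_PORT and "SYN" in pkt.flags and "ACK" not in pkt.flags

def sig_20000(pkt):
    """Custom ATOMIC.TCP 20000: DstPort 25, PSH and ACK set, regex found in the payload."""
    return (pkt.dport == 25 and (pkt.flags & SIG20000_MASK) == SIG20000_MASK
            and BUGBEAR_REGEX.search(pkt.payload) is not None)

def run_sensor(packets):
    """Return (sigid, src, dst) tuples in packet order. AlarmThrottle=FireOnce with
    StorageKey=SRC means 20000 alarms at most once per source address."""
    fired_20000 = set()
    alarms = []
    for p in packets:
        if sig_9023(p):
            alarms.append((9023, p.src, p.dst))
        if sig_20000(p) and p.src not in fired_20000:
            fired_20000.add(p.src)
            alarms.append((20000, p.src, p.dst))
    return alarms

# Constructed sample traffic (not a real capture); addresses are from a documentation range
WORM_CHUNK = b"MIME junk ... uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQ ..."
SAMPLE = [
    Packet("192.0.2.10", "192.0.2.20", 36794, frozenset({"SYN"})),                 # 9023 fires
    Packet("192.0.2.20", "192.0.2.10", 36794, frozenset({"SYN", "ACK"})),          # SYN-ACK: no
    Packet("192.0.2.30", "192.0.2.25", 25, frozenset({"PSH", "ACK"}), WORM_CHUNK), # 20000 fires
    Packet("192.0.2.30", "192.0.2.25", 25, frozenset({"PSH", "ACK"}), WORM_CHUNK), # FireOnce
    Packet("192.0.2.40", "192.0.2.25", 25, frozenset({"ACK"}), WORM_CHUNK),        # PSH missing
    Packet("192.0.2.40", "192.0.2.25", 25, frozenset({"PSH", "ACK"}), b"Hello"),   # no regex
]
```

Calling `run_sensor(SAMPLE)` yields one 9023 alarm and one 20000 alarm; the repeat from 192.0.2.30 is suppressed by FireOnce.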
10-15-2002 06:44 AM
I have been looking for the BUGBEAR signature in the S33 Sig update but have not been able to find it. Can you give the SIGID for the BUGBEAR signature?
Thanks
10-19-2002 01:10 PM
9023. It is just an alarm that can be turned to warn of possible scanning for or usage of the backdoor left by the Bugbear worm.