
W32.BugBear sigs

brok3n
Level 1

Anyone have any sigs or network dumps of the bugbear worm/its traffic that's going around now?

-brkn!

5 Replies

IDSMC.Guy
Level 1

Did you get any responses? I'd like to have them if you did. I'm thinking SANS, EEYE, or CERT may have them available.

D.

I submitted a TAC Case on this issue and was told by the engineer that contacted me that Cisco has no plans to add a specific signature to capture the BugBear virus. Three days later they released Signature Update 3.1(3)S33. Below is a description of the signature in question from the Cisco Alert.

"Signature 9023 has been added to address the backdoor created by the W32.Bugbear worm. The signature will fire if a SYN packet is detected destined for TCP port 36794. Any activity on this port may indicate an attacker accessing the Bugbear backdoor. This signature is disabled by default. You can only apply this signature update to IDS-42xx and NRS-xx series Cisco Intrusion Detection System (IDS) sensors. It is not compatible with the WS-X6381-IDS series Intrusion Detection System Module (IDSM)."

Note that this signature is disabled by default (all action codes are set to "0" in packetd.conf), therefore set the action codes to a value higher than 0 and higher than your MinContextLevel to see attempts to access the backdoor port by BugBear.

mcerha
Level 3

Here is an example signature converted from a proposed Snort signature that supposedly fires on the Bugbear worm. It has not been tested. Nor will it be supported or included in a signature update. It may false positive and cause a performance hit on your sensors.

Also, we did release a signature for the BugBear backdoor port in S33. It was a miscommunication that we would not create a signature for that. However, we do not generally write signatures for email-borne viruses like BugBear itself. We believe that anti-virus is the best solution for mitigating these kinds of problems.

___________________________________________________________________________
Current Signature: Engine ATOMIC.TCP SIGID 20000
SigName: Bugbear Worm
___________________________________________________________________________
0 - Edit ALL Parameters
1 - AlarmInterval =
2 - AlarmThrottle = FireOnce
3 - ChokeThreshold = 100
4 - DstPort = 25
5 - FlipAddr =
6 - LimitSummary =
7 * Mask = PSH ACK
8 - MaxInspectLength =
9 - MinHits =
10 - PortRange =
11 - ResetAfterIdle = 15
12 - SigComment =
13 - SigName = Bugbear Worm
14 - SigStringInfo =
15 - SinglePacketRegex = uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQ
16 - SourcePorts =
17 - SrcPort =
18 * StorageKey = SRC
19 * TcpFlags = PSH ACK
20 - ThrottleInterval = 30
21 - WantFrag =
d - Delete a value
u - UNDO and continue
x - SAVE and continue

___________________________________________________________________________
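The two detections discussed in this thread, signature 9023's SYN-to-TCP/36794 check and the posted ATOMIC.TCP signature 20000 with its Mask/TcpFlags test, payload regex and FireOnce-per-source throttle, as an added Python example; this is not Cisco code or the posted signature itself. The Packet record and the traffic stream are constructed for the example, and the Mask/TcpFlags and FireOnce/StorageKey semantics are my reading of the listing above, not a verified description of the sensor.

```python
import re
from collections import namedtuple
# Constructed packet record for the example, not a capture. flags is a frozenset
# of TCP flag names, e.g. frozenset({"SYN"}) or frozenset({"PSH", "ACK"}).
Packet = namedtuple("Packet", "src dst dport flags payload", defaults=(b"",))
BACKDOOR_PORT = 36794  # signature 9023 (S33): SYN to the Bugbear backdoor port
# Signature 20000's base64 fragment; '+' is escaped because it is a quantifier in
# Python's re (check whether the sensor's regex syntax needs the same escaping).
FRAGMENT = b"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQ"
SIG20000 = {
    "DstPort": 25,
    "Mask": frozenset({"PSH", "ACK"}),      # flag bits that are examined (assumed)
    "TcpFlags": frozenset({"PSH", "ACK"}),  # values those bits must have (assumed)
    "Regex": re.compile(re.escape(FRAGMENT)),
    "ThrottleInterval": 30,                 # AlarmThrottle=FireOnce, StorageKey=SRC
}

class Detector:
    def __init__(self):
        self._last = {}  # (sigid, source address) -> time of last alarm
    def _fire_once(self, sigid, src, ts, interval):
        """One alarm per source address per ThrottleInterval seconds."""
        last = self._last.get((sigid, src))
        if last is not None and ts - last < interval:
            return False
        self._last[(sigid, src)] = ts
        return True
    def inspect(self, pkt, ts):
        """Return (sigid, name, src, dst) alarms raised by one packet."""
        alarms = []
        if pkt.dport == BACKDOOR_PORT and "SYN" in pkt.flags:
            alarms.append((9023, "Bugbear backdoor SYN", pkt.src, pkt.dst))
        s = SIG20000
        if (pkt.dport == s["DstPort"] and (pkt.flags & s["Mask"]) == s["TcpFlags"]
                and s["Regex"].search(pkt.payload)
                and self._fire_once(20000, pkt.src, ts, s["ThrottleInterval"])):
            alarms.append((20000, "Bugbear Worm", pkt.src, pkt.dst))
        return alarms

def run_sample():
    """Backdoor SYN, non-SYN probe, SMTP hit, throttled repeat, wrong flags, hit."""
    d, pa = Detector(), frozenset({"PSH", "ACK"})
    stream = [(0, Packet("10.0.0.5", "10.0.0.9", 36794, frozenset({"SYN"}))),
              (1, Packet("10.0.0.5", "10.0.0.9", 36794, frozenset({"ACK"}))),
              (2, Packet("10.0.0.7", "192.0.2.25", 25, pa, b"\r\n" + FRAGMENT)),
              (3, Packet("10.0.0.7", "192.0.2.25", 25, pa, FRAGMENT)),
              (4, Packet("10.0.0.7", "192.0.2.25", 25, frozenset({"ACK"}), FRAGMENT)),
              (40, Packet("10.0.0.7", "192.0.2.25", 25, pa, FRAGMENT))]
    return [a for ts, p in stream for a in d.inspect(p, ts)]
```

Because only the bits named in Mask are compared, a SYN+PSH+ACK packet still matches signature 20000; the sample stream yields three alarms, with the repeat at t=3 suppressed by the per-source throttle.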

I have been looking for the BUGBEAR signature in the S33 Sig update but have not been able to find it. Can you give the SIGID for the BUGBEAR signature?

Thanks

9023. It is just an alarm that can be turned to warn of possible scanning for or usage of the backdoor left by the Bugbear worm.