Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)
From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Wed, 25 Jan 2006 04:39:58 -0500

Gadi Evron wrote:
This is an urgent alert released by the cooperative efforts of the MWP /
DA groups that also worked on the hurricane Rita scams. This task force is
now known as the TISF BlackWorm task force.
This task force involves many in the security (anti spam, CERTs, anti
virus, academia, ISP's, etc.) community and industry, working together to
combat threats to the security of the Internet in cooperation with law enforcement globally.

Thanks for the info, Gadi. I've been a bit behind and this is the first I'd hear of Blackworm.

alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request
without referrer (possible BlackWorm infection)";
content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|";
content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|";
classtype:misc-activity; sid:1000376; rev:1;)

alert tcp any any -> any 80 (msg:"Agentless HTTP request to
www.microsoft.com (possible BlackWorm infection)"; dsize:92;
content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|
classtype:misc-activity; sid:1000377; rev:1;)

Thanks, Joe! Checked my IDS and it had already updated itself and had these signatures. I put together a small swatch config file to watch syslog (snort logs to MySQL and syslog) for these alerts. Very useful for me since I'll actually be in the office for only two of the next 14 days. Details are at http://www.jeremygaddis.com/ if anyone's interested.


Jeremy L. Gaddis, GCWN, Linux+, Network+
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]