mailing list archives
Re: Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)
From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Wed, 25 Jan 2006 04:39:58 -0500
Gadi Evron wrote:
This is an urgent alert released by the cooperative efforts of the MWP /
DA groups that also worked on the hurricane Rita scams. This task force is
now known as the TISF BlackWorm task force.
This task force involves many in the security (anti spam, CERTs, anti
virus, academia, ISP's, etc.) community and industry, working together to
combat threats to the security of the Internet in cooperation with law enforcement globally.
Thanks for the info, Gadi. I've been a bit behind and this is the first
I'd hear of Blackworm.
alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request
without referrer (possible BlackWorm infection)";
content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|";
content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|";
classtype:misc-activity; sid:1000376; rev:1;)
alert tcp any any -> any 80 (msg:"Agentless HTTP request to
www.microsoft.com (possible BlackWorm infection)"; dsize:92;
content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|
classtype:misc-activity; sid:1000377; rev:1;)
Thanks, Joe! Checked my IDS and it had already updated itself and had
these signatures. I put together a small swatch config file to watch
syslog (snort logs to MySQL and syslog) for these alerts. Very useful
for me since I'll actually be in the office for only two of the next 14
days. Details are at http://www.jeremygaddis.com/ if anyone's interested.
Jeremy L. Gaddis, GCWN, Linux+, Network+
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/