Storm Worm

Update 3/5/08 New variants appear to be using a new key each execution. More as we pick this apart, but 2007915 and 2007916 are out in the interim -- Correction Not using a new key. The old sigs were looking for the first 4 bytes into the peer id hash, which was static for a long time but is no longer apparently. 2007701 and 2007702 have been adjusted to fit.

Update 2/13/08: Sids 2007701 and 2007702 are very accurate and effective for the encrypted Storm variants most often seen today.

Update 10/16/07: Added sigs for the tcp side c&c channel. The drone after being commanded to makes an outbound tcp connection to another c&c. 4 bytes up, 4 bytes back, authentication. Then commands can be streamed zlib compressed. Joe Stewart has more info on this in his blog.

We've published sigs 2007640 and 2007641 to detect this. Please report issues.

NOTE: 2007640 and 2007641 were a failure, they are no longer in the ruleset. Too many false positives on Skype traffic to be useful.


Update 10/15/07: Storm is now encrypting udp traffic, 40 bit key XOR'd. discovered by Joe Stewart at Secureworks.

Added sigs to detect the constant length packets for search by md5 and ack, 25 and 2 bytes respectively.

The existing edonkey sigs worked for the older variants. Any variants that use this method will only be detected by 2007634, 2007635, 2007636, and 2007637 for now. Please test these and report.

Note Joe's original analysis: http://www.secureworks.com/research/threats/storm-worm/


The rules for the Storm C&C servers and major nodes have been folded into the CompromisedHosts List. The same data, but combined to the single list for brevity.

Original lists were in the 2500-3000 rule range, which ended up being a significant Snort load. We're keeping this ruleset under 1000 and things seem to be fine in most cases. But use caution if applying the entire ruleset to an already loaded sensor.

http://www.emergingthreats.net/rules/bleeding-compromised.rules

http://www.emergingthreats.net/rules/bleeding-compromised-BLOCK.rules

These are updated frequently.

-- MattJonkman - 19 Aug 2007

Topic revision: r7 - 2008-03-05 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats