
Storm Worm

Update 10/15/07: Storm is now encrypting its UDP traffic, XOR'd with a 40-bit key, as discovered by Joe Stewart at SecureWorks.

Added sigs to detect the constant-length packets: the search-by-MD5 packet (25 bytes) and the ack packet (2 bytes).

The existing eDonkey sigs worked for the older variants. Variants that use this encryption will, for now, only be detected by 2007634, 2007635, 2007636 and 2007637. Please test these and report.

Note Joe's original analysis: http://www.secureworks.com/research/threats/storm-worm/
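As an added illustration of the point above (this is example code, not from the Emerging Threats page or from Joe Stewart's analysis): a per-byte XOR with a repeating key changes every byte a content signature would match on, but leaves the packet length untouched, which is why the detection falls back to the 25- and 2-byte sizes. The 5-byte key, the packet contents and the content pattern below are all constructed assumptions; none of them is Storm's real key, its packet format, or the body of sigs 2007634-2007637.

```python
# Constructed 40-bit (5-byte) key for illustration only; NOT Storm's key.
KEY = bytes.fromhex("a1b2c3d4e5")


def xor_crypt(payload: bytes, key: bytes = KEY) -> bytes:
    """XOR each byte with the repeating key. Symmetric and length-preserving,
    so the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))


# Constructed stand-ins for the two constant-length packets the page names:
# a 25-byte "search by md5" and a 2-byte "ack". The bytes are invented; only
# the lengths come from the page.
SEARCH_PLAINTEXT = b"\xaa\x55" + b"\x11" * 16 + b"\x00" * 7  # 25 bytes
ACK_PLAINTEXT = b"\xaa\x55"                                   # 2 bytes

# A content rule in the style of the older eDonkey sigs: fixed bytes at
# offset 0. The pattern is constructed for this example.
CONTENT_PATTERN = b"\xaa\x55"


def content_sig_matches(payload: bytes) -> bool:
    """Content-based detection: does the payload start with the pattern?"""
    return payload.startswith(CONTENT_PATTERN)


def length_sig_matches(payload: bytes) -> bool:
    """Length-based detection, the equivalent of a Snort dsize check for the
    two sizes the page cites."""
    return len(payload) in (25, 2)


def evaluate(packets):
    """Return (content_hits, length_hits) over a list of UDP payloads."""
    content_hits = sum(content_sig_matches(p) for p in packets)
    length_hits = sum(length_sig_matches(p) for p in packets)
    return content_hits, length_hits


if __name__ == "__main__":
    # Constructed traffic: the two Storm-style packets plus one unrelated
    # 40-byte UDP payload that should match neither rule.
    old_variant = [SEARCH_PLAINTEXT, ACK_PLAINTEXT, b"\x00" * 40]
    new_variant = [xor_crypt(p) for p in old_variant]
    print("plaintext variant  (content, length):", evaluate(old_variant))
    print("encrypted variant  (content, length):", evaluate(new_variant))
    # The trade-off the page's "please test and report" hints at: any 2-byte
    # UDP payload, Storm or not, trips the length rule.
    print("benign 2-byte packet hits length sig:", length_sig_matches(b"\x00\x00"))
```

In Snort terms the length check is a `dsize:25;` or `dsize:2;` test on the UDP payload, and the example shows its cost: a length-only rule cannot tell a Storm ack from any other 2-byte datagram, so expect noise on busy sensors and tune accordingly.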


The rules for the Storm C&C servers and major nodes have been folded into the CompromisedHosts list: the same data, combined into the single list for brevity.

The original lists were in the 2500-3000 rule range, which turned out to be a significant Snort load. We're keeping this ruleset under 1000 rules and things seem to be fine in most cases, but use caution when applying the entire ruleset to an already loaded sensor.

http://www.bleedingthreats.net/rules/bleeding-compromised.rules

http://www.bleedingthreats.net/rules/bleeding-compromised-BLOCK.rules

These are updated frequently.

-- MattJonkman - 19 Aug 2007

Topic revision: r3 - 2007-10-15 - MattJonkman