Here's a suggested update for the 'BACKDOOR NetMetro File List' signature,
which lists a possible false positive that I've just observed.
John McCash
GEN:SID 1:159
Message BACKDOOR NetMetro File List
Rule alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro
File List"; flow:to_server,established; content:"--"; reference:arachnids,79;
classtype:misc-activity; sid:159; rev:6;)
Summary This event is generated when an attempt is made to list files
on a host infected with the NetMetro Trojan Horse.
Impact Limited control of the target host.
Detailed Information Due to the nature of this Trojan it is unlikely that
the attacker's client IP address has been spoofed.
The server portion opens TCP port 5031 by default to establish a connection
between client and server.
Affected Systems Windows 95
Windows 98
Windows ME
Windows NT
Windows 2000
Attack Scenarios This Trojan may be delivered to the target in a number
of ways. This event is indicative of an existing infection being activated.
Initial compromise can be in the form of a Win32 installation program that may
use the extension ".jpg" or ".bmp" when delivered via e-mail for example.
Ease of Attack This is Trojan activity, the target machine may already be
compromised. Updated virus definition files are essential in detecting this
Trojan.
The Trojan server is named NMS.exe.
False Positives This rule can generate a false positive if a web
request goes out on port 5032, and is responded to by a web server with a
string containing '--'
If you think this rule has a false positives, please help fill it out.
False Negatives None Known
If you think this rule has a false negatives, please help fill it out.
Corrective Action A reboot of the infected machine is recommended. The
Trojan does not start automatically at boot time nor does it change any system
registry settings.
Contributors Original Rule Writer Max Vision <vision@whitehats.com>
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>
Additional References Whitehats arachNIDS
http://www.whitehats.com/info/IDS79
Dark-e:
http://www.dark-e.com/archive/trojans/NetMetro/index.html
Rule References arachnids: 79
------------------------------------------------------------------------------------------------
This message is for the designated recipient only and may
contain privileged, proprietary, or otherwise private information.
If you have received it in error, please notify the sender
immediately and delete the original. Any unauthorized use of
this email is prohibited.
------------------------------------------------------------------------------------------------
[mf2]
-------------------------------------------------------
SF.Net email is sponsored by Shop4tech.com-Lowest price on Blank Media
100pk Sonic DVD-R 4x for only $29 -100pk Sonic DVD+R for only $33
Save 50% off Retail on Ink & Toner - Free Shipping and Free Gift.
http://www.shop4tech.com/z/Inkjet_Cartridges/9_108_r285
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
