Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] MS05-039 Worm in the wild - Snort sigs attached (they are n

from [Harper, Patrick] Network Security [Permanent Link]
Subject: [Snort-sigs] MS05-039 Worm in the wild - Snort sigs attached (they are not mine)
Date: Sun, 14 Aug 2005 11:37:07 -0500 
http://isc.sans.org/diary.php?date=2005-08-14

MS05-039 Worm
Starting around 11:30 UTC, we've received several reports on a new worm
variant that makes use of MS05-039 to spread. If you're not patched yet,
this is your last call.

F-Secure named the critter "Zotob.A",http://www.f-secure.com/weblog/

We've also received a submission of a binary called "pnpsrv.exe", which
is
recognized by ClamAV as Trojan.Spybot-123. Another reader has
contributed
evidence that a successful exploit by Zotob.A (or variant)

The worm will download the main payload from the infecting machine. Once
a
machine is infected, it will become an ftp server itself. It will scan
for
open port 445/tcp. Once it finds a system with port 445 listening, it
will
try to use the PnP exploit to download and execute the main payload via
ftp.

Important facts so far:
- Patch MS05-039 will protect you
- Windows XP SP2 and Windows 2003 can not be exploited by this worm, as
the
worm does not use a valid logon.
- Blocking port 445 will protect you (but watch for internal infected
systems)
- The FTP server does not run on port 21. It appears to pick a random
high
port.


Quick FTP log:

open aaa.bbb.ccc.ddd 31656
user 1 1
get winpnp.exe
quit

(IP address obfuscated).

We'll keep adding to this diary as new information becomes available.

Thanks so far to Johnathan Norman from Alert Logic for a lot of the
details.
Other good information can be found at the F-Sececure weblog
athttp://www.f-secure.com/weblog/
Also see the Microsoft MS05-039 bulletin from last
week:http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx

Please submit any new code captures via our contact page:
http://isc.sans.org/contact.php
If possible, do not pack/encrypt the uploads, maybe provide an md5 sum
to
preserve the code in its original beauty.

Shown below are Snort rules, submitted by the members of the Alert Logic
Security Research Team:
Jeremy Hewlett, Technical Director of Security Research
Johnathan Norman, Sr. Security Analyst
Chris Baker, Technical Director of Security Operations


alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000
Plug and Play Vulnerability"; flow:to_server,established;
content:"|FF|SMB%"; dept h:5; offset:4; nocase; content:"|2600|";
depth:2;
offset:65;
content:"|67157a76|";reference:url,www.microsoft.com/technet/security/Bu
llet
in/MS05-039.mspx; classtype:attempted-admin; sid:1000130; rev:1;)

alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows
2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%";
depth:5;offset:4; nocase; content:"|2600|"; depth:2; offset:65;
content:"|3600|"; offset:110; within:5;
content:"|F6387A76|";reference:url,www.microsoft.com/technet/security
/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000131; rev:1;)

alert tcp any any -> any 445 (msg:"EXPLOIT NETBIOS SMB-DS Microsoft
Windows
2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%";
depth:5;offset: 4; nocase; content:"|2600|"; depth:2; offset:65;
content:"|3600|"; offset:110; within:5;
content:"|F6387A76|";reference:url,www.microsoft.com/technet/secur
ity/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000132;
rev:1;)

-----------------------------------------
Disclaimer:
This electronic message, including any attachments, is confidential and
intended solely for use of the intended recipient(s). This message may
contain information that is privileged or otherwise protected from
disclosure by applicable law. Any unauthorized disclosure,
dissemination, use or reproduction is strictly prohibited. If you have
received this message in error, please delete it and notify the sender
immediately.



-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Bleedingsnort.com Daily Update, bleeding
Next by Date:  [Snort-sigs] MS05-039 and Zotob worm, Nigel Houghton
Previous by Thread:  [Snort-sigs] Sourcefire VRT Certified Rules Update, Sourcefire VRT
Next by Thread:  Re: [Snort-sigs] MS05-039 Worm in the wild - Snort sigs attached (they are not mine), purplebag
Indexes:  [Date] [Thread] [Top] [All Lists]