Re: [Snort-sigs] MS05-039 Worm in the wild - Snort sigs attached (they are not mine)

Thanks for the heads up Patrick. Fortunately I had already applied the
VRT rules and found that we had an issue when I went to add these. I
think I will stick with the snort.org rules since they seem to have
things covered well and detected it already.

Now if I only had sensors inline I could sleep well tonight. Change
control here I come...

On 8/14/05, Harper, Patrick <Patrick.Harper@phns.com> wrote:
> http://isc.sans.org/diary.php?date=2005-08-14
>
> MS05-039 Worm
> Starting around 11:30 UTC, we've received several reports on a new worm
> variant that makes use of MS05-039 to spread. If you're not patched yet,
> this is your last call.
>
> F-Secure named the critter "Zotob.A",http://www.f-secure.com/weblog/
>
> We've also received a submission of a binary called "pnpsrv.exe", which
> is
> recognized by ClamAV as Trojan.Spybot-123. Another reader has
> contributed
> evidence that a successful exploit by Zotob.A (or variant)
>
> The worm will download the main payload from the infecting machine. Once
> a
> machine is infected, it will become an ftp server itself. It will scan
> for
> open port 445/tcp. Once it finds a system with port 445 listening, it
> will
> try to use the PnP exploit to download and execute the main payload via
> ftp.
>
> Important facts so far:
> - Patch MS05-039 will protect you
> - Windows XP SP2 and Windows 2003 can not be exploited by this worm, as
> the
> worm does not use a valid logon.
> - Blocking port 445 will protect you (but watch for internal infected
> systems)
> - The FTP server does not run on port 21. It appears to pick a random
> high
> port.
>
>
> Quick FTP log:
>
> open aaa.bbb.ccc.ddd 31656
> user 1 1
> get winpnp.exe
> quit
>
> (IP address obfuscated).
>
> We'll keep adding to this diary as new information becomes available.
>
> Thanks so far to Johnathan Norman from Alert Logic for a lot of the
> details.
> Other good information can be found at the F-Sececure weblog
> athttp://www.f-secure.com/weblog/
> Also see the Microsoft MS05-039 bulletin from last
> week:http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
>
> Please submit any new code captures via our contact page:
> http://isc.sans.org/contact.php
> If possible, do not pack/encrypt the uploads, maybe provide an md5 sum
> to
> preserve the code in its original beauty.
>
> Shown below are Snort rules, submitted by the members of the Alert Logic
> Security Research Team:
> Jeremy Hewlett, Technical Director of Security Research
> Johnathan Norman, Sr. Security Analyst
> Chris Baker, Technical Director of Security Operations
>
>
> alert tcp any any -> any 445 (msg:"EXPLOIT SMB-DS Microsoft Windows 2000
> Plug and Play Vulnerability"; flow:to_server,established;
> content:"|FF|SMB%"; dept h:5; offset:4; nocase; content:"|2600|";
> depth:2;
> offset:65;
> content:"|67157a76|";reference:url,www.microsoft.com/technet/security/Bu
> llet
> in/MS05-039.mspx; classtype:attempted-admin; sid:1000130; rev:1;)
>
> alert tcp any any -> any 139 (msg:"EXPLOIT NETBIOS SMB Microsoft Windows
> 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%";
> depth:5;offset:4; nocase; content:"|2600|"; depth:2; offset:65;
> content:"|3600|"; offset:110; within:5;
> content:"|F6387A76|";reference:url,www.microsoft.com/technet/security
> /Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000131; rev:1;)
>
> alert tcp any any -> any 445 (msg:"EXPLOIT NETBIOS SMB-DS Microsoft
> Windows
> 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%";
> depth:5;offset: 4; nocase; content:"|2600|"; depth:2; offset:65;
> content:"|3600|"; offset:110; within:5;
> content:"|F6387A76|";reference:url,www.microsoft.com/technet/secur
> ity/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:1000132;
> rev:1;)
>
> -----------------------------------------
> Disclaimer:
> This electronic message, including any attachments, is confidential and
> intended solely for use of the intended recipient(s). This message may
> contain information that is privileged or otherwise protected from
> disclosure by applicable law. Any unauthorized disclosure,
> dissemination, use or reproduction is strictly prohibited. If you have
> received this message in error, please delete it and notify the sender
> immediately.
>
>
>
> -------------------------------------------------------
> SF.Net email is Sponsored by the Better Software Conference & EXPO
> September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
> Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
> Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs


-- 
Purple Bag
Society of the Crown


-------------------------------------------------------
SF.Net email is Sponsored by the Better Software Conference & EXPO
September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs