
[Snort-sigs] Rule documentation for SID 5323

Subject: [Snort-sigs] Rule documentation for SID 5323
Date: Mon, 15 May 2006 09:17:29 -0400
I had a couple of false positives regarding this rule, which I found undocumented.

According to "http://www.snort.org/snort-db/help.html", I'm supposed to send the information to this list.

Thanks,
--aj

A. J. Wright -- <ajw@utk.edu>
Senior Security Analyst, Information Security Office
University of Tennessee, Knoxville

--SNIP--

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule: VIRUS Possible Sober virus set three NTP time check attempt

--
Sid: 1:5323

--
Summary: This rule fires when TCP traffic is initiated from $HOME_NET to a list of NTP servers known to be used by the Sober virus series.


--
Impact: This event suggests that the source system is infected with a version of the Sober virus.


--
Detailed Information: Several versions of the Sober e-mail worm monitor a fixed list of NTP servers to determine when to download and execute a file from a controlling web server.


This rule fires when Snort sees traffic on port 37/tcp (the port commonly associated with the "time" protocol) to one of the following IP addresses:

198.72.72.10 200.254.135.2 208.14.208.19 209.87.233.53 213.239.201.102 216.193.203.2 69.25.96.13

As of May 2006, these resolve to the following names:

10.72.72.198.in-addr.arpa domain name pointer ns1.usg.edu.

2.135.254.200.in-addr.arpa is an alias for 2.0-63.135.254.200.in-addr.arpa.
2.0-63.135.254.200.in-addr.arpa domain name pointer garfield.massayonet.com.br.

19.208.14.208.in-addr.arpa domain name pointer verge.greyware.com.

53.233.87.209.in-addr.arpa domain name pointer time1.chu.nrc.ca.

102.201.239.213.in-addr.arpa domain name pointer hendrek.colo.frell.eu.org.

2.203.193.216.in-addr.arpa domain name pointer valinor.theunixman.com.

13.96.25.69.in-addr.arpa domain name pointer nist1.symmetricom.com.

--
Affected Systems: This email worm affects systems running the Microsoft Windows family of operating systems.


--
Attack Scenarios: This virus is spread by self-generated email messages containing a UPX-packed Visual Basic Script. This is primarily a social engineering attack as the software must be executed by the user.


--
Ease of Attack: Simple

--
False Positives: This alert is triggered if any system contacts the aforementioned systems on 37/tcp.


--
False Negatives: Some Sober viruses may contact a different set of NTP servers or no NTP server at all.


--
Corrective Action: Install up-to-date virus scanning software. Use that to remove the malicious software from the infected system.


--
Contributors: Original rule writer unknown. This rule was added in the December 30, 2005 rule update.
Documented by A. J. Wright <ajw@utk.edu> of the University of Tennessee Information Security Office.


--
Additional References:

In these references, * represents the virus version letter. Due to the number of Sober versions, this is often A-Z or sometimes A-ZZ or longer.

F-Secure: Sober.*
Symantec: W32.Sober.*@mm
McAfee: W32/Sober.*@mm
Trend: WORM_SOBER.*
Google: sober ntp
Wikipedia: Sober (computer worm)


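As an added illustration (not part of the original post or of the Snort rule set), the following Python applies the match conditions documented above for SID 5323 to constructed flow records and groups the hits per source host, so that a single time check (the false-positive case described above) can be told apart from a host working through several of the listed servers. The $HOME_NET ranges, the flow record format and the "several listed servers" triage heuristic are assumptions of this example.

```python
import ipaddress
from collections import defaultdict

# Destination hosts listed in the SID 5323 documentation above.
SOBER_NTP_SERVERS = {
    "198.72.72.10", "200.254.135.2", "208.14.208.19", "209.87.233.53",
    "213.239.201.102", "216.193.203.2", "69.25.96.13",
}
TIME_PORT = 37  # 37/tcp, the "time" protocol port the rule watches

# Assumed local address space, standing in for Snort's $HOME_NET.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]

def in_home_net(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def parse_flow(line):
    """Parse a constructed flow record: 'src_ip src_port dst_ip dst_port proto'."""
    src, sport, dst, dport, proto = line.split()
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto.lower()}

def rule_matches(flow):
    """Same conditions as SID 5323: TCP from $HOME_NET to a listed server on 37/tcp."""
    return (flow["proto"] == "tcp" and flow["dport"] == TIME_PORT
            and in_home_net(flow["src"]) and flow["dst"] in SOBER_NTP_SERVERS)

def triage(lines):
    """Group hits per source. Assumed heuristic: a host contacting several of the
    listed servers looks like the worm's fixed-list time check, while a single
    hit is the documented false-positive case (any ordinary time client)."""
    hits = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if rule_matches(flow):
            hits[flow["src"]].add(flow["dst"])
    return {src: ("multiple-servers" if len(dsts) > 1 else "single-server")
            for src, dsts in hits.items()}

# Constructed sample flows, not real captures.
SAMPLE_FLOWS = [
    "10.1.2.3 1055 198.72.72.10 37 tcp",
    "10.1.2.3 1056 209.87.233.53 37 tcp",
    "10.1.2.3 1057 69.25.96.13 37 tcp",
    "10.9.9.9 2001 209.87.233.53 37 tcp",     # one time check: likely benign
    "10.9.9.9 2002 209.87.233.53 123 udp",    # real NTP on 123/udp, not matched
    "198.51.100.7 4000 198.72.72.10 37 tcp",  # source outside $HOME_NET
]
```

Calling `triage(SAMPLE_FLOWS)` returns one verdict per local source host that tripped the rule.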