Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Signatures
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Snort-sigs] doc for sids 1:10065->1:10077 (Storm Trojan, Trojan.Peacom)

from [David Morris] Network Security [Permanent Link]
Subject: [Snort-sigs] doc for sids 1:10065->1:10077 (Storm Trojan, Trojan.Peacom)
Date: Thu, 25 Jan 2007 10:42:59 -0500 
Basic documentation for SIDs 1:10065 thru 1:10077 for the 'Storm Trojan' (
Trojan.Peacomm) that is of news lately.

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:  SPECIFIC-THREATS Trojan Peacomm smtp propagation detection"
(1:10065)  (thru sid 1:10077)
--
Sid: 1:10065  (thru 1:10077)
--
Summary: An executable attachment received via e-mail that, once executed by
the user, compromises the users pc by installing
a root kit and a udp communication channel for distribution of SPAM.
--
Impact: High
--
Detailed Information: An executable attachment received via e-mail that,
once executed by the user, compromizes the users pc by installing
a root kit and a udp communication channel for distribution of SPAM. Users
are lured into opening the attachment by describing
it as a video news story related to current news events. The subject/body of
the e-mail varies.

Once compromized, the pc will start sending high volumes (2000-3000
msgs/min) of mail traffic. The backdoor udp communication channel typically
uses udp/4000 and udp/7871 to communicate with a botnet.

Known as Storm Trojan, Trojan.Peacom (Symantec)
--
Affected Systems: Microsoft Windows Operating Systems
--
Attack Scenarios:
--
Ease of Attack: Simple, the user runs an attachment sent to them by e-mail.
--
False Positives: none known
--
False Negatives: none known
--
Corrective Action: Patch Operating System and AntiVirus program. Drop .exe
attachments inbound/outbound. Educate users.
--
Contributors: David Morris, CISSP icurnet@gmail.com
--
Additional References: http://www.symantec.com/outbreak/storm_trojan.html

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys - and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-sigs] Bleeding Edge Threats Daily Signature Changes, bleeding
Next by Date:  Re: [Snort-sigs] doc for sids 1:10065->1:10077 (Storm Trojan, Trojan.Peacom), Nigel Houghton
Previous by Thread:  [Snort-sigs] quick question on byte_test bitwise operator, 김동욱01
Next by Thread:  Re: [Snort-sigs] doc for sids 1:10065->1:10077 (Storm Trojan, Trojan.Peacom), Nigel Houghton
Indexes:  [Date] [Thread] [Top] [All Lists]