Subject: [Full-disclosure] Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)
Date: Tue, 24 Jan 2006 10:15:56 -0600 (CST)
Hello.

This is an urgent alert released by the cooperative efforts of the MWP /
DA groups that also worked on the hurricane Rita scams. This task force is
now known as the TISF BlackWorm task force.
This task force involves many in the security (anti spam, CERTs, anti
virus, academia, ISP's, etc.) community and industry, working together to
combat threats to the security of the Internet in cooperation with law 
enforcement globally.

Anti-virus companies each have a chosen name for this, but for
operational reasons as well as simplicity we chose BlackWorm. This is
what we submit for CME. A CME entry should hopefully be created shortly.

Bottom line:
1. Update anti-virus software urgently.
2. See Snort signatures below.

A special SANS Diary page should be set up soon to process information for
Snort signatures for this as we refine them:
http://isc.sans.org/blackworm
(Current Snort sigs are at the footer of this email message)

General information and updates will be found also at:
http://blogs.securiteam.com

Actual information and background:

This worm will destroy certain data files on an infected user's
machine. So far about 700K users have been infected. We know this because
of a counter which the malware author made use of.
That machine is nothing but a counter and there is no reason at this time
to blackhole it, as it would harm our attempts to respond to this
incident.
We are however coordinating a possible action of this sort with the right
people if that becomes necessary.

We believe the counter to be real and the number of infected users to be
mostly accurate.

We are working with law enforcement and the ISP to get a list of infected
IPs so that we can inform the respective ISPs of the possibly infected
users in their net-space.

DDay is February 3rd (i.e. that is when the worm becomes destructive).

However effective or ineffective this may be, we urge users to update
their anti-virus software as soon as possible and scan their computers and/or
networks.

This risk may turn out to be nothing and whatever happens, the Internet is
NOT going to die. We would however rather attempt to prevent this DDay on
February 3rd regardless.

Further, Joe Stewart (jstewart@lurhq.com) has come up with the Snort
signatures below to help detect infected users in your net-space. False
positives should be reported to him.

It should be noted that the worm connects to the counter only once on
connection, however it keeps trying to DDoS Microsoft. Both these methods
can be used to track down the infected users at risk.

These signatures and this alert should soon also be on BleedingSnort and
the SANS Diary, as well as come from different CERTs.

Snort Signatures:

1. This sig alerts if someone visits any counter at webstats.web.rcn.net
without a Referrer: header in their URL. Could be an infected user,
could be one of us checking out the counter stats:

alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection)"; content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|"; content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; classtype:misc-activity; sid:1000376; rev:1;)

2. This sig alerts on the specific pattern BlackWorm uses to test
connectivity to www.microsoft.com. It's unique in that the request
doesn't have a User-agent: header. So this will catch BlackWorm and
possibly other automated requests to microsoft (which could happen if
someone codes a sloppy app that uses the exact same pattern - but they
should probably be flogged anyway)

alert tcp any any -> any 80 (msg:"Agentless HTTP request to www.microsoft.com (possible BlackWorm infection)"; dsize:92; content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|"; classtype:misc-activity; sid:1000377; rev:1;)

Thanks, we will update further as information becomes available, if
necessary.

Good luck,

        Gadi.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
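The two Snort signatures in the alert above, re-implemented here as an added Python example (this is not part of the original message or of Joe Stewart's rules) so that their matching logic (content with depth, a negated content, and an exact dsize) can be exercised against HTTP request payloads pulled from a pcap without a Snort install. Every sample request below is constructed for illustration, including the df= parameter value, which is a placeholder and not the worm's real counter name.

```python
"""Plain-Python matchers for the two BlackWorm Snort rules (sids 1000376 and
1000377), run over constructed HTTP request payloads.  Added example; the
sample payloads are made up for illustration, not captured worm traffic."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Content:
    """One Snort 'content' option: pattern, optional depth, optional negation."""
    pattern: bytes
    depth: Optional[int] = None   # Snort depth:N -> pattern must lie in the first N bytes
    negated: bool = False         # Snort content:!"..." -> fires only if absent

    def matches(self, payload: bytes) -> bool:
        haystack = payload if self.depth is None else payload[:self.depth]
        return (self.pattern in haystack) != self.negated


@dataclass
class Rule:
    sid: int
    msg: str
    contents: List[Content] = field(default_factory=list)
    dsize: Optional[int] = None   # Snort dsize:N -> payload must be exactly N bytes

    def matches(self, payload: bytes) -> bool:
        if self.dsize is not None and len(payload) != self.dsize:
            return False
        return all(c.matches(payload) for c in self.contents)


CRLF = b"\r\n"

# The 92-byte User-Agent-less probe the second rule describes, byte for byte.
PROBE_BYTES = (b"GET / HTTP/1.1" + CRLF
               + b"Host: www.microsoft.com" + CRLF
               + b"Connection: Keep-Alive" + CRLF
               + b"Cache-Control: no-cache" + CRLF + CRLF)

# sid 1000376: Count.cgi hit on webstats.web.rcn.net with no Referer header.
COUNTER_RULE = Rule(
    sid=1000376,
    msg="webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection)",
    contents=[
        Content(b"GET /cgi-bin/Count.cgi?", depth=23),  # |3f| is '?', 23 bytes long
        Content(b"df="),                                # |3d| is '='
        Content(b"Host: webstats.web.rcn.net"),         # |3a 20| is ': '
        Content(b"Referer:", negated=True),
    ],
)

# sid 1000377: exact 92-byte connectivity probe to www.microsoft.com.
PROBE_RULE = Rule(
    sid=1000377,
    msg="Agentless HTTP request to www.microsoft.com (possible BlackWorm infection)",
    dsize=92,
    contents=[Content(PROBE_BYTES)],
)

RULES = [COUNTER_RULE, PROBE_RULE]


def scan(payload: bytes) -> List[int]:
    """Return the sids of every rule that fires on one TCP payload to port 80."""
    return [r.sid for r in RULES if r.matches(payload)]


# Constructed samples (df= value is a placeholder, not the real counter name).
WORM_COUNTER_HIT = (b"GET /cgi-bin/Count.cgi?df=example.dat HTTP/1.1" + CRLF
                    + b"Host: webstats.web.rcn.net" + CRLF + CRLF)

# Same counter fetched by a browser that followed a link: Referer present, no alert.
BROWSER_VIA_LINK = (b"GET /cgi-bin/Count.cgi?df=example.dat HTTP/1.1" + CRLF
                    + b"Host: webstats.web.rcn.net" + CRLF
                    + b"Referer: http://example.invalid/stats.html" + CRLF
                    + b"User-Agent: Mozilla/5.0" + CRLF + CRLF)

# Counter URL typed straight into a browser: no Referer, so the rule still
# fires on an analyst checking the stats (the false positive the alert notes).
ANALYST_DIRECT = (b"GET /cgi-bin/Count.cgi?df=example.dat HTTP/1.1" + CRLF
                  + b"Host: webstats.web.rcn.net" + CRLF
                  + b"User-Agent: Mozilla/5.0" + CRLF + CRLF)

# Ordinary browser visit to microsoft.com: extra header changes size and content.
BROWSER_MS = (b"GET / HTTP/1.1" + CRLF
              + b"Host: www.microsoft.com" + CRLF
              + b"User-Agent: Mozilla/5.0" + CRLF
              + b"Connection: Keep-Alive" + CRLF + CRLF)


if __name__ == "__main__":
    samples = [("worm counter hit", WORM_COUNTER_HIT), ("browser via link", BROWSER_VIA_LINK),
               ("analyst direct", ANALYST_DIRECT), ("worm probe", PROBE_BYTES),
               ("browser to MS", BROWSER_MS)]
    for name, payload in samples:
        print(f"{name:18s} ({len(payload):3d} bytes) -> {scan(payload)}")
```

Like the original rules, the matchers are case-sensitive (no nocase) and look at one TCP payload at a time with no stream reassembly, so a request split across segments, or a client that writes the header as `referer:`, would not be handled the same way; the sample set deliberately includes the analyst-typed-URL case the alert warns about, which fires sid 1000376 exactly as the rule would.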
