[prev in list] [next in list] [prev in thread] [next in thread] 

List:       arachnids
Subject:    [arachNIDS] ramen worm signatures (also worm news)
From:       Max Vision <vision () whitehats ! com>
Date:       2001-01-19 23:01:02
[Download RAW message or body]

As I'm sure you've all heard, the Ramen worm has been making the rounds 
over the past few days.  I wrote an analysis of the worm and posted it at 
http://whitehats.com/library/worms/ramen/. I have included a complete 
packet trace of the lifecycle of the worm (libpcap binary and parsed snort 
formats) as well as breakouts for each part of the worm propagation.  I'm 
especially interested in any feedback where people have seen different 
results or more information about the alleged "bl3h" password.  Another 
very interesting item was the time warp that occurs in /var/log/messages 
showing the ftp exploit eight hours into the future.

There are seven signatures mentioned in the analysis, three which are 
existing signatures (IDS441/synscan, IDS442/statdx, and IDS457/lprng).  The 
new ones are as follows:

http://whitehats.com/info/IDS458   ftp-wuftp260-tf8
http://whitehats.com/info/IDS459   probe-Synscan-microsoft
http://whitehats.com/info/IDS460   worm-ramen-asp-retrieval-incoming
http://whitehats.com/info/IDS461   worm-ramen-asp-retrieval-outgoing

I didn't mention this in the analysis but I popped into ircnet to chat with 
Psychoid and he seemed a little unhappy about this worm using his "Synscan" 
scanner as it's backbone.  IMHO, Synscan isn't a bad little scanner for 
some specific purposes.

Oh the worm news... I noticed today that Mixter is publicly admitting that 
he wrote the Millennium worm (analysis circa September 1999 located at 
http://whitehats.com/library/worms/mworm/).  This was obvious but I 
couldn't come out and say it in that write-up because it had been found in 
the wild in trojan form, also on Mixter's website (meant for kiddies to 
download and launch unknowingly) possibly causing some weird legal mix that 
I would rather not propagate or be a part of.

Anyhow, feedback welcome,
Max

[prev in list] [next in list] [prev in thread] [next in thread]