List: arachnids
Subject: [arachNIDS] ramen worm signatures (also worm news)
From: Max Vision <vision () whitehats ! com>
Date: 2001-01-19 23:01:02
As I'm sure you've all heard, the Ramen worm has been making the rounds
over the past few days. I wrote an analysis of the worm and posted it at
http://whitehats.com/library/worms/ramen/. I have included a complete
packet trace of the lifecycle of the worm (libpcap binary and parsed snort
formats) as well as breakouts for each part of the worm propagation. I'm
especially interested in any feedback where people have seen different
results or more information about the alleged "bl3h" password. Another
very interesting item was the time warp that occurs in /var/log/messages
showing the ftp exploit eight hours into the future.
There are seven signatures mentioned in the analysis, three of which are
existing signatures (IDS441/synscan, IDS442/statdx, and IDS457/lprng). The
new ones are as follows:
http://whitehats.com/info/IDS458 ftp-wuftp260-tf8
http://whitehats.com/info/IDS459 probe-Synscan-microsoft
http://whitehats.com/info/IDS460 worm-ramen-asp-retrieval-incoming
http://whitehats.com/info/IDS461 worm-ramen-asp-retrieval-outgoing
I didn't mention this in the analysis but I popped into ircnet to chat with
Psychoid and he seemed a little unhappy about this worm using his "Synscan"
scanner as its backbone. IMHO, Synscan isn't a bad little scanner for
some specific purposes.
Oh the worm news... I noticed today that Mixter is publicly admitting that
he wrote the Millennium worm (analysis circa September 1999 located at
http://whitehats.com/library/worms/mworm/). This was obvious but I
couldn't come out and say it in that write-up because it had been found in
the wild in trojan form, also on Mixter's website (meant for kiddies to
download and launch unknowingly) possibly causing some weird legal mix that
I would rather not propagate or be a part of.
Anyhow, feedback welcome,
Max