List:       arachnids
Subject:    [arachNIDS] Lion Worm information posted
From:       Max Vision <vision () whitehats ! com>
Date:       2001-04-05 12:50:03

I have posted a writeup on the Lion Worm, covering all three versions, at
http://whitehats.com/library/worms/lion/

Since the worm uses LSD's bind exploit, both the infoleak and tsig attacks
used by the worm are already detected by arachNIDS signature exports.  The
relevant signatures are:

http://whitehats.com/info/IDS482
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS482/named-exploit-infoleak-lsd"; \
content: "|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; \
reference:arachnids,482;)

http://whitehats.com/info/IDS489
alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS489/named-exploit-tsig-lsd"; \
content: "|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"; \
reference:arachnids,489;)

Feedback welcome,
Max
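Added example, not part of Max's post or the arachNIDS project: a small Python checker that decodes the Snort `content:` pipe-hex notation used in the two rules above and tests a UDP/53 payload against them. The rule bodies are taken from the post; the sample payloads below are constructed, not real captures.

```python
import re

# The two content: patterns quoted in the post, keyed by their msg names.
RULES = {
    "IDS482/named-exploit-infoleak-lsd":
        "|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|",
    "IDS489/named-exploit-tsig-lsd":
        "|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|",
}


def parse_content(pattern):
    """Decode a Snort content: value into raw bytes.

    Text outside |...| is literal; inside the pipes hex digits are read in
    pairs and whitespace is ignored, so "|3F 909090 EB3B|" and
    "|3F 90 90 90 EB 3B|" denote the same bytes.
    """
    if pattern.count("|") % 2:
        raise ValueError("unbalanced '|' in content pattern")
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:                       # literal text segment
            out += chunk.encode("latin-1")
        else:                                # hex segment
            digits = re.sub(r"\s+", "", chunk)
            if len(digits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", digits):
                raise ValueError("bad hex segment: %r" % chunk)
            out += bytes.fromhex(digits)
    return bytes(out)


COMPILED = {msg: parse_content(pat) for msg, pat in RULES.items()}


def match_payload(payload):
    """Return the msg of every rule whose content occurs in a UDP/53 payload."""
    return [msg for msg, needle in COMPILED.items() if needle in payload]


# Constructed sample payloads (not real captures): a DNS message starting with
# the IDS482 bytes, and an ordinary A query for example.com that must not match.
SAMPLE_INFOLEAK = bytes.fromhex(
    "abcd098000000001000000000000010001202020200261" "62000000ff00ff")
BENIGN_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01")

if __name__ == "__main__":
    for name, pkt in (("infoleak", SAMPLE_INFOLEAK), ("benign", BENIGN_QUERY)):
        print(name, "->", match_payload(pkt) or "no match")
```

The port and direction constraints of the rules (`$EXTERNAL any -> $INTERNAL 53`) are left to the caller, which should only feed this matcher UDP payloads destined for port 53.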

