
List:       nfr-users
Subject:    [nfr-users] Sobig.F payload download detection
From:       Matt Bing <mbing () nfr ! net>
Date:       2003-08-22 21:45:39

Today at 19:00 UTC, the "Sobig.F" worm will begin to query a list of master
servers for the location of an unknown program to download and execute.
It will continue to query these master servers every Friday and Sunday
between 19:00 and 22:00 UTC. The worm uses its own NTP client to keep track
of the time.

While the current list of master servers is known, the worm can upload a new 
digitally signed list via incoming UDP on ports 995-998. The worm queries the 
master servers via UDP port 8998.

You can use NFR NID's policy package to identify infected machines by alerting 
on packets to UDP port 8998 on the master servers. Add these rules to policy's 
"RULES_UDP" variable:

IMPORTANT NOTE: Since the master list is subject to change, so are these rules. 

"alert   any 12.158.102.205/32 any 8998"
"alert   any 12.232.104.221/32 any 8998"
"alert   any 218.147.164.29/32 any 8998"
"alert   any 24.197.143.132/32 any 8998"
"alert   any 24.202.91.43/32   any 8998"
"alert   any 24.206.75.137/32  any 8998"
"alert   any 24.210.182.156/32 any 8998"
"alert   any 24.33.66.38/32    any 8998"
"alert   any 61.38.187.59/32   any 8998"
"alert   any 63.250.82.87/32   any 8998"
"alert   any 65.177.240.194/32 any 8998"
"alert   any 65.92.186.145/32  any 8998"
"alert   any 65.92.80.218/32   any 8998"
"alert   any 65.93.81.59/32    any 8998"
"alert   any 65.95.193.138/32  any 8998"
"alert   any 66.131.207.81/32  any 8998"
"alert   any 67.73.21.6/32     any 8998"
"alert   any 67.9.241.67/32    any 8998"
"alert   any 68.38.159.161/32  any 8998"
"alert   any 68.50.208.96/32   any 8998"

Technical References:

-  F-Secure: http://www.f-secure.com/v-descs/sobig_f.shtml
-  McAfee: http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100561
_______________________________________________
nfr-users mailing list
nfr-users@nfr.com
http://list.nfr.com/mailman/listinfo/nfr-users
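As an added example (not part of the post and not NFR code), the same detection logic applied offline to flow records: it flags any internal host sending UDP to port 8998 at one of the master servers listed above, and additionally counts how many of those queries fall in the Friday/Sunday 19:00-22:00 UTC window the post describes. The flow-log line format and the sample records are constructed for this example.

```python
from datetime import datetime, timezone

# Master-server list taken from the post; subject to change, as the post notes.
MASTER_SERVERS = {
    "12.158.102.205", "12.232.104.221", "218.147.164.29", "24.197.143.132",
    "24.202.91.43", "24.206.75.137", "24.210.182.156", "24.33.66.38",
    "61.38.187.59", "63.250.82.87", "65.177.240.194", "65.92.186.145",
    "65.92.80.218", "65.93.81.59", "65.95.193.138", "66.131.207.81",
    "67.73.21.6", "67.9.241.67", "68.38.159.161", "68.50.208.96",
}
QUERY_PORT = 8998

# Constructed flow-log format (hypothetical, not a real tool's output):
# <UTC timestamp> <proto> <src ip> <src port> <dst ip> <dst port>
SAMPLE_FLOWS = """\
2003-08-22T19:02:11Z udp 10.1.2.3 1034 24.33.66.38 8998
2003-08-22T19:02:12Z udp 10.1.2.3 1034 65.93.81.59 8998
2003-08-22T19:05:40Z tcp 10.1.2.9 2201 63.250.82.87 80
2003-08-22T19:06:02Z udp 10.1.2.7 1122 8.8.8.8 53
2003-08-21T19:30:00Z udp 10.1.2.5 1040 12.158.102.205 8998
"""

def in_activation_window(ts):
    """Friday (weekday 4) or Sunday (weekday 6), 19:00-22:00 UTC, per the post."""
    return ts.weekday() in (4, 6) and 19 <= ts.hour < 22

def parse_flow(line):
    """Split one constructed flow-log line into its fields."""
    ts, proto, src, _sport, dst, dport = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "proto": proto, "src": src, "dst": dst, "dport": int(dport)}

def find_suspected_hosts(flow_text):
    """Return {src_ip: {'hits': n, 'in_window': m}} for UDP/8998 to a master server.

    Every hit is reported; 'in_window' only adds context, since a query outside
    the expected window is still a query to a known master server.
    """
    suspects = {}
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["proto"] == "udp" and f["dport"] == QUERY_PORT and f["dst"] in MASTER_SERVERS:
            entry = suspects.setdefault(f["src"], {"hits": 0, "in_window": 0})
            entry["hits"] += 1
            entry["in_window"] += int(in_activation_window(f["ts"]))
    return suspects

if __name__ == "__main__":
    for host, stats in find_suspected_hosts(SAMPLE_FLOWS).items():
        print(host, stats)
```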