
List:       snort-sigs
Subject:    [Snort-sigs] Rules DB info for SID 793
From:       Andy Boncek <khan () gecko ! roadtoad ! net>
Date:       2002-01-24 17:11:12

-- 
Andy Boncek			Senior Information Assurance Engineer	Ultimate Ports List
khan@gecko.roadtoad.net		Information Operations, Inc.		http://www.portslist.org/
AIM: Andholio			GPG Key: http://www.boncek.org/khan.txt			

["793.txt" (text/plain)]

Cazz,

	I'd definitely suggest enabling the sig by default, if it already isn't.

-Andy


# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
# 
# $Id$
#
# 

Rule: alert tcp any 110 -> any any (msg:"Virus - Mail .VBS"; content:"multipart"; \
content:"name="; content:".vbs"; nocase; sid:793; classtype:misc-activity; rev:3;)   
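Worked example of what this rule actually inspects, added here and not part of the original submission or of Snort itself: a small Python re-implementation of the rule header and the three content checks, run over constructed POP3 payloads. The `Packet` type, the sample messages and the helper names are my own inventions; the matching semantics follow the rule text above (three content matches in any order, `nocase` applying only to the `.vbs` content, and only segments sourced from TCP port 110 inspected).

```python
import re
from dataclasses import dataclass

# Snort 'content' matches are case-sensitive unless the content is followed by
# 'nocase'.  In SID 793 only the third content (".vbs") carries that modifier,
# so "MULTIPART" or "NAME=" in upper case would not satisfy the first two checks.
CONTENT_CHECKS = (
    (b"multipart", False),  # MIME multipart message
    (b"name=", False),      # attachment name; also present inside "filename="
    (b".vbs", True),        # Visual Basic Script extension, any case
)


@dataclass(frozen=True)
class Packet:
    """Minimal stand-in for a decoded TCP segment (hypothetical type)."""
    src_port: int
    dst_port: int
    payload: bytes


def matches_sid_793(pkt: Packet) -> bool:
    """Return True when the segment would fire the rule header
    'alert tcp any 110 -> any any' with the three content checks of SID 793.

    All three strings must be present somewhere in the payload; the rule does
    not constrain their order or their distance from each other.
    """
    if pkt.src_port != 110:  # only POP3 server -> client traffic is inspected
        return False
    lowered = pkt.payload.lower()
    for needle, nocase in CONTENT_CHECKS:
        haystack = lowered if nocase else pkt.payload
        if needle not in haystack:  # needles in CONTENT_CHECKS are already lower case
            return False
    return True


def attachment_names(payload: bytes) -> list[bytes]:
    """Pull the values of name=/filename= parameters out of the MIME headers so an
    analyst can see which attachment triggered the alert.  Order is preserved and
    duplicates (name= and filename= on the same part) are collapsed."""
    found = re.findall(rb'name="?([^"\s;]+)', payload)
    return list(dict.fromkeys(found))


def alerts(packets: list[Packet]) -> list[tuple[int, list[bytes]]]:
    """Evaluate a list of segments; return (index, attachment names) per alert."""
    return [(i, attachment_names(p.payload))
            for i, p in enumerate(packets) if matches_sid_793(p)]


# Constructed POP3 RETR responses (not real captures).
SAMPLE_VBS_MAIL = (
    b"+OK message follows\r\n"
    b"From: sender@example.invalid\r\n"
    b"Subject: quarterly report\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nsee attached\r\n"
    b'--b1\r\nContent-Type: application/octet-stream; name="report.VBS"\r\n'
    b'Content-Disposition: attachment; filename="report.VBS"\r\n\r\n'
    b"(encoded script body)\r\n--b1--\r\n.\r\n"
)
# Same structure with a harmless .txt attachment: no alert.
SAMPLE_TXT_MAIL = SAMPLE_VBS_MAIL.replace(b"report.VBS", b"report.txt")
# Single-part message that merely mentions the extension: no "multipart", no "name=".
SAMPLE_PLAIN_MENTION = (
    b"+OK message follows\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"Reminder: do not open .vbs files from strangers.\r\n.\r\n"
)
SAMPLE_PACKETS = [
    Packet(src_port=110, dst_port=51234, payload=SAMPLE_VBS_MAIL),
    Packet(src_port=110, dst_port=51234, payload=SAMPLE_TXT_MAIL),
    Packet(src_port=110, dst_port=51234, payload=SAMPLE_PLAIN_MENTION),
    # Identical content arriving over SMTP is outside this rule's header.
    Packet(src_port=25, dst_port=51234, payload=SAMPLE_VBS_MAIL),
]

if __name__ == "__main__":
    for idx, names in alerts(SAMPLE_PACKETS):
        print(f"packet {idx}: SID 793 fired, attachments {names}")
```

Running it, only the first constructed packet fires. The other three show the boundaries of the rule as written: the same attachment delivered over a port other than 110 (SMTP or IMAP) is not covered by this header, and a message that lacks the literal lower-case string `multipart` or `name=` is not matched even if it contains `.vbs`. The `attachment_names` helper is a triage convenience, not part of the rule; it exists so the alert can be tied back to the offending part without re-reading the payload by hand.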

--
Sid: 793

--
Summary: An email either inbound or outbound contains a ".vbs" attachment.  This \
almost always spells trouble.

--
Impact:  I'm sure that anyone using a computer in the last 20 years understands the \
problems with Viruses and Worms. You could potentially face, or are currently facing, a \
Worm or Virus outbreak.  Reaction time matters very much considering the potentially \
catastrophic systems failure that could occur.  These types of outbreaks are the most \
costly in all of IT security spending (other than not protecting systems in the first \
place!)

--
Detailed Information:  The ".vbs" extension denotes a Visual Basic Script that most \
Windows email programs will execute automatically unless proper anti-virus \
protections are in place.  In recent years, the most virulent of system infections \
have taken the form of a .vbs file emailed to an unsuspecting user who merely clicks \
on the email in the preview pane.

--
Attack Scenarios:  The most likely attack scenario is an infected Worm/Virus .vbs \
attachment to an email.

--
Ease of Attack: Trivial.  A user simply sends a .vbs infected email.

--
False Positives: None currently known.

--
False Negatives:  None currently known.

--
Corrective Action:  There are a wide variety of procedures needed to remedy this type \
of attack.  The references below contain a more detailed discussion, but some brief \
steps can be taken to react and pro-actively address the .vbs problem.

Pro-Active (probably the most important)
- Ensure that .vbs extensions are blocked at either the firewall, email server, or \
both.  There are very few legitimate uses of .vbs files in an email. The \
OpenAnti-Virus Project has an excellent blocking and filtering tool \
(http://www.openantivirus.org)
- Configure all email clients to disallow .vbs extensions.  There are several methods \
for performing this; however, the most important being disabling the Outlook preview \
pane.  Current versions of Outlook also contain controls for disabling execution of \
untrusted code, etc.
- EDUCATE USERS ON VIRUS THREAT; KEEP UP WITH AV SIGNATURES

Reactive
- Isolate infected networks and immediately block outbound/inbound .vbs (see \
pro-active...)
- Isolate problem email accounts, clean for infection.
- "Pull the plug": If it's a very bad outbreak, save everyone else on the Internet a \
headache and disable your Net connection. 

--
Contributors: Andy Boncek <khan@gecko.roadtoad.net>

-- 
Additional References:

OpenAV: http://www.openantivirus.org/

DevX: http://www.devx.com/free/tips/tipview.asp?content_id=3546

Privacy Software Consortium: http://www.nsclean.com/psc-vbs.html

SecurityFocus FOCUS-VIRUS: http://www.securityfocus.com/archive/100/

Virus Bulletin: http://www.virusbtn.com/

WildList: http://www.wildlist.org/


_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
