[Dshield] [Fwd: FW: Interesting article on the New Bugbear virus]

Rohit Dhamankar rohitd at tippingpoint.com
Thu Jun 5 19:58:22 GMT 2003


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't know if Snort rules exist for detecting emails with a Windows
executable attachment.
Here is a rule which detects a Windows executable (Portable Executable
format) attached to an email. Many recent viruses like Palyh, Fizzer and
the Bugbear variant will alert on this rule.

-------------------------------------------------------------------------------------------------------
Attachment to an SMTP server:
alert tcp any any -> $SMTP_SERVERS 25 (msg:"Windows 32 Executable Attachment"; flow:to_server,established; content:"|0a|TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA"; content:"AA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFt"; content:"base64"; nocase; classtype:misc-activity; rev:1;)

Attachment being downloaded from POP2 or POP3 server:
alert tcp any 109:110 -> $INTERNAL_NET any (msg:"Windows 32 Executable Attachment"; flow:from_server,established; content:"|0a|TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA"; content:"AA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFt"; content:"base64"; nocase; classtype:misc-activity; rev:1;)

Attachment being downloaded from IMAP4 server:
alert tcp any 143 -> $INTERNAL_NET any (msg:"Windows 32 Executable Attachment"; flow:from_server,established; content:"|0a|TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA"; content:"AA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFt"; content:"base64"; nocase; classtype:misc-activity; rev:1;)
-------------------------------------------------------------------------------------------------------

Rohit


-----Original Message-----
From: Johannes Ullrich [mailto:jullrich at euclidian.com]
Sent: Thursday, June 05, 2003 12:27 PM
To: list at dshield.org
Subject: [Dshield] [Fwd: FW: Interesting article on the New Bugbear virus]



(posted for Deborah)


http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci904822,00.html


Deborah F Hale
Certified Business Continuity Professional
BCP Enterprise, Inc
Telephone: (712) 252-0361
www.bcpenterprise.com
 


_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPt+g8HAfgHNgKPA3EQKZogCeKTkBxi0+XODg8UlOSwc0K8dlOmUAnjct
KpEtB8DtXMVvHieMqfrEOQ1F
=CglU
-----END PGP SIGNATURE-----
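The two long content strings in the rules above are simply the base64 encoding of the first bytes of a Windows PE file: the MZ header, and the standard DOS stub containing "This program cannot be run in DOS mode". The following Python is an added example (not part of the original post or of Snort) that decodes the strings back to bytes, builds a constructed PE-like file prefix and a constructed base64 MIME part, and applies the same three conditions the rules use; the names SIG_MZ_B64, SIG_STUB_B64, rule_matches and the file name "readme.exe" are this example's own.

```python
import base64
import re

# The two base64 content matches from the rules above. Decoded, they are
# the 45-byte MZ header and the DOS stub most linkers place before the
# PE header. Constant names are this example's own.
SIG_MZ_B64 = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAA"
SIG_STUB_B64 = "AA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFt"


def decode_signature(sig: str) -> bytes:
    """Raw bytes that a base64 content match corresponds to."""
    return base64.b64decode(sig)


def constructed_pe_prefix() -> bytes:
    """Constructed 128-byte start of a PE file (not a runnable program):
    the MZ header fields the rules key on, e_lfanew, and the DOS stub."""
    hdr = bytearray(64)
    hdr[0:2] = b"MZ"
    hdr[2:4] = (0x90).to_bytes(2, "little")    # e_cblp
    hdr[4:6] = (3).to_bytes(2, "little")       # e_cp
    hdr[8:10] = (4).to_bytes(2, "little")      # e_cparhdr
    hdr[12:14] = b"\xff\xff"                   # e_maxalloc
    hdr[16:18] = (0xB8).to_bytes(2, "little")  # e_sp
    hdr[24:26] = (0x40).to_bytes(2, "little")  # e_lfarlc
    hdr[60:64] = (0x80).to_bytes(4, "little")  # e_lfanew: PE header at 0x80
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$")
    return bytes(hdr) + stub.ljust(64, b"\x00")


def mime_attachment(data: bytes, name: str) -> bytes:
    """Constructed MIME part as seen in SMTP DATA: base64 wrapped at 76
    columns, so every line starts at a file offset that is a multiple of
    57 (hence of 3), keeping the alignment the content strings assume."""
    head = (f'Content-Type: application/octet-stream; name="{name}"\r\n'
            "Content-Transfer-Encoding: base64\r\n\r\n").encode()
    return head + base64.encodebytes(data)


def rule_matches(payload: bytes) -> bool:
    """Same three conditions as the Snort rules: a line beginning with the
    MZ header base64, the DOS stub base64 anywhere, and 'base64' nocase."""
    return (b"\n" + SIG_MZ_B64.encode() in payload
            and SIG_STUB_B64.encode() in payload
            and re.search(rb"base64", payload, re.IGNORECASE) is not None)
```

Because the first match is anchored to a line start, the rule only fires when the attachment's base64 begins on its own line and the file starts with the usual MZ header values; attachments sent with another transfer encoding are not covered by it.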