Storm Worm False Positives - How can I really detect it?

Unanswered Question
Oct 29th, 2007

I'm running a small army of IPS sensors in our network, and since upgrading the sensors and MARS today, I've seen huge numbers of signature 5894, the Storm Worm signature. Now, the signature specifies that it can fire for any nginx server, and I speculate that that's what is happening (it's fired for Yahoo sites, etc.).

So, is there any way I can more finely tune this, or is there other traffic that would be present in the case that a workstation was truly infected? Our users have shown a concern about this Storm Worm and I need to be prepared.


mhellman Tue, 10/30/2007 - 06:47

Take a look here for a pretty good analysis of the worm:

Storm is constantly evolving, so YMMV. Based on the paper, the 5894-1 signature should detect infected machines. 5894-0 is not so good and will generate all sorts of false positives on a network with a reasonable amount of user web browsing traffic.
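The triage rule above (treat 5894-1 hits as the real indicator, 5894-0 as noise), as an added example that is not part of the original thread or of any Cisco product: it reads a constructed, simplified alert layout of "timestamp src dst sigId subSigId" (assumed for the demo, not the real IPS or MARS event format) and reports, per internal host, whether any subsignature-1 hit was seen or only the noisy subsignature 0.

```python
import re
from collections import Counter, defaultdict

# Constructed sample alerts in an assumed "time src dst sigId subSigId" layout.
# Addresses are RFC 5737 documentation ranges; this is not real sensor output.
SAMPLE_ALERTS = """\
2007-10-30T06:10:01 10.1.2.15 192.0.2.15 5894 0
2007-10-30T06:10:04 10.1.2.15 192.0.2.15 5894 0
2007-10-30T06:11:30 10.1.2.40 198.51.100.7 5894 1
2007-10-30T06:11:31 10.1.2.40 198.51.100.7 5894 0
2007-10-30T06:12:02 10.1.2.77 203.0.113.9 5894 0
2007-10-30T06:12:10 10.1.2.77 203.0.113.9 1234 0
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<sig>\d+) (?P<sub>\d+)$"
)


def parse_alerts(text):
    """Parse the assumed alert layout; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            alerts.append(m.groupdict())
    return alerts


def triage_storm(alerts, sig_id="5894"):
    """Per source host: 'likely infected' if any 5894 subsig 1 hit exists,
    otherwise 'review (subsig 0 only)' since subsig 0 fires on any nginx server."""
    per_host = defaultdict(Counter)
    for a in alerts:
        if a["sig"] == sig_id:
            per_host[a["src"]][a["sub"]] += 1
    verdicts = {}
    for host, counts in per_host.items():
        if counts["1"]:
            verdicts[host] = "likely infected"
        else:
            verdicts[host] = "review (subsig 0 only)"
    return verdicts


if __name__ == "__main__":
    for host, verdict in sorted(triage_storm(parse_alerts(SAMPLE_ALERTS)).items()):
        print(host, verdict)
```

Hosts in the "review" bucket can then be checked against the destination list (known public web servers on nginx explain most of them) before anyone is pulled off the network.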

