Signatures related to Conficker worm

Mar 18th, 2009
Can someone please tell me if there has been a signature generated for the Conficker worm and, if not, what current signature or set of signatures I might want to key off when looking for this worm?

wsulym (Cisco Employee) Wed, 03/18/2009 - 06:19

Try this. Go here:

http://tools.cisco.com/security/center/home.x

Type "conficker" into the search box up top...

You get here:

http://tools.cisco.com/security/center/viewAlert.x?alertId=17121

Scroll way down to the linked signature section and you'll see:

7280-0, 7280-1 - these two are signatures that trigger on the SMB vulnerability.

13491-0, 13492-0 - these two are meta signatures that make use of existing sigs 5602-0, 5605-0, 5589-0 to localize infected machines brute forcing their way about. Note that 5602, 5605, and 5589 need to be enabled for the meta signatures to fire.

a.goldsmith Mon, 03/30/2009 - 22:53

Is there any way we can use our NAMS to any effect to detect infected hosts?

michael.d.brown... Thu, 04/02/2009 - 08:40

FYI, 5 new IPS signatures were released yesterday, all on the IntelliShield alert:

16293/0 Conficker Worm Shellcode S389 04/01/2009
16293/1 Conficker Worm Shellcode S389 04/01/2009
16293/2 Conficker Worm Shellcode S389 04/01/2009
16296/0 Potential Conficker Command And Control Request S389 04/01/2009
16297/0 Worm Activity - Brute Force S389 04/01/2009

SludnevTN_2 Sun, 07/26/2009 - 01:15

John, have you found a way to defeat Conficker using IOS IPS?

I do not understand why the manually unretired/enabled signatures:

7280/0 Windows Server Service Remote Code Execution S367 11/11/2008
7280/1 Windows Server Service Remote Code Execution S367 11/11/2008
16293/0 Conficker Worm Shellcode S389 04/01/2009
16293/1 Conficker Worm Shellcode S389 04/01/2009
16296/0 Potential Conficker Command And Control Request S395 04/16/2009

are not triggered in 2 different nets where almost all hosts are infected. All I have noticed is a lot of these messages:

*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:5601 Subsig:1 Sev:100 Windows LSASS RPC Overflow [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:85
*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:6946 Subsig:0 Sev:100 Web Client Remote Code Execution Vulnerability [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:90
*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:7280 Subsig:0 Sev:100 Windows Server Service Remote Code Execution [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:90
*Jul 25 06:13:23.095: %IPS-4-SIGNATURE: Sig:5600 Subsig:0 Sev:100 Windows ASN.1 Bit String NTLMv2 Integer Overflow [192.168.109.27:1766 -> 192.168.100.118:445] VRF:NONE RiskRating:75
*Jul 25 06:22:47.175: %IPS-4-SIGNATURE: Sig:6764 Subsig:1 Sev:75 Cisco PIX and ASA Time-to-Live DoS [192.168.254.2:0 -> 224.0.0.5:0] VRF:NONE RiskRating:56
*Jul 25 07:15:49.927: %IPS-4-SIGNATURE: Sig:5600 Subsig:0 Sev:100 Windows ASN.1 Bit String NTLMv2 Integer Overflow [192.168.100.93:4658 -> 192.168.103.1:139] VRF:NONE RiskRating:75

But only during the 30 seconds while the signatures are being compiled.

Please help.
