Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1201
Views
0
Helpful
4
Replies

Signatures related to confickr worm

johnny_utah
Level 1
Level 1

‎03-18-2009 04:57 AM - edited ‎03-10-2019 04:33 AM

Can someone please tell me if there has been a signature generated for the confickr worm and if not, what current signature or set of signatures I might want to key off when looking for this worm?

Labels:
0 Helpful
4 Replies 4

wsulym
Cisco Employee
Cisco Employee

‎03-18-2009 06:19 AM

Try this. Go here:

http://tools.cisco.com/security/center/home.x

Type "conficker" into the search box up top...

You get here:

http://tools.cisco.com/security/center/viewAlert.x?alertId=17121

Scroll way down to the linked signature section and you'll see:

7280-0, 7280-1 - these two are signatures that trigger on the smb vulnerability.

13491-0, 13492-0 - these two are meta signatures that make use of existing sigs 5602-0 5605-0 5589-0 to localize infected machines brute forcing their way about. Note that 5602, 5605, and 5589 need to be enabled for the meta signatures to fire.

0 Helpful

a.goldsmith
Level 1
Level 1
In response to wsulym

‎03-30-2009 10:53 PM

Is there any way we can use our NAMS to any effect to detect infected hosts?

0 Helpful

michael.d.brown
Level 1
Level 1

‎04-02-2009 08:40 AM

FYI, 5 new IPS signatures were released yesterday all on the intellishield alert.

16293/0 Conficker Worm Shellcode S389 04/01/2009

16293/1 Conficker Worm Shellcode S389 04/01/2009

16293/2 Conficker Worm Shellcode S389 04/01/2009

16296/0 Potential Conficker Command And Control Request S389 04/01/2009

16297/0 Worm Activity - Brute Force S389 04/01/2009

0 Helpful

SludnevTN_2
Level 1
Level 1

‎07-26-2009 01:15 AM

John. Have you found the way to defeat confliker using IOS IPS?

I do not understand why manually UNretired/enabled:

7280/0 Windows Server Service Remote Code Execution S36711/11/2008

7280/1 Windows Server Service Remote Code Execution S36711/11/2008

16293/0 Conficker Worm Shellcode S389 04/01/2009

16293/1 Conficker Worm Shellcode S389 04/01/2009

16296/0 Potential Conficker Command And Control Request S395 04/16/2009

are not triggered in 2 different nets with almost all infected hosts. What I have only noticed a lot of these messages

*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:5601 Subsig:1 Sev:100 Windows LSASS RPC Overflow [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:85

*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:6946 Subsig:0 Sev:100 Web Client Remote Code Execution Vulnerability [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:90

*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:7280 Subsig:0 Sev:100 Windows Server Service Remote Code Execution [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:90

*Jul 25 06:13:23.095: %IPS-4-SIGNATURE: Sig:5600 Subsig:0 Sev:100 Windows ASN.1 Bit String NTLMv2 Integer Overflow [192.168.109.27:1766 -> 192.168.100.118:445] VRF:NONE RiskRating:75

*Jul 25 06:22:47.175: %IPS-4-SIGNATURE: Sig:6764 Subsig:1 Sev:75 Cisco PIX and ASA Time-to-Live DoS [192.168.254.2:0 -> 224.0.0.5:0] VRF:NONE RiskRating:56

*Jul 25 07:15:49.927: %IPS-4-SIGNATURE: Sig:5600 Subsig:0 Sev:100 Windows ASN.1 Bit String NTLMv2 Integer Overflow [192.168.100.93:4658 -> 192.168.103.1:139] VRF:NONE RiskRating:75

But only in during 30 sec. while the signatures are being compiled.

Please help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card