New Member

signature for blackworm

Hi, do we have a signature for the blackworm, or instructions for creating a custom signature to detect it. (http://isc.sans.org/blackworm)

Thanks.

9 REPLIES
Cisco Employee

Re: signature for blackworm

Even if this has particularly caught the media attention, this is another of those mass-mailer worms. As you may know, for this kind of threat we are relying on our partnership with TrendMicro to decide if and when to write a signature.

So far this threat is still rated as "low" on their website. We don't currently plan to release a signature for this until their rating has been increased to medium or high.

In the meantime you can use the following custom signature to catch WORM_GREW.A also known as W32.Blackmal.E@mm, W32/Kapser.A@mm, W32/MyWife, Win32/Blackmal.F:

Engine: String.TCP

Service Port: 25

Regex String :

\x6d\x41\x70\x4d\x6a\x74\x64\x4e\x45\x51\x78\x4a\x7a\x49\x6a\x53\x79\x46\x49\x4f\x44\x30\x4e\x43\x6b\x31\x4b\x57\x6c\x51\x70\x4e
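As an added illustration (not from the original reply or from Cisco), the following Python script decodes the hex-escaped regex posted above into the readable fragment it matches, then mimics the String.TCP engine's behaviour of inspecting only traffic sent *to* port 25 over a few constructed SMTP segments. The flow tuples, sample message bodies and function names are assumptions made for the example.

```python
import re

# The custom signature exactly as posted in the reply above.
SIG_ENGINE = "String.TCP"
SIG_SERVICE_PORT = 25
SIG_REGEX = (r"\x6d\x41\x70\x4d\x6a\x74\x64\x4e\x45\x51\x78\x4a\x7a\x49\x6a\x53"
             r"\x79\x46\x49\x4f\x44\x30\x4e\x43\x6b\x31\x4b\x57\x6c\x51\x70\x4e")


def decode_hex_regex(pattern: str) -> str:
    """Expand \\xNN escapes so the bytes the sensor looks for become readable."""
    return re.sub(r"\\x([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), pattern)


# Python bytes regexes understand the same \xNN escapes, so the pattern
# compiles unchanged.
_SIG = re.compile(SIG_REGEX.encode("ascii"))


def inspect_segment(dst_port: int, payload: bytes) -> bool:
    """Mimic the engine: only segments *to* the service port are inspected."""
    if dst_port != SIG_SERVICE_PORT:
        return False
    return _SIG.search(payload) is not None


def run_signature(flows):
    """Return the indexes of the (dst_port, payload) flows that would alert."""
    return [i for i, (dst_port, payload) in enumerate(flows)
            if inspect_segment(dst_port, payload)]


# Constructed sample segments (not captured traffic): the literal fragment from
# the signature sits inside a base64 body line of an SMTP DATA phase; the other
# two show a clean message and the same bytes sent to a non-SMTP port.
FRAGMENT = decode_hex_regex(SIG_REGEX).encode("ascii")
SAMPLE_FLOWS = [
    (25, b"DATA\r\nContent-Transfer-Encoding: base64\r\n\r\nQUJDREVGR0hJSktM"
         + FRAGMENT + b"QUJDREVGR0hJSktM\r\n"),
    (25, b"DATA\r\nContent-Type: text/plain\r\n\r\nMeeting moved to 3pm.\r\n.\r\n"),
    (80, b"GET /?q=" + FRAGMENT + b" HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    print("alerts on flows:", run_signature(SAMPLE_FLOWS))  # prints [0]
```

The third sample shows why the port matters: the same bytes on port 80 are not inspected by a String.TCP signature bound to service port 25.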

New Member

Re: signature for blackworm

Other vendors have already produced the signatures for Blackworm (Nyxem.E, Blackmal.E, MyWife, Tearec).

Do Cisco have an update as Feb 3 is the troublesome date?

Simone.

Cisco Employee

Re: signature for blackworm

See the first reply for a custom signature. It is official, from Cisco.

New Member

Re: signature for blackworm

I understand Trend Micro has decided this is a low threat; however, others have rated this at a medium. While I understand the partnership with TM, I do not understand leaving your customers without adequate IDS coverage for something that is apparently more of a threat to them.

The custom signature that you posted here does okay for an SMTP-based variant, but once this particular worm gets in it will look for open shares. What we need is a way to detect this. From what I saw from Snort, it did not look like that was available; instead there were ways to detect the worm trying to hit the web site with a counter, possibly showing a machine that is infected, or possibly just showing firewall logs.

What would be nice is to not have to worry about the worm because Cisco provided a quality signature and blocked the worm as soon as it sees it. I can create my own custom signatures but when you have customers asking for this and they have paid Cisco for a product plus they are paying support, I do not understand why Cisco will not deliver. Can you explain this other than that is Cisco's answer?

This is just my opinion but as a customer it also affects my decision to remain a customer.

my .02

New Member

Re: signature for blackworm

Please advise how to create a signature (service.http engine?) that would trigger if it finds regex pattern A in an HTTP request which does not contain the pattern B?

Thanks.

Cisco Employee

Re: signature for blackworm

The Cisco IDS/IPS sensors are not an antivirus solution. That being said, because of typical sensor placement, we see the usefulness of the sensor to provide some sort of mitigation in certain instances. For one, we partner with Trend Micro and when there is a virus/worm outbreak that is elevated to medium or high, we will package a signature for that worm onto the sensor and release that update - so far, every time this has happened, the update has been available on CCO in under 8 hours from Trend's initial elevation.

Our goal is to write vulnerability-based signatures. Numerous worms/viruses spread via the same vulnerability; we catch the attempted exploit of that vulnerability, you stop the worm from spreading. So something like sigID 3338 - LSASS RPC overflow - Sasser, Korgo, RXBot all try to exploit this. Why write signatures for the individual worms when the one that we have stops them all from spreading?

As to BlackWorm, Trend has not elevated this to a medium/high risk outbreak (Trend's rating of this is not what we ultimately base our decision on). We currently don't see this as severe enough to release a signature for. However, there has been a fair amount of interest in it; as such, we've decided to provide a custom signature for those who want it. Based on where most sensors are placed, the SMTP-based signature provides the best coverage.

New Member

Re: signature for blackworm

Where is the custom signature?

Is it the regex string posted in the previous posting? Do you have more insight on how to create it, what engine etc.?

Cisco Employee

Re: signature for blackworm

It is the regex posted. The engine is listed along with the regex, but to clarify, it's in "string.tcp" and *to* port 25.

New Member

Re: signature for blackworm

Just to add fuel to this discussion, the 4200 brochure says it will provide protection against network viruses; what does that mean ;-)

http://www.cisco.com/en/US/products/hw/vpndevc/ps4077/index.html
