Cisco Support Community

New Member

Signatures related to Conficker worm

Can someone please tell me if there has been a signature generated for the Conficker worm and, if not, what current signature or set of signatures I might want to key off when looking for this worm?

4 REPLIES
Cisco Employee

Re: Signatures related to Conficker worm

Try this. Go here:

http://tools.cisco.com/security/center/home.x

Type "conficker" into the search box up top...

You get here:

http://tools.cisco.com/security/center/viewAlert.x?alertId=17121

Scroll way down to the linked signature section and you'll see:

7280-0, 7280-1 - these two are signatures that trigger on the SMB vulnerability.

13491-0, 13492-0 - these two are meta signatures that make use of existing sigs 5602-0, 5605-0 and 5589-0 to localize infected machines brute forcing their way about. Note that 5602, 5605, and 5589 need to be enabled for the meta signatures to fire.

New Member

Re: Signatures related to Conficker worm

Is there any way we can use our NAMs to any effect to detect infected hosts?

New Member

Re: Signatures related to Conficker worm

FYI, 5 new IPS signatures were released yesterday, all on the IntelliShield alert.

16293/0 Conficker Worm Shellcode S389 04/01/2009

16293/1 Conficker Worm Shellcode S389 04/01/2009

16293/2 Conficker Worm Shellcode S389 04/01/2009

16296/0 Potential Conficker Command And Control Request S389 04/01/2009

16297/0 Worm Activity - Brute Force S389 04/01/2009

New Member

Re: Signatures related to Conficker worm

John, have you found a way to defeat Conficker using IOS IPS?

I do not understand why these manually unretired/enabled signatures:

7280/0 Windows Server Service Remote Code Execution S367 11/11/2008

7280/1 Windows Server Service Remote Code Execution S367 11/11/2008

16293/0 Conficker Worm Shellcode S389 04/01/2009

16293/1 Conficker Worm Shellcode S389 04/01/2009

16296/0 Potential Conficker Command And Control Request S395 04/16/2009

are not triggered in 2 different nets with almost all hosts infected. All I have noticed is a lot of these messages:

*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:5601 Subsig:1 Sev:100 Windows LSASS RPC Overflow [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:85

*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:6946 Subsig:0 Sev:100 Web Client Remote Code Execution Vulnerability [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:90

*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:7280 Subsig:0 Sev:100 Windows Server Service Remote Code Execution [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:90

*Jul 25 06:13:23.095: %IPS-4-SIGNATURE: Sig:5600 Subsig:0 Sev:100 Windows ASN.1 Bit String NTLMv2 Integer Overflow [192.168.109.27:1766 -> 192.168.100.118:445] VRF:NONE RiskRating:75

*Jul 25 06:22:47.175: %IPS-4-SIGNATURE: Sig:6764 Subsig:1 Sev:75 Cisco PIX and ASA Time-to-Live DoS [192.168.254.2:0 -> 224.0.0.5:0] VRF:NONE RiskRating:56

*Jul 25 07:15:49.927: %IPS-4-SIGNATURE: Sig:5600 Subsig:0 Sev:100 Windows ASN.1 Bit String NTLMv2 Integer Overflow [192.168.100.93:4658 -> 192.168.103.1:139] VRF:NONE RiskRating:75

But only during the 30 seconds while the signatures are being compiled.

Please help.
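The replies above list the Conficker-related signature IDs (7280, 13491, 13492, 16293, 16296, 16297), note that the meta signatures 13491/13492 only fire when 5602, 5605 and 5589 are enabled, and post raw %IPS-4-SIGNATURE syslog lines from an IOS IPS router. The following is an added example, not code from the thread or from Cisco: a small Python parser that reads those syslog lines, counts hits per signature/subsignature, groups Conficker-signature hits by source host (the "localize infected machines" use described above), and reports which meta-signature components are missing from a given set of enabled signature IDs. The sample log is the set of lines posted in the last reply plus one constructed non-IPS line; the set of enabled signatures passed to `missing_meta_components` is a constructed input, and the regular expression assumes the field order shown in the posted lines.

```python
"""Parse Cisco IOS IPS %IPS-4-SIGNATURE syslog lines and summarise them.

Added example; not from the thread or from Cisco. Signature IDs come from the
thread's replies, the sample lines from the last post.
"""
import re
from collections import Counter, defaultdict

# Field layout as it appears in the posted IOS IPS lines (assumed to be stable).
IPS_RE = re.compile(
    r"%IPS-4-SIGNATURE: Sig:(?P<sig>\d+) Subsig:(?P<subsig>\d+) Sev:(?P<sev>\d+) "
    r"(?P<name>.+?) \[(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\] "
    r"VRF:(?P<vrf>\S+) RiskRating:(?P<rr>\d+)"
)

# Signature IDs the thread names as Conficker-related.
CONFICKER_SIGS = {7280, 13491, 13492, 16293, 16296, 16297}
# Component signatures that meta signatures 13491/13492 depend on.
META_COMPONENT_SIGS = {5589, 5602, 5605}

# Sample input: the six lines posted in the thread plus one constructed
# non-IPS line (last line) to show that unrelated syslog is skipped.
SAMPLE_LOG = """\
*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:5601 Subsig:1 Sev:100 Windows LSASS RPC Overflow [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:85
*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:6946 Subsig:0 Sev:100 Web Client Remote Code Execution Vulnerability [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:90
*Jul 25 05:55:53.499: %IPS-4-SIGNATURE: Sig:7280 Subsig:0 Sev:100 Windows Server Service Remote Code Execution [192.168.100.10:1343 -> 192.168.106.74:139] VRF:NONE RiskRating:90
*Jul 25 06:13:23.095: %IPS-4-SIGNATURE: Sig:5600 Subsig:0 Sev:100 Windows ASN.1 Bit String NTLMv2 Integer Overflow [192.168.109.27:1766 -> 192.168.100.118:445] VRF:NONE RiskRating:75
*Jul 25 06:22:47.175: %IPS-4-SIGNATURE: Sig:6764 Subsig:1 Sev:75 Cisco PIX and ASA Time-to-Live DoS [192.168.254.2:0 -> 224.0.0.5:0] VRF:NONE RiskRating:56
*Jul 25 07:15:49.927: %IPS-4-SIGNATURE: Sig:5600 Subsig:0 Sev:100 Windows ASN.1 Bit String NTLMv2 Integer Overflow [192.168.100.93:4658 -> 192.168.103.1:139] VRF:NONE RiskRating:75
*Jul 25 07:16:00.000: %SYS-5-CONFIG_I: Configured from console by vty0 (constructed line)
"""


def parse_line(line):
    """Return a dict of fields for one %IPS-4-SIGNATURE line, or None."""
    m = IPS_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    for key in ("sig", "subsig", "sev", "sport", "dport", "rr"):
        event[key] = int(event[key])
    return event


def parse_log(text):
    """Parse every line of a syslog capture, skipping non-IPS lines."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def hits_by_signature(events):
    """Count alerts per (signature, subsignature) pair."""
    return Counter((e["sig"], e["subsig"]) for e in events)


def suspected_sources(events, min_risk=75):
    """Map each source IP that fired a Conficker-related signature at or above
    min_risk to the sorted list of hosts it targeted."""
    targets = defaultdict(set)
    for e in events:
        if e["sig"] in CONFICKER_SIGS and e["rr"] >= min_risk:
            targets[e["src"]].add(e["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()}


def missing_meta_components(enabled_sigs):
    """Given the set of enabled signature IDs, return the component signatures
    that 13491/13492 need but which are not enabled (empty set if all present)."""
    return META_COMPONENT_SIGS - set(enabled_sigs)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for (sig, subsig), n in sorted(hits_by_signature(evts).items()):
        print(f"Sig:{sig} Subsig:{subsig} hits={n}")
    for src, dsts in suspected_sources(evts).items():
        print(f"{src} fired Conficker-related sigs against {', '.join(dsts)}")
    print("missing meta components:", missing_meta_components({5602, 13491, 13492}))
```

Run against a real `show logging` capture, `suspected_sources` is the list to hand to the desktop team, and a non-empty result from `missing_meta_components` explains why 13491/13492 never fire even though the router is seeing the brute-force traffic.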
