Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Fizzer worm Signature available?

Does anyone know if the Fizzer worm sig is included in S44 or is there a custom signature for the vulnerability? Thank you-

  • Other Security Subjects
2 REPLIES
Cisco Employee

Re: Fizzer worm Signature available?

The Fizzer worm referenced at

http://www.f-secure.com/v-descs/fizzer.shtml

is currently being researched. Currently, we can write signatures to look for the backdoor activity created by the worm. From the F-Secure advisory:

The worm has additional backdoor capabilities. It listens to ports 2018-2021 for commands from a remote host (hacker's computer). The ports are used for the following purposes:

2018 - command port (sending/receiving commands)

2019 - file port (sending/receiving files)

2020 - console port (controlling the worm's behaviour)

2020 - video port (capturing video and sending it out)

The worm can also start an HTTP server on port 81 to provide additional access to an infected computer.

Below are the paramters that you can use to create a custom signature to detect the backdoor activity.

Engine: ATOMIC.TCP

SigName: Fizzer Worm Backdoor

Mask: FIN | SYN | RST | PSH | ACK | URG

SrcPort: 2018

TcpFlags: SYN | ACK

Add additional signatures for ports 2019,2020,81.

This worm also make connections to IRC servers, and an AOL server. We are still investigating these.

Lastly, the worm will send email messages to the to all users in the Outlook addressbook. It is not feasible to write a signature for this because the worm uses random file names.

Bronze

Re: Fizzer worm Signature available?

Upon further investigation, we are recommending the following for custom signatures for the Fizzer worm.

1) Updating code

The worm may attempt to update its code from a website. From an analysis of the worm binary, two possible attempts may be made. Here are parameters for custom signatures.

a)

Engine: STATE.HTTP (3.1) or SERVICE.HTTP (4.0)

UriRegex: /spkyupdate

b)

Engine: STATE.HTTP (3.1) or SERVICE.HTTP (4.0)

UriRegex: /updatesparky

2) IRC Backdoor

The worm will attempt to join an IRC channel from a list of known IRC servers. There are to many combinations to make an effective match. So, here is a custom signature to catch someone joining an IRC channel. This may cause false positives due to legitimate users.

Engine: STRING.TCP

ServicePorts: 6667

Direction: ToService

RegexString: [Jj][Oo][Ii][Nn][ \t]+[#]

93
Views
0
Helpful
2
Replies