
Fizzer worm Signature available?

nolasaintfan
Level 1

Does anyone know if the Fizzer worm sig is included in S44 or is there a custom signature for the vulnerability? Thank you-

2 Replies

anthall
Level 1

The Fizzer worm referenced at

http://www.f-secure.com/v-descs/fizzer.shtml

is currently being researched. Currently, we can write signatures to look for the backdoor activity created by the worm. From the F-Secure advisory:

The worm has additional backdoor capabilities. It listens to ports 2018-2021 for commands from a remote host (hacker's computer). The ports are used for the following purposes:

2018 - command port (sending/receiving commands)

2019 - file port (sending/receiving files)

2020 - console port (controlling the worm's behaviour)

2020 - video port (capturing video and sending it out)

The worm can also start an HTTP server on port 81 to provide additional access to an infected computer.

Below are the parameters that you can use to create a custom signature to detect the backdoor activity.

Engine: ATOMIC.TCP

SigName: Fizzer Worm Backdoor

Mask: FIN | SYN | RST | PSH | ACK | URG

SrcPort: 2018

TcpFlags: SYN | ACK

Add additional signatures for ports 2019,2020,81.

This worm also makes connections to IRC servers, and an AOL server. We are still investigating these.

Lastly, the worm will send email messages to all users in the Outlook address book. It is not feasible to write a signature for this because the worm uses random file names.

Upon further investigation, we are recommending the following for custom signatures for the Fizzer worm.

1) Updating code

The worm may attempt to update its code from a website. From an analysis of the worm binary, two possible attempts may be made. Here are parameters for custom signatures.

a)

Engine: STATE.HTTP (3.1) or SERVICE.HTTP (4.0)

UriRegex: /spkyupdate

b)

Engine: STATE.HTTP (3.1) or SERVICE.HTTP (4.0)

UriRegex: /updatesparky

2) IRC Backdoor

The worm will attempt to join an IRC channel from a list of known IRC servers. There are too many combinations to make an effective match. So, here is a custom signature to catch someone joining an IRC channel. This may cause false positives due to legitimate users.

Engine: STRING.TCP

ServicePorts: 6667

Direction: ToService

RegexString: [Jj][Oo][Ii][Nn][ \t]+[#]
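As an added illustration (not part of the thread, and not Cisco IDS code), the script below shows what the three signature engines used above actually test for, run over constructed packets rather than a capture. The Packet class, field names, the assumption that the update request travels over port 80, and all sample traffic are mine; the ports (2018-2021 and 81 from the F-Secure text), the Mask/TcpFlags pairing, the two URI strings and the IRC regex are taken from the replies above.

```python
"""Worked example: Fizzer custom-signature logic over constructed packets.

Packet, the field names and the sample traffic are assumptions for
illustration; they are not Cisco IDS internals or real captures.
"""
import re
from dataclasses import dataclass

# TCP header flag bits (RFC 793 / RFC 3168 bit positions).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80
ALL_SIX = FIN | SYN | RST | PSH | ACK | URG  # the Mask given in the post


@dataclass
class Packet:
    src_port: int
    dst_port: int
    tcp_flags: int
    payload: bytes = b""


def atomic_tcp(pkt, mask, tcp_flags, src_port=None):
    """ATOMIC.TCP as described in the post: only the bits selected by Mask are
    examined, and those bits must equal TcpFlags. Bits outside Mask (ECE, CWR)
    are ignored, so a SYN|ACK|ECE reply still fires."""
    if src_port is not None and pkt.src_port != src_port:
        return False
    return (pkt.tcp_flags & mask) == tcp_flags


_REQUEST_LINE = re.compile(rb"^[A-Z]+ (\S+) HTTP/1\.[01]\r\n")


def http_uri_regex(pkt, uri_regex, service_port=80):
    """Approximation of SERVICE.HTTP UriRegex: extract the URI from the request
    line of a packet heading to the web service (port 80 assumed here) and
    search it with the regex."""
    if pkt.dst_port != service_port:
        return False
    m = _REQUEST_LINE.match(pkt.payload)
    return bool(m and re.search(uri_regex, m.group(1)))


def string_tcp_to_service(pkt, service_port, regex):
    """STRING.TCP with Direction ToService: regex over the payload of packets
    whose destination is ServicePorts."""
    return pkt.dst_port == service_port and re.search(regex, pkt.payload) is not None


# One backdoor signature per listening port, plus the two update URIs and the
# IRC JOIN catch-all from the replies above.
SIGNATURES = [
    (f"Fizzer Worm Backdoor {p}",
     lambda pkt, p=p: atomic_tcp(pkt, ALL_SIX, SYN | ACK, src_port=p))
    for p in (2018, 2019, 2020, 2021, 81)
] + [
    ("Fizzer update /spkyupdate", lambda pkt: http_uri_regex(pkt, rb"/spkyupdate")),
    ("Fizzer update /updatesparky", lambda pkt: http_uri_regex(pkt, rb"/updatesparky")),
    ("IRC channel JOIN",
     lambda pkt: string_tcp_to_service(pkt, 6667, rb"[Jj][Oo][Ii][Nn][ \t]+[#]")),
]


def match_signatures(pkt):
    """Return the names of every signature the packet triggers."""
    return [name for name, check in SIGNATURES if check(pkt)]


# Constructed sample traffic (not captured data).
SAMPLES = {
    # infected host answering a connection to its command port
    "backdoor_synack": Packet(2018, 40123, SYN | ACK),
    # same, with ECN bits set; ECE is outside Mask so the match still fires
    "backdoor_synack_ece": Packet(2020, 40124, SYN | ACK | ECE),
    # someone probing port 2018; nothing confirms a listener, so no alert
    "client_syn_to_2018": Packet(40125, 2018, SYN),
    # ordinary client that happened to pick 2018 as its ephemeral port
    "ephemeral_2018_ack": Packet(2018, 80, ACK | PSH),
    "update_get": Packet(40126, 80, ACK | PSH,
                         b"GET /spkyupdate HTTP/1.0\r\nHost: example.invalid\r\n\r\n"),
    "normal_get": Packet(40127, 80, ACK | PSH, b"GET /index.html HTTP/1.0\r\n\r\n"),
    "irc_join": Packet(40128, 6667, ACK | PSH, b"join \t#chan\r\n"),
    # the unanchored regex also fires on a chat line that merely contains JOIN #
    "irc_privmsg_fp": Packet(40129, 6667, ACK | PSH, b"PRIVMSG #chan :JOIN #x\r\n"),
    "irc_nick": Packet(40130, 6667, ACK | PSH, b"NICK sparky\r\n"),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:22s} -> {match_signatures(pkt)}")
```

The SYN|ACK choice matters: it only fires when the suspect port answers, which is the evidence that something is listening there, and it stays quiet both for inbound probes and for ordinary clients that draw 2018-2021 as an ephemeral source port. The last two IRC samples show the false-positive trade-off the reply warns about: the JOIN regex is unanchored, so any line containing "JOIN #" toward port 6667 will alert, not just a real JOIN command.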