05-14-2003 07:29 AM - edited 03-09-2019 03:17 AM
Does anyone know if the Fizzer worm sig is included in S44, or is there a custom signature for the vulnerability? Thank you.
05-14-2003 08:47 AM
The Fizzer worm referenced at
http://www.f-secure.com/v-descs/fizzer.shtml
is currently being researched. Currently, we can write signatures to look for the backdoor activity created by the worm. From the F-Secure advisory:
The worm has additional backdoor capabilities. It listens to ports 2018-2021 for commands from a remote host (hacker's computer). The ports are used for the following purposes:
2018 - command port (sending/receiving commands)
2019 - file port (sending/receiving files)
2020 - console port (controlling the worm's behaviour)
2020 - video port (capturing video and sending it out)
The worm can also start an HTTP server on port 81 to provide additional access to an infected computer.
Below are the parameters that you can use to create a custom signature to detect the backdoor activity.
Engine: ATOMIC.TCP
SigName: Fizzer Worm Backdoor
Mask: FIN | SYN | RST | PSH | ACK | URG
SrcPort: 2018
TcpFlags: SYN | ACK
Add additional signatures for ports 2019, 2020, 81.
This worm also makes connections to IRC servers, and an AOL server. We are still investigating these.
Lastly, the worm will send email messages to all users in the Outlook address book. It is not feasible to write a signature for this because the worm uses random file names.
05-14-2003 10:41 AM
Upon further investigation, we are recommending the following for custom signatures for the Fizzer worm.
1) Updating code
The worm may attempt to update its code from a website. From an analysis of the worm binary, two possible attempts may be made. Here are parameters for custom signatures.
a)
Engine: STATE.HTTP (3.1) or SERVICE.HTTP (4.0)
UriRegex: /spkyupdate
b)
Engine: STATE.HTTP (3.1) or SERVICE.HTTP (4.0)
UriRegex: /updatesparky
2) IRC Backdoor
The worm will attempt to join an IRC channel from a list of known IRC servers. There are too many combinations to make an effective match. So, here is a custom signature to catch someone joining an IRC channel. This may cause false positives due to legitimate users.
Engine: STRING.TCP
ServicePorts: 6667
Direction: ToService
RegexString: [Jj][Oo][Ii][Nn][ \t]+[#]
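As an added illustration (not code from this thread or from the Cisco sensor), the following Python applies the three signature types recommended above (ATOMIC.TCP backdoor reply, HTTP UriRegex update check, STRING.TCP IRC JOIN) to constructed connection records. The TcpEvent record layout and the SAMPLE events are assumptions made for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class TcpEvent:
    """Hypothetical, simplified connection record (assumed; not a real sensor format)."""
    src_port: int
    dst_port: int
    flags: set          # TCP flags seen, e.g. {"SYN", "ACK"}
    payload: bytes = b""
    uri: str = ""       # parsed HTTP request URI, if the event is an HTTP request

# Mask from the ATOMIC.TCP signature: every flag is compared, so flags must equal SYN|ACK exactly
FLAG_MASK = {"FIN", "SYN", "RST", "PSH", "ACK", "URG"}
BACKDOOR_PORTS = {2018: "command", 2019: "file", 2020: "console/video", 81: "http"}
UPDATE_URIS = [re.compile(r"/spkyupdate"), re.compile(r"/updatesparky")]
IRC_JOIN = re.compile(rb"[Jj][Oo][Ii][Nn][ \t]+[#]")   # RegexString from the thread

def match_backdoor(ev):
    # ATOMIC.TCP: SYN|ACK sent from the worm's listening port (its reply to a connect)
    if ev.src_port in BACKDOOR_PORTS and (ev.flags & FLAG_MASK) == {"SYN", "ACK"}:
        return f"Fizzer Worm Backdoor ({BACKDOOR_PORTS[ev.src_port]} port {ev.src_port})"
    return None

def match_update(ev):
    # SERVICE.HTTP / STATE.HTTP UriRegex: update URIs found in the worm binary
    for rx in UPDATE_URIS:
        if ev.uri and rx.search(ev.uri):
            return f"Fizzer update URI {rx.pattern}"
    return None

def match_irc_join(ev):
    # STRING.TCP, ServicePorts 6667, Direction ToService: client joining a channel
    if ev.dst_port == 6667 and IRC_JOIN.search(ev.payload):
        return "IRC channel JOIN (possible Fizzer backdoor, may be legitimate user)"
    return None

def scan(events):
    """Return (event index, signature name) for every event that fires a signature."""
    hits = []
    for i, ev in enumerate(events):
        for matcher in (match_backdoor, match_update, match_irc_join):
            name = matcher(ev)
            if name:
                hits.append((i, name))
    return hits

SAMPLE = [  # constructed records
    TcpEvent(2018, 40123, {"SYN", "ACK"}),                       # backdoor answering a connect
    TcpEvent(2018, 40124, {"SYN", "ACK", "PSH"}),                # extra flag, mask mismatch: no alert
    TcpEvent(50000, 80, {"PSH", "ACK"}, uri="/spkyupdate?x=1"),  # update attempt
    TcpEvent(50001, 6667, {"PSH", "ACK"}, payload=b"JOIN  #chan\r\n"),
    TcpEvent(50002, 6667, {"PSH", "ACK"}, payload=b"PRIVMSG bob :hi\r\n"),  # no JOIN
]
```

The second SAMPLE record shows why the full six-flag mask matters: a SYN|ACK|PSH segment does not fire, so the signature only alerts on a plain listener reply.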