Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
460
Views
0
Helpful
5
Replies

Microsoft DCOM RPC Worm

vsantana
Level 1
Level 1

‎08-12-2003 11:41 AM - edited ‎03-09-2019 04:24 AM

Has Cisco deployed or will deploy soon an IDS signature to detect this worm?

Labels:
0 Helpful
5 Replies 5

HEATH FREEL
Level 1
Level 1

‎08-12-2003 11:50 AM

Yes - IDS-sig-3.1-3-S49.bin is the one for version 3.1 of the sensor - but I cant get it installed properly.

0 Helpful

mcerha
Level 3
Level 3

‎08-12-2003 12:06 PM

Yes, signatures 3327 and 3328 in signature update S49 will catch the buffer overflow attack used by the worm. Due to false positives, signature 3327 should be tuned to just inspect traffic on port 135, not ports 139 or 445. In addtion, you can add a custom signature to catch a host infected by the atempting to request a copy of worm payload file using TFTP. Here are the necessary parameters:

Engine STRING.UDP

SigName MS Blast Worm TFTP Request

ServicePorts 69

RegexString \x00\x01[Mm][Ss][Bb][Ll][Aa][Ss][Tt][.][Ee][Xx][Ee]\x00

Direction ToService

0 Helpful

bwheeler
Level 1
Level 1
In response to mcerha

‎08-14-2003 01:20 PM

I have updated our IDS to signature update S49, and added the custom signature that you suggested. I know that there are infected computers on our network, but nothing shows up. Any ideas ?

0 Helpful

klwiley
Cisco Employee
Cisco Employee
In response to bwheeler

‎08-14-2003 02:53 PM

Whether or not your sensor will see this worm on your network depends on the positioning of your sensor due to the nature of the way the worm spreads. It limits most of it's scanning activity to the local network segment of the infected host. If your sensor is positioned such that only inter-network communication is seen and it can not see intra-network communication you will probably not see many if any alarms.

0 Helpful

d.twaddle
Level 1
Level 1
In response to klwiley

‎08-15-2003 08:18 AM

Here are a few more custom signatures, including the one posted above, to detect variants.

Engine STRING.UDP

SigName MS Blast Worm TFTP Request

ServicePorts 69

RegexString \x00\x01[Mm][Ss][Bb][Ll][Aa][Ss][Tt][.][Ee][Xx][Ee]\x00

Direction ToService

Engine STRING.UDP

SigName MS Blast Worm B TFTP Request penis32.exe

ServicePorts 69

RegexString \x00\x01[Pp][Ee][Nn][Ii][Ss][3][2][.][Ee][Xx][Ee]\x00

Direction ToService

Engine STRING.UDP

SigName MS Blast Worm C TFTP Request teekids.exe

ServicePorts 69

RegexString \x00\x01[Tt][Ee][Ee][Kk][Ii][Dd][Ss][.][Ee][Xx][Ee]\x00

Direction ToService

Engine STRING.UDP

SigName MS Blast Worm TFTP Request smsx.exe

ServicePorts 69

RegexString \x00\x01[Ss][Mm][Ss][Xx][.][Ee][Xx][Ee]\x00

Direction ToService

0 Helpful
Customers Also Viewed These Support Documents