Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

W32.BugBear sigs

Anyone have any sigs or network dumps of the bugbear worm/its traffic thats going around now?

-brkn!

5 REPLIES
New Member

Re: W32.BugBear sigs

Did you get any responses? I'd like to have them if you did. I'm thinking SANS, EEYE, or CERT may have them available.

D.

New Member

Re: W32.BugBear sigs

I submitted a TAC Case on this issue and was told by the engineer that contacted me that Cisco has no plans to add a specific signature to capture the BugBear virus. Three days later they released Signature Update 3.1(3)S33. Below is a description of the signature in question from the Cisco Alert.

"Signature 9023 has been added to address the backdoor created by the

W32.Bugbear worm. The signature will fire if a SYN packet is detected destined for TCP port 36794. Any activity on this port may indicate an attacker accessing the Bugbear backdoor. This signature is disabled by default. You can only apply this signature update to IDS-42xx and NRS-xx series Cisco Intrusion Detection System (IDS) sensors. It is not compatible with the WS-X6381-IDS series Intrusion Detection System Module (IDSM). "

Note that this signature is disabled by default (all action codes are set to "0" in packetd.conf), therfore set the action codes to a value higher than 0 and higher than your MinContextLevel to see attempts to access the backdoor port by BugBear.

Bronze

Re: W32.BugBear sigs

Here is an example signature converted from a proposed Snort signature that supposedly fires on the Bugbear worm. It has not been tested. Nor will it be supported or included in a signature update. It may false positive and cause a performance hit on your sensors.

Also, we did release a signature for the BugBear backdoor port in S33. It was a miscommunication that we would not create a signature for that. However, we do not generally write signatures for email born virues like BugBear itself. We believe that anti-virus is the best solution for mitigating these kinds of problems.

___________________________________________________________________________

Current Signature: Engine ATOMIC.TCP SIGID 20000

SigName: Bugbear Worm

___________________________________________________________________________

0 - Edit ALL Parameters

1 - AlarmInterval =

2 - AlarmThrottle = FireOnce

3 - ChokeThreshold = 100

4 - DstPort = 25

5 - FlipAddr =

6 - LimitSummary =

7 * Mask = PSH ACK

8 - MaxInspectLength =

9 - MinHits =

10 - PortRange =

11 - ResetAfterIdle = 15

12 - SigComment =

13 - SigName = Bugbear Worm

14 - SigStringInfo =

15 - SinglePacketRegex =

uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQ

16 - SourcePorts =

17 - SrcPort =

18 * StorageKey = SRC

19 * TcpFlags = PSH ACK

20 - ThrottleInterval = 30

21 - WantFrag =

d - Delete a value

u - UNDO and continue

x - SAVE and continue

___________________________________________________________________________

New Member

Re: W32.BugBear sigs

I have been looking for the BUGBEAR signature in the S33 Sig update but have not been able to find it. Can you give the SIGID for the BUGBEAR signature?

Thanks

Bronze

Re: W32.BugBear sigs

9023. It is just an alarm that can be turned to warn of possible scanning for or usage of the backdoor left by the Bugbear worm.

125
Views
0
Helpful
5
Replies
CreatePlease to create content