In light of the number of storm worm emails out there, it’s been suggested we put some sigs up for them. The attachments are predictable, so they’re pretty reliable sigs:

alert tcp any any -> $HOME_NET 25 (msg:”BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (patch-)”; flow:established,to_server; content:”filename=|22|patch|2e|”; nocase; pcre:”/patch-\d{4,5}\x2ezip/i”; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=2612; sid:2003571; rev:1;)

alert tcp any any -> $HOME_NET 25 (msg:”BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (bugfix-)”; flow:established,to_server; content:”filename=|22|bugfix|2e|”; nocase; pcre:”/bugfix-\d{4,5}\x2ezip/i”; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=2612; sid:2003572; rev:1;)

alert tcp any any -> $HOME_NET 25 (msg:”BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (hotfix-)”; flow:established,to_server; content:”filename=|22|hotfix|2e|”; nocase; pcre:”/hotfix-\d{4,5}\x2ezip/i”; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=2612; sid:2003573; rev:1;)

alert tcp any any -> $HOME_NET 25 (msg:”BLEEDING-EDGE CURRENT EVENTS Probable Storm Worm Email Inbound (removal-)”; flow:established,to_server; content:”filename=|22|removal|2e|”; nocase; pcre:”/removal-\d{4,5}\x2ezip/i”; classtype:attempted-admin; reference
:url,isc.sans.org/diary.html?storyid=2612; sid:2003574; rev:1;)

Please let me know how they fare. We’ll remove them in a week or so, once the volume drops.

Matt

This entry was posted on Friday, April 13th, 2007 at 3:55 pm and is filed under General, New Rules. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.