Encrypted Storm Traffic
A nice fun twist in the Storm worm story: they're encrypting the eDonkey traffic now, so the current sigs won't hit on these particular variants.
I've made up some new ones. These rely on packet size and frequency rather than payload content: the search-by-md5 and ack packets are a constant length, encrypted or not.
Please test these and let me know how they go, especially if they work!
Huge credit goes to Joe Stewart of Secureworks. Excellent work identifying the encryption method!
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Traffic Outbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_src; classtype:trojan-activity; sid:2007634; rev:1;)
alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Traffic Inbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_dst; classtype:trojan-activity; sid:2007635; rev:1;)
alert udp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Traffic Inbound - Likely Search by md5"; dsize:25; threshold: type threshold, count 40, seconds 60, track by_dst; classtype:trojan-activity; sid:2007636; rev:1;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Traffic Outbound - Likely Connect Ack"; dsize:2; threshold: type threshold, count 10, seconds 60, track by_src; classtype:trojan-activity; sid:2007637; rev:1;)
More detail here
http://doc.bleedingthreats.net/bin/view/Main/StormWorm
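To see what these size-and-frequency rules actually do before dropping them on a sensor, here is an added Python replay of the four signatures over a constructed capture. This is example code written for this page, not the Bleeding Edge rules or Snort's own engine. It assumes $HOME_NET is 10.0.0.0/8 (everything else is $EXTERNAL_NET), the sample packets are made up, and the threshold handling is an approximate reading of Snort's `type threshold` semantics (count per tracked address inside a window that opens at the first match, fire when the count reaches the limit, then count again from zero).

```python
"""Replay the dsize/threshold Storm rules from the post over constructed UDP records."""
import ipaddress
from dataclasses import dataclass

# Assumption for this example: $HOME_NET is 10.0.0.0/8, $EXTERNAL_NET is everything else.
HOME_NET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since capture start
    src: str
    sport: int
    dst: str
    dport: int
    dsize: int     # UDP payload length, which is what Snort's dsize compares


# The four signatures from the post reduced to the fields the matcher needs:
# (sid, direction, dsize, count, seconds, track)
RULES = [
    (2007634, "out", 25, 40, 60, "by_src"),  # Outbound - Likely Search by md5
    (2007635, "in",   2, 10, 60, "by_dst"),  # Inbound - Likely Connect Ack
    (2007636, "in",  25, 40, 60, "by_dst"),  # Inbound - Likely Search by md5
    (2007637, "out",  2, 10, 60, "by_src"),  # Outbound - Likely Connect Ack
]


def is_home(ip):
    return ipaddress.ip_address(ip) in HOME_NET


def header_matches(rule, pkt):
    """udp $X 1024:65535 -> $Y 1024:65535 plus dsize:N, nothing about payload bytes."""
    _, direction, dsize, *_ = rule
    if not (1024 <= pkt.sport <= 65535 and 1024 <= pkt.dport <= 65535):
        return False
    if pkt.dsize != dsize:
        return False
    if direction == "out":
        return is_home(pkt.src) and not is_home(pkt.dst)
    return is_home(pkt.dst) and not is_home(pkt.src)


class Threshold:
    """Approximation (assumed) of 'threshold: type threshold, count C, seconds S, track by_x'."""

    def __init__(self):
        self.state = {}  # (sid, tracked_ip) -> (window_start, count)

    def hit(self, rule, pkt):
        sid, _, _, count, seconds, track = rule
        key = (sid, pkt.src if track == "by_src" else pkt.dst)
        start, n = self.state.get(key, (None, 0))
        if start is None or pkt.ts - start >= seconds:
            start, n = pkt.ts, 0           # window expired (or first match): open a new one
        n += 1
        if n >= count:
            self.state[key] = (pkt.ts, 0)  # fired: restart counting from zero
            return True
        self.state[key] = (start, n)
        return False


def run(packets):
    """Return alerts as (sid, tracked_ip, ts) in the order they fire."""
    th = Threshold()
    alerts = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        for rule in RULES:
            if header_matches(rule, pkt) and th.hit(rule, pkt):
                tracked = pkt.src if rule[5] == "by_src" else pkt.dst
                alerts.append((rule[0], tracked, pkt.ts))
    return alerts


def flow(src, sport, dst, dport, dsize, n, t0=0.0, gap=1.0):
    """Constructed sample traffic: n packets of one size, one every `gap` seconds."""
    return [Packet(t0 + i * gap, src, sport, dst, dport, dsize) for i in range(n)]


def sample():
    """Constructed capture: a home host sending 25-byte searches to a peer, the peer
    sending 2-byte acks back, plus 25-byte packets to a low port that must not count."""
    return (flow("10.1.2.3", 30123, "203.0.113.5", 4451, 25, 45)   # 45 searches in 45 s
            + flow("203.0.113.5", 4451, "10.1.2.3", 30123, 2, 12)  # 12 acks in 12 s
            + flow("10.1.2.3", 40000, "192.0.2.53", 53, 25, 50))   # dport 53: outside 1024:65535


if __name__ == "__main__":
    for sid, ip, ts in run(sample()):
        print(f"t={ts:5.1f}s sid:{sid} host {ip}")
```

Two things the replay makes obvious. First, the rules key on nothing but payload size, high ports and rate, so any UDP application that emits 25-byte or 2-byte datagrams between ephemeral ports at forty or ten per minute will trip them; expect to tune the counts for your own network. Second, the window matters: the same forty searches spread over eighty seconds never reach the count, because the window resets at sixty seconds, so a slow node stays under the threshold.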
Matt
October 15th, 2007 at 2:11 pm
[…] Jonkman over at Bleedingthreats.net has written some signatures to detect Storm nodes on a network in a generic way. These signatures look for certain UDP packet […]