Home | About Us | FAQ | Signature Downloads | All Projects | Submit a Signature | Mailing Lists | Feeds | Open Job Board | Sponsors | Documentation

  • RSS Latest Docs

    • 2003394
    • SnortConfSamples
    • FastFluxDNSResponseDetection
    • 2007634
    • DilipPatel
    • TestTest123
    • 2003642
    • 2007588
    • 2007688
    • 2007706

  • RSS Latest Sigs

    • VIRUS/TROJAN_PRG
    • VIRUS/TROJAN_Win32.Pakes
    • current-sids.txt
    • CURRENT_EVENTS/CURRENT_WPAD
    • current-sids.txt
    • CURRENT_EVENTS/CURRENT_WPAD
    • current-sids.txt
    • WEB/WEB_Neosploit
    • current-sids.txt
    • VIRUS/TROJAN_Win32.Pakes

  • Recent Comments

    • Buck on Guard.zip Phish, Very targeted, Sig Available
    • Lance on Guard.zip Phish, Very targeted, Sig Available
    • akgunk on Guard.zip Phish, Very targeted, Sig Available
    • Bill475382635','199440348billy@msn.com','','20.134.10.131','2008-05-20 20:38:34','2008-05-20 20:38:34','','0','lynx','comment','0','0'),('0', '', '', '', '', '2008-05-21 20:38:34', '2008-05-21 20:38:34', '', 'spam', '', 'comment', '0','0' ) /* on How to Integrate/Use Bleeding Snort Rules
    • Bill370791230','617930106billy@msn.com','','104.199.69.73','2008-05-20 20:03:22','2008-05-20 20:03:22','','0','lynx','comment','0','0'),('0', '', '', '', '', '2008-05-21 20:03:22', '2008-05-21 20:03:22', '', 'spam', '', 'comment', '0','0' ) /* on How to Integrate/Use Bleeding Snort Rules

  • Recent Posts

    • Rule & Firewall Updates Re-enabled
    • I’m Leaving Bleeding Threats!
    • Encrypted Storm Sigs
    • Windows 98 Snort Signature
    • E-Jihad Tool Sigs
    • « Encrypted Storm Traffic
    IDS Policy Manager v2.2 Beta Released! »

    Storm Side C&C Channel

    This new variant of Storm is using a short TCP connection for direct commands apparently. Reverse engineered by Joe Stewart at Secureworks. It’s in essence 4bytes up from the drone, 4bytes back to setup and authenticate eachother.

    These sigs will catch that setup. I can’t imagine many situations where these would false, but it is possible. Please report any issues.

    alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:”BLEEDING-EDGE TROJAN Storm Making initial outbound connection”; flowbits:isnotset,BE.stormtcp.init; flow:established,to_server; dsize:4; classtype:trojan-activity; flowbits:noalert; flowbits:set,BE.stormtcp.init; reference:url,doc.bleedingthreats.net/bin/view/Main/StormWorm; sid:2007640; rev;1;)

    alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:”BLEEDING-EDGE TROJAN Storm Controller Response to Drone via tcp”; flowbits:isset,BE.stormtcp.init; flow:established,from_server; dsize:4; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/bin/view/Main/StormWorm; sid:2007641; rev:1;)

    This entry was posted on Monday, October 15th, 2007 at 11:11 pm and is filed under New Rules. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

    One Response to “Storm Side C&C Channel”

    1. LogicX Says:
      October 16th, 2007 at 11:28 pm

      Skype and perhaps other P2P applications appear to create false positives to these rules. (I was able to confirm, just having skype running, and not even engaging in any use of the service, my linux desktop was able to set this off a number of times)

    Leave a Reply

    You must be logged in to post a comment.

    Entries (RSS) and Comments (RSS)
    Copyright © 2007 Bleeding Edge Threats.
    All trademarks and copyrights on this page are owned by their respective owners. Snort® is a registered trademark of Sourcefire, Inc.