Encrypted Storm Sigs
As you all know, there's been a variant of Storm that's XOR-encrypting its P2P traffic. I didn't put up sigs for this one specifically, as we expected it to change and we'd see a flood of differently encrypting variants. All I could put up was a few sigs looking for UDP packets of a certain size and frequency, which has been only slightly successful.
So far we're only seeing that one variant encrypt, and in better than a month it hasn't changed its key. So I'm going ahead and putting up sigs specifically for that variant. It seems it's going to stay for a while longer.
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"|10 a6 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007701; rev:1;)
alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"BLEEDING-EDGE TROJAN Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"|10 a0 d4 c3|"; depth:4; threshold: type both, count 1, seconds 60, track by_src; classtype:trojan-activity; sid:2007702; rev:1;)
Please let me know how they go!
Matt