Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)
Hello. This is an urgent alert released by the cooperative efforts of the MWP / DA groups that also worked on the hurricane Rita scams. This task force is now known as the TISF BlackWorm task force. This task force involves many in the security (anti spam, CERTs, anti virus, academia, ISP's, etc.) community and industry, working together to combat threats to the security of the Internet in cooperation with law enforcement globally. Anti Viruses companies each have a chosen name for this, but for operational reasons as well as simplicity we choose BlackWorm. This is what we submit for CME. A CME entry should hopefully be created shortly. Buttom line: 1. Update anti viruses urgently. 2. See Snort signatures below. A special SANS Diary page should be setup soon to process information for Snort signatures for this as we refine them: http://isc.sans.org/blackworm (Current Snort sigs are at the footer of this email message) General information and updates will be found also at: http://blogs.securiteam.com Actual information and background: This worm will destroy certain data files on an infected user's machine. So far about 700K users have been infected. We know this because of a counter which the malware author made use of. That machine is nothing but a counter and there is no reason at this time to blackhole it, as it would harm our attempts to respond to this incident. We are however coordinating a possible action of this sort with the right people if that becomes necessary. We believe the counter to be real and the number of infected users to be mostly accurate. We are working with law enforcement and the ISP to get a list of infected IP's so that we can inform the respected ISP's of the possibly infected users in their net-space. DDay is February 3rd (i.e. that is when the worm becomes destructive). However effective or ineffective this may be, we urge users to update their anti viruses as soon as possible and scan their computers and/or networks. This risk may turn out to be nothing and whatever happens, the Internet is NOT going to die. We would however rather attempt to prevent this DDay on February 3rd regardless. Further, Joe Stewart (jstewart@lurhq.com) has come up with the Snort signatures below to help detect infected users in your net-space. False positives should be reported to him. It should be noted that the worm connects to the counter only once on connection, however it keeps trying to DDoS Microsoft. Both these methods can be used to track down the infected users at risk. These signatures and this alert should soon also be on BleedingSnort and the SANS Diary, as well as come from different CERTs. Snort SIgnatures: 1. This sig alerts if someone visits any counter at webstats.web.rcn.net without a Referrer: header in their URL. Could be an infected user, could be one of us checking out the counter stats: alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection)"; content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|"; content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; classtype:misc-activity; sid:1000376; rev:1;) 2. This sig alerts on the specific pattern BlackWorm uses to test connectivity to www.microsoft.com. It's unique in that the request doesn't have a User-agent: header. So this will catch BlackWorm and possibly other automated requests to microsoft (which could happen if someone codes a sloppy app that uses the exact same pattern - but they should probably be flogged anyway) alert tcp any any -> any 80 (msg:"Agentless HTTP request to www.microsoft.com (possible BlackWorm infection)"; dsize:92; content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a| Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|"; classtype:misc-activity; sid:1000377; rev:1;) Thanks, we will update further as information becomes available, if necessary. Good luck, Gadi.
participants (1)
-
Gadi Evron