Common Worms/Viruses
This is just a quick list of worms/viruses that have plagued mankind over the last year or so. I have tried to include the most bothersome ones such as Code Red as well as the more interesting or novel worms. Common behaviors include means of transmission, victim selection methods, and social engineering techniques.
Organization
These have been loosely categorized as the following:
Windows Worms - Require NO human interaction to spread.
UNIX/Linux Worms - Same as above.
Email/WWW/Shares/IRC - Require some human interaction - open attachment, view mail, execute program, etc.
Then, within each category they have been further divided into:
Novel or Otherwise Important - Either it is the first of its kind, does something new, or gained a lot of attention for some other reason.
Copiers of Less Consequence - Nothing new, but included for the sake of completeness.
Links to more worm information
CERT
F-Secure - Their virus section has information relating to both worms and viruses.
Most Recent Worms
Klez - January 2002
Sharpei - Feb. 2002: Attacks .NET architecture
Donut - Jan. 2002: "First" to attack .NET architecture
Windows Worms
Novel or Otherwise Important:
Nimda Worm
Code Red v1
Code Red II
sadmind/IIS Worm (Windows/Solaris)
Copiers of Less Consequence:
UNIX/Linux Worms
Novel or Otherwise Important:
Adore Worm
BIND vulnerabilities
Lion Worm
Cheese Worm
Ramen toolkit
Copiers of Less Consequence:
Email/WWW/Shares/IRC (viruses)
Novel or Otherwise Important:
Melissa Macro Virus
Love Letter
W32/Sircam Malicious Code
W32/BadTrans Worm
W32/Goner Worm
Copiers of Less Consequence:
VBS/OnTheFly (Anna Kournikova) Malicious Code
Others that we might want to look at:
CIH Chernobyl
Happy 99
Worm.ExploreZip
Bubbleboy
The Love Bug or I LOVE YOU
Snort Signatures
Code Red v1
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:2;)
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1242; rev:2;)
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq attempt"; uricontent:".idq?"; nocase; dsize:>239; flags:A+; reference:arachnids,553; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1244; rev:2;)
web-iis.rules:alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .idq access"; uricontent:".idq"; nocase; flags:A+; reference:arachnids,553; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1245; rev:2;)
Note that these rules over-generalize (any request for an .ida or .idq URL trips the "access" rules, whatever its intent), so admins end up inserting large numbers of exempt or exception rules to reduce false alarms.
Code Red v2
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:3;)
This rule is rather targeted, but is easily thwarted by using a polymorphic script name instead of root.exe.
Nimda Worm
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; content:"|00|E|00|M|00|L"; flags:A+; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; content:"|00|N|00|W|00|S"; flags:A+; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1294; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; flags:A+; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1295; rev:2;)
Here are signatures for three of the Nimda infection vectors (email, web, and file shares).
Ramen toolkit
alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen worm incoming"; flags: A+; content: "GET "; depth: 8; nocase;reference:arachnids,460; classtype:bad-unknown; sid:506; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm outgoing"; flags: A+; content: "GET "; depth: 8; nocase;reference:arachnids,461;classtype:bad-unknown; sid:514; rev:1;)
Nothing special here, just look for communication on a specific port doing CGI GET requests. Two rules are needed to cover both incoming and outgoing attacks.
sadmind/IIS Worm
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC sadmind worm access"; flags:A+; content:"GET x HTTP/1.0"; offset:0; depth:15; classtype:attempted-recon; reference:url,www.cert.org/advisories/CA-2001-11.html; sid:1375; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request sadmind"; content:"|01 87 88 00 00|";offset:40;depth:8; reference:arachnids,20; classtype:rpc-portmap-decode; flags:A+; sid:1272; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request sadmind"; content:"|01 87 88 00 00|";offset:40;depth:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:2;)
Rules for both the sadmind worm and its RPC infection mechanisms. The RPC signatures look for part of the shellcode in the buffer overflow. The IIS signature just looks at "GET x HTTP/1.0" web server requests.
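To make the Code Red rules and the sadmind IIS rule concrete, here is an added example (my own code, not Snort's and not part of the original page) that parses the option part of those four rules and evaluates them over a few constructed HTTP requests. It shows why the ".ida access" rule fires on any Index Server query while the ".ida attempt" rule additionally needs a dsize over 239, and how the sadmind rule's offset/depth pin "GET x HTTP/1.0" to the start of the payload. Only the option keywords the page's rules use are implemented (msg, sid, content, uricontent, nocase, offset, depth, dsize); the rule header, flags, reference and classtype are skipped, and every sample request is constructed for the demo rather than captured.

```python
"""Tiny evaluator for the Snort rule options used on this page (added example,
not Snort's own code). It understands only msg, sid, content, uricontent, nocase,
offset, depth and dsize; the rule header and options such as flags, reference
and classtype are skipped, so this illustrates payload matching, not a packet
engine. The sample requests at the bottom are constructed for the demo."""
import re

_HEX = re.compile(r"\|([0-9A-Fa-f ]+)\|")

def unquote(val: str) -> str:
    """Strip the quotes around a rule option value and undo Snort's escapes."""
    val = val.strip()
    if len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1]
    return val.replace('\\"', '"').replace("\\;", ";").replace("\\\\", "\\")

def decode_content(text: str) -> bytes:
    """Turn a content string such as 'R|00|I|00|C' into the raw bytes matched."""
    out, pos = bytearray(), 0
    for m in _HEX.finditer(text):
        out += text[pos:m.start()].encode("latin-1") + bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    return bytes(out + text[pos:].encode("latin-1"))

def parse_rule(rule: str) -> dict:
    """Extract msg, sid, dsize and the ordered content/uricontent tests."""
    body = rule.partition("(")[2].strip().rstrip(")")
    parsed = {"msg": "", "sid": None, "dsize": None, "matches": []}
    for opt in re.split(r"(?<!\\);", body):
        key, _, val = opt.strip().partition(":")
        key, val = key.strip(), val.strip()
        if key in ("content", "uricontent"):
            parsed["matches"].append({"kind": key, "pattern": decode_content(unquote(val)),
                                      "nocase": False, "offset": 0, "depth": None})
        elif key in ("nocase", "offset", "depth"):   # modifiers bind to the preceding content
            parsed["matches"][-1][key] = True if key == "nocase" else int(val)
        elif key in ("msg", "sid", "dsize"):
            parsed[key] = int(val) if key == "sid" else unquote(val)
    return parsed

def _dsize_ok(spec: str, size: int) -> bool:
    """Supports the '>N', '<N' and exact forms of dsize."""
    op, num = (spec[0], int(spec[1:])) if spec[0] in "<>" else ("=", int(spec))
    return size > num if op == ">" else size < num if op == "<" else size == num

def _request_uri(payload: bytes):
    """URI from an HTTP request line, or None when the payload is not HTTP."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 3 and parts[0].isalpha() else None

def rule_matches(rule: dict, payload: bytes) -> bool:
    """Every content test (and dsize, if given) must hold, as in Snort."""
    if rule["dsize"] and not _dsize_ok(rule["dsize"], len(payload)):
        return False
    uri = _request_uri(payload)
    for m in rule["matches"]:
        hay = uri if m["kind"] == "uricontent" else payload
        if hay is None:
            return False
        end = None if m["depth"] is None else m["offset"] + m["depth"]
        window, pat = hay[m["offset"]:end], m["pattern"]
        if not ((pat.lower() in window.lower()) if m["nocase"] else (pat in window)):
            return False
    return True

def scan(rules, payload: bytes) -> list:
    """sids of every rule that fires on the payload."""
    return [r["sid"] for r in rules if rule_matches(r, payload)]

# Rules copied from this page: Code Red v1 .ida pair, Code Red v2 root.exe, sadmind IIS probe.
RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida attempt"; uricontent:".ida?"; nocase; dsize:>239; flags:A+; reference:arachnids,552; classtype:web-application-attack; reference:cve,CAN-2000-0071; sid:1243; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .ida access"; uricontent:".ida"; nocase; flags:A+; reference:arachnids,552; classtype:web-application-activity; reference:cve,CAN-2000-0071; sid:1242; rev:2;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS CodeRed v2 root.exe access"; flags: A+; uricontent:"scripts/root.exe?"; nocase; classtype:web-application-attack; reference:url,www.cert.org/advisories/CA-2001-19.html; sid:1256; rev:3;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC sadmind worm access"; flags:A+; content:"GET x HTTP/1.0"; offset:0; depth:15; classtype:attempted-recon; reference:url,www.cert.org/advisories/CA-2001-11.html; sid:1375; rev:2;)',
)]

# Constructed sample requests, not captures. The .ida "attempt" rule also needs dsize > 239.
CODE_RED_PROBE = b"GET /default.ida?" + b"N" * 240 + b" HTTP/1.0\r\n\r\n"
LEGIT_IDA = b"GET /search.ida?q=snort HTTP/1.0\r\nHost: intranet\r\n\r\n"  # benign Index Server query
ROOT_EXE_REQ = b"GET /scripts/root.exe?x HTTP/1.0\r\n\r\n"
SADMIND_REQ = b"GET x HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for label, pkt in (("Code Red probe", CODE_RED_PROBE), ("benign .ida query", LEGIT_IDA),
                       ("root.exe access", ROOT_EXE_REQ), ("sadmind IIS probe", SADMIND_REQ)):
        print(f"{label:18s} -> sids {scan(RULES, pkt)}")
```

Running it prints the sids that fire for each request: the long .ida probe trips both 1243 and 1242, the short benign Index Server query trips only the "access" rule 1242, and the root.exe and "GET x" requests trip 1256 and 1375 respectively. Note that in Snort itself each content/uricontent test is independent unless distance or within are used, which is why the loop simply requires all of them to hold.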
BIND vulnerabilities
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig overflow attempt"; flags:A+; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; reference:cve,CVE-2001-0010; reference:bugtraq,2302; reference:arachnids,482; classtype:attempted-admin; sid:303; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|/bin/sh"; classtype:attempted-admin; sid:314; rev:5; reference:cve,CVE-2001-0010; reference:bugtraq,2302;)
Again, these attempt to match known shellcode used to exploit the BIND service.
Love Letter
W32/Sircam Malicious Code
VBS/OnTheFly (Anna Kournikova) Malicious Code
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - txt.vbs file"; content: "filename="; content:".txt.vbs"; nocase; sid:795; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; content: "filename="; content:".xls.vbs"; nocase; sid:796; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; content: "filename="; content:".jpg.vbs"; nocase; sid:797; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - gif.vbs file"; content: "filename="; content:".gif.vbs"; nocase; sid:798; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; content: "filename=\"TIMOFONICA.TXT.vbs\""; nocase; reference:MCAFEE,98674; sid:799; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; content: "filename=\"NORMAL.DOT\""; nocase; reference:MCAFEE,98661; sid:800; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; content: "filename="; content:".doc.vbs"; nocase; sid:801; classtype:misc-activity; rev:3;)
alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; content: "filename=\"tune.vbs\""; nocase; reference:MCAFEE,10497; sid:740; classtype:misc-activity; rev:3;)
Outlook hides known file extensions (unless disabled), so this has become a common way to trick the user into opening an infected message. The above signatures attempt to detect the transmission of such mass-mailer worms.
W32/Goner Worm
alert tcp any 110 -> any any (msg:"Virus - Possible scr Worm"; content: ".scr"; nocase; sid:729; classtype:misc-activity; rev:3;)
Looks for transmission of MS screensaver files (.scr).
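As an added example (not from the original page and not Snort), the check below does in Python's standard email package what the POP3 signatures above do at the byte level for both the double-extension trick and the .scr screensaver attachments: it parses the MIME structure, takes the decoded attachment filename, and classifies it. The extension lists and the sample message are constructed assumptions. One of the sample attachments has its filename RFC 2231 encoded, which a raw "filename=" string match would not see but the parsed name does, so this is the kind of check a mail gateway would run alongside the wire signatures.

```python
"""Flag e-mail attachments that use the hidden-extension trick described above.

Added example, not part of the original page and not Snort. Where the page's
POP3 signatures look for the raw string 'filename=' followed by '.txt.vbs' and
friends, this parses the MIME structure with Python's standard email package and
inspects the decoded attachment name, so an RFC 2231 encoded filename is judged
by what the mail client will actually show. The extension sets and the sample
message below are constructed for the demo (assumptions, not from the page)."""
import email

# Final extensions that run code when opened (assumed list; .vbs and .scr are the
# ones the page's signatures cover).
EXECUTABLE_EXTS = {"vbs", "scr", "exe", "pif", "bat", "com"}
# Document-looking extensions the page's signatures pair with .vbs.
DOCUMENT_EXTS = {"txt", "xls", "jpg", "gif", "doc"}

def classify(filename: str):
    """'disguised-executable' for name.doc.vbs style, 'executable' for any other
    executable attachment, None for everything else."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTS:
        return None
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTS:
        return "disguised-executable"
    return "executable"

def attachment_names(raw: bytes) -> list:
    """Decoded filenames of every MIME part that carries one."""
    msg = email.message_from_bytes(raw)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]

def suspicious_attachments(raw: bytes) -> list:
    """(filename, verdict) pairs for attachments worth quarantining."""
    return [(fn, classify(fn)) for fn in attachment_names(raw) if classify(fn)]

# Constructed message: three attachments, the last with its name RFC 2231 encoded
# so a byte-level 'filename=...gif.scr' match would never see it.
SAMPLE_MAIL = b"""From: alice@example.invalid
To: bob@example.invalid
Subject: Here you have
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="photo.jpg.vbs"
Content-Disposition: attachment; filename="photo.jpg.vbs"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="quarterly.doc"
Content-Transfer-Encoding: base64

AAAA
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=utf-8''holiday%2Egif%2Escr
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

if __name__ == "__main__":
    for name, verdict in suspicious_attachments(SAMPLE_MAIL):
        print(f"{verdict:22s} {name}")
```

On the sample message the two double-extension attachments are reported as disguised executables and the .doc is left alone. Classifying by the parsed name rather than by a fixed list of "filename=.txt.vbs" strings also covers pairings the page's signatures do not list individually, such as .gif.scr.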
Addam Schroll Last modified: Mon Feb 25 17:33:27 EST 2002