Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)

hello.

this is an urgent alert released by the cooperative efforts of the mwp /
da groups that also worked on the hurricane rita scams. this task force is
now known as the tisf blackworm task force.
this task force involves many in the security (anti spam, certs, anti
virus, academia, isp’s, etc.) community and industry, working together to
combat threats to the security of the internet in cooperation with law enforcement globally.

anti virus companies each have a chosen name for this, but for
operational reasons as well as simplicity we choose blackworm. this is
what we submit for cme. a cme entry should hopefully be created shortly.

bottom line:
1. update anti viruses urgently.
2. see snort signatures below.

a special sans diary page should be setup soon to process information for
snort signatures for this as we refine them:
http://isc.sans.org/blackworm
(current snort sigs are at the footer of this email message)

general information and updates will be found also at:
http://blogs.securiteam.com

actual information and background:

this worm will destroy certain data files on an infected user’s
machine. so far about 700k users have been infected. we know this because
of a counter which the malware author made use of.
that machine is nothing but a counter and there is no reason at this time
to blackhole it, as it would harm our attempts to respond to this
incident.
we are however coordinating a possible action of this sort with the right
people if that becomes necessary.

we believe the counter to be real and the number of infected users to be
mostly accurate.

we are working with law enforcement and the isp to get a list of infected
ip’s so that we can inform the respected isp’s of the possibly infected
users in their net-space.

dday is february 3rd (i.e. that is when the worm becomes destructive).

however effective or ineffective this may be, we urge users to update
their anti viruses as soon as possible and scan their computers and/or
networks.

this risk may turn out to be nothing and whatever happens, the internet is
not going to die. we would however rather attempt to prevent this dday on
february 3rd regardless.

further, joe stewart (jstewart at lurhq.com) has come up with the snort
signatures below to help detect infected users in your net-space. false
positives should be reported to him.

it should be noted that the worm connects to the counter only once on
connection, however it keeps trying to ddos microsoft. both these methods
can be used to track down the infected users at risk.

these signatures and this alert should soon also be on bleedingsnort and
the sans diary, as well as come from different certs.

snort signatures:

1. this sig alerts if someone visits any counter at webstats.web.rcn.net
without a Referer: header in their request. could be an infected user,
could be one of us checking out the counter stats:

alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request without referrer (possible blackworm infection)"; \
content:"GET /cgi-bin/count.cgi|3f|"; nocase; depth:23; content:"df|3d|"; \
content:"Host|3a 20|webstats.web.rcn.net"; nocase; content:!"Referer|3a|"; nocase; \
classtype:misc-activity; sid:1000376; rev:1;)

2. this sig alerts on the specific pattern blackworm uses to test
connectivity to www.microsoft.com. it’s unique in that the request
doesn’t have a user-agent: header. so this will catch blackworm and
possibly other automated requests to microsoft (which could happen if
someone codes a sloppy app that uses the exact same pattern – but they
should probably be flogged anyway)

alert tcp any any -> any 80 (msg:"agentless http request to www.microsoft.com (possible blackworm infection)"; dsize:92; \
content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|"; nocase; \
classtype:misc-activity; sid:1000377; rev:1;)
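As an added example (not part of the original alert and not Joe Stewart's code), the matching logic of both signatures re-implemented in Python and run over constructed HTTP request payloads, so the conditions can be checked offline; the df= value and the browser-style requests are made up.

```python
# Added example, not code from the original alert: a re-implementation of the
# matching logic of sid:1000376 and sid:1000377 over constructed payloads.

# Constructed sample payloads (not real captures); the df= value is invented.
COUNTER_HIT_NO_REFERER = (
    b"GET /cgi-bin/count.cgi?df=example.dat HTTP/1.1\r\n"
    b"Host: webstats.web.rcn.net\r\n\r\n"
)
COUNTER_HIT_BROWSER = (
    b"GET /cgi-bin/count.cgi?df=example.dat HTTP/1.1\r\n"
    b"Host: webstats.web.rcn.net\r\n"
    b"Referer: http://www.example.com/stats.html\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)
MS_PROBE_WORM = (
    b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n"
    b"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
)
# Also exactly 92 bytes, so dsize:92 alone would not separate it from the worm.
MS_PROBE_BROWSER = (
    b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n"
    b"User-Agent: Mozilla/5.0\r\nConnection: Keep-Alive\r\n\r\n"
)


def sid_1000376(payload: bytes) -> bool:
    """count.cgi request to webstats.web.rcn.net carrying no Referer header.
    Snort content matches are case-sensitive unless 'nocase' is set; HTTP
    header names are case-insensitive, so compare lower-cased bytes."""
    p = payload.lower()
    return (p.startswith(b"get /cgi-bin/count.cgi?")      # content + depth:23
            and b"df=" in p                               # content:"df|3d|"
            and b"host: webstats.web.rcn.net" in p        # Host|3a 20|...
            and b"referer:" not in p)                     # content:!"Referer|3a|"


def sid_1000377(payload: bytes) -> bool:
    """Exact 92-byte agentless GET / to www.microsoft.com (dsize:92 + body)."""
    expected = (b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n"
                b"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n")
    return len(payload) == 92 and payload.lower() == expected.lower()


def scan(payload: bytes) -> list[int]:
    """Return the sids that would fire on one TCP payload bound for port 80."""
    return [sid for sid, rule in ((1000376, sid_1000376), (1000377, sid_1000377))
            if rule(payload)]


if __name__ == "__main__":
    for name, p in [("counter, no referer", COUNTER_HIT_NO_REFERER),
                    ("counter, browser", COUNTER_HIT_BROWSER),
                    ("ms probe, worm", MS_PROBE_WORM),
                    ("ms probe, browser", MS_PROBE_BROWSER)]:
        print(f"{name:22s} len={len(p):3d} sids={scan(p)}")
```

The first rule, as the alert notes, also fires on a researcher fetching the counter stats by hand without a Referer; the second only fires on the byte-exact 92-byte request.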

thanks, we will update further as information becomes available, if
necessary.

good luck,

gadi evron,
ge@beyondsecurity.com.

  • http://www.bleedingsnort.com Matt Jonkman

    Current iteration, slight tweaks.

    BleedingSnort.

  • http://aviv.raffon.net Aviv Raff

    I will not take for granted the number in the counter as a representative of the real number of ppl who are infected.
    Someone can easily increase the number in the counter, as it doesn’t check for multiple requests from the same IP address.

  • joe doe

    Additional details on the worm (technical) can be found at:
    http://blogs.securiteam.com/index.php/archives/229 and http://www.f-secure.com/v-descs/nyxem_e.shtml

  • sunshine

    The counter numbers may not be 100% accurate as we explained, but hundreds of thousands will be affected as things stand right now.

    We’ve been following that counter and no tampering beyond disconnecting users reporting twice and/or some of us researchers seem to have added to that number. It’s been growing steadily.

    We hope that enough will happen to make this a “nothing”, but people should update their anti viruses for whatever this will help with diminishing the number of affected users.

  • sunshine

    CME number is now available:
    Say hello to CME-24!

    That should help solve the naming confusion.

    Should be on cme.mitre.org shortly.

  • Pingback: Waterloo Systems

  • http://www.soultalkstories.com Roger King

    What anti virus programmes would you suggest?
    Thanks
    Roger King

  • sunshine

    Any current anti virus should be okay, most of them handle this worm now.

  • Pingback: HCS’s and Gen’s Place » Blog Archive » Blckworm Virus Contains a Timebomb

  • Pingback: Bailradio.Net » Virus Warning!!!

  • http://www.acert.1stiocmd.army.mil Michael Miller

    I work for the Army Computer Response Team and I have been tasked to try to get a listing of the ip’s that are being sent to the counter. We are trying to get a handle on a mitigation strategy to combat this and clean any Army systems that are infected. I read the SANS article (http://isc.sans.org/diary.php?storyid=1067) that had your blog link.

    CNO ACERT TOC ( Mike )

    COMPUTER NETWORK OPERATIONS
    ARMY COMPUTER EMERGENCY RESPONSE TEAM
    TACTICAL OPERATIONS CENTER
    The CNO ACERT TOC can be contacted:
    Via phone at 1-888-203-6332, 703-706-1113, 703-806-1035, DSN 235-1113
    Via secure phone at 1-888-203-6332, 703-706-1113, DSN 235-1113
    Via nonsecure fax at 703-806-1152, DSN 656-1152
    Via secure fax at 703-806-1004, DSN 656-1004
    Via NSTS Phone at 964-7680/7679
    Via Secure ISDN at 703-706-2291/2292
    Via NIPRNET at army.virus@mi.army.mil
    VIA SIPRNET at acert_virus_team@1stiocmd.army.smil.mil
    NIPRNET Website: https://www.acert.1stiocmd.army.mil
    SIPRNET Website: http://www.acert.army.smil.mil
    PGP Key available from the ACERT Website

  • sunshine

    There is a users’ FAQ posted here:
    http://blogs.securiteam.com/?p=260

  • Pingback: HCS's and Gen's Place