Urgent Alert: Possible BlackWorm DDay February 3rd (Snort signatures included)

Tue Jan 24 16:16:45 UTC 2006

Hello.

This is an urgent alert released by the cooperative efforts of the MWP /
DA groups that also worked on the hurricane Rita scams. This task force is
now known as the TISF BlackWorm task force.
This task force involves many in the security (anti spam, CERTs, anti
virus, academia, ISP's, etc.) community and industry, working together to
combat threats to the security of the Internet in cooperation with law enforcement globally.

Anti Viruses companies each have a chosen name for this, but for
operational reasons as well as simplicity we choose BlackWorm. This is
what we submit for CME. A CME entry should hopefully be created shortly.

Buttom line:
1. Update anti viruses urgently.
2. See Snort signatures below.

A special SANS Diary page should be setup soon to process information for
Snort signatures for this as we refine them:
http://isc.sans.org/blackworm
(Current Snort sigs are at the footer of this email message)

General information and updates will be found also at:
http://blogs.securiteam.com

Actual information and background:

This worm will destroy certain data files on an infected user's
machine. So far about 700K users have been infected. We know this because
of a counter which the malware author made use of.
That machine is nothing but a counter and there is no reason at this time
to blackhole it, as it would harm our attempts to respond to this
incident.
We are however coordinating a possible action of this sort with the right
people if that becomes necessary.

We believe the counter to be real and the number of infected users to be
mostly accurate.

We are working with law enforcement and the ISP to get a list of infected
IP's so that we can inform the respected ISP's of the possibly infected
users in their net-space.

DDay is February 3rd (i.e. that is when the worm becomes destructive).

However effective or ineffective this may be, we urge users to update
their anti viruses as soon as possible and scan their computers and/or
networks.

This risk may turn out to be nothing and whatever happens, the Internet is
NOT going to die. We would however rather attempt to prevent this DDay on
February 3rd regardless.

Further, Joe Stewart (jstewart at lurhq.com) has come up with the Snort
signatures below to help detect infected users in your net-space. False
positives should be reported to him.

It should be noted that the worm connects to the counter only once on
connection, however it keeps trying to DDoS Microsoft. Both these methods
can be used to track down the infected users at risk.

These signatures and this alert should soon also be on BleedingSnort and
the SANS Diary, as well as come from different CERTs.

Snort SIgnatures:

1. This sig alerts if someone visits any counter at webstats.web.rcn.net
without a Referrer: header in their URL. Could be an infected user,
could be one of us checking out the counter stats:

alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request
without referrer (possible BlackWorm infection)";
content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|";
content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|";
classtype:misc-activity; sid:1000376; rev:1;)

2. This sig alerts on the specific pattern BlackWorm uses to test
connectivity to www.microsoft.com. It's unique in that the request
doesn't have a User-agent: header. So this will catch BlackWorm and
possibly other automated requests to microsoft (which could happen if
someone codes a sloppy app that uses the exact same pattern - but they
should probably be flogged anyway)

alert tcp any any -> any 80 (msg:"Agentless HTTP request to
www.microsoft.com (possible BlackWorm infection)"; dsize:92;
content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|
Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|";
classtype:misc-activity; sid:1000377; rev:1;)

Thanks, we will update further as information becomes available, if
necessary.

Good luck,

	Gadi.