SANS ISC InfoSec Forums
Preparing for Feb 3rd (CME-24)

We received a lot of suggestions about measures against CME-24; in other words,
how to prepare for Feb 3rd regardless of what the anti-virus does.

What follows below is a compiled list of those suggestions. Some were tested, some were not.

Update:

Javier Romero sent a link to a Spanish article on CME-24 detection:
"How to detect the CME-24 Kamasutra / Nyxgen / MyWife / Blackworm virus before 3 February"
(original title: "Cómo detectar el virus CME-24 Kamasutra /Nyxgen / MyWife / Blackworm antes del 3 febrero")


- The rule below, written by Per Kristian Johnsen of Telenor Security Center,
is said to detect attempts to copy WINZIP_TMP.exe to shares. According to the author,
they have been able to detect infected machines with it where the already published
Snort/Sourcefire rule could not:

alert tcp any any -> any 135:139 (msg:"Nyxem attempting to copy WINZIP_TMP.exe to shares"; flow:to_server,established; content:"|57 00 49 00 4e 00 5a 00 49 00 50 00 5f 00 54 00 4d 00 50 00 2e 00 65 00 78 00 65|"; reference:url,www.lurhq.com/blackworm.html; classtype:trojan-activity; sid:5000173; rev:1;)

- Another user used SMS (Microsoft Systems Management Server) to scan drives for files with a size of 95,690 bytes and the following names:

%Windir%\Rundll16.exe
%System%\scanregw.exe
%System%\Winzip.exe
%System%\Update.exe
%System%\WINZIP_TMP.EXE
%System%\SAMPLE.ZIP
%System%\New WinZip File.exe
movies.exe
Zipped Files.exe


- A security Dweeb at a large California municipal government agency wrote a batch script that:

"1) looks for the existence of the infected file names
in %windir% and %sysdir% using simple DIR /B commands. Output is sent to
a uniquely named text file (with a non-standard extension). Infected
workstations will show a non-zero file size. The batch file is below; it uses
environment vars that are unique to the user and computer name.
2) The batch file will be placed in the login script for all
computers.
3) Ensure that verified backups are completed tonight (Wed).

Batch file:
@echo off
REM Each DIR /B that finds a file appends its name to the per-user, per-computer report.
REM A missing file prints nothing to stdout, so an empty .rgh file means "clean".
dir /b %WinDir%\system\Winzip.exe >> %username%_%computername%.rgh
dir /b %WinDir%\system\Update.exe >> %username%_%computername%.rgh
dir /b %WinDir%\system\scanregw.exe >> %username%_%computername%.rgh
dir /b %WinDir%\Rundll16.exe >> %username%_%computername%.rgh
dir /b %WinDir%\winzip_tmp.exe >> %username%_%computername%.rgh
dir /b c:\winzip_tmp.exe >> %username%_%computername%.rgh
dir /b %Temp%\word.zip                                        .exe >> %username%_%computername%.rgh

Although dangerous, we think we have a very low chance of a problem.
According to LURHQ, there are only 15K computers in the US that have
contacted the "counter" site. And we have other protections in place
(blocking of all executables in mail attachments, current anti-virus
updates, etc.)"

Update: Another user suggested quoting the path in the last line of the script above, since the file name contains spaces, as shown below:
dir /b "%Temp%\word.zip                                        .exe" >> %username%_%computername%.rgh
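As an added example for both the SMS file scan and the batch script above (this is not the diary's code nor any reader's submission), here is a Python stand-in that walks a directory tree for the reported file names, flags those whose size is exactly 95,690 bytes, and writes a per-user, per-host report named like the batch file's. Because Python passes each path as a single string, the Temp-folder name with embedded spaces needs no shell quoting. The default Windows scan roots and the 40-space count in that name are assumptions; the `make_constructed_sample` helper builds harmless placeholder files for a dry run.

```python
"""Added example: scan a tree for the CME-24 file names and size, write a report.

Name comparison is case-insensitive because NTFS/FAT are. A name hit whose size
differs from 95,690 bytes is still reported (marked 'size-differs') so an
analyst can look at it rather than have it silently dropped.
"""
import os
import socket
import tempfile
from pathlib import Path

WORM_FILE_SIZE = 95_690  # byte size reported for the dropped copies

# Names from the lists above, lower-cased for comparison. The last entry is the
# Temp-folder name with a long run of spaces before the extension; 40 spaces is
# an assumption taken from the listing as rendered, so verify against a sample.
WORM_FILE_NAMES = {
    "rundll16.exe",
    "scanregw.exe",
    "winzip.exe",
    "update.exe",
    "winzip_tmp.exe",
    "sample.zip",
    "new winzip file.exe",
    "movies.exe",
    "zipped files.exe",
    "word.zip" + " " * 40 + ".exe",
}


def default_scan_roots():
    """Roots the batch script checks on Windows: %WinDir%, its system dir, %Temp%, C:\\ (assumed)."""
    windir = os.environ.get("WinDir", r"C:\Windows")
    temp = os.environ.get("Temp", r"C:\Temp")
    return [windir, os.path.join(windir, "system32"), temp, "C:\\"]


def scan_tree(root, size_check=True):
    """Return (path, size, size_matches) for every file whose name is on the list.

    With size_check=False every name hit counts as a match regardless of size.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower() in WORM_FILE_NAMES:
                path = os.path.join(dirpath, fname)
                try:
                    size = os.path.getsize(path)
                except OSError:
                    continue  # unreadable or vanished between listing and stat
                hits.append((path, size, (not size_check) or size == WORM_FILE_SIZE))
    return hits


def write_report(hits, out_dir):
    """Write hits to <user>_<host>.rgh in out_dir, mirroring the batch script's naming.

    Returns the report path; an empty file means no suspect names were found.
    """
    user = os.environ.get("USERNAME") or os.environ.get("USER", "unknown")
    host = os.environ.get("COMPUTERNAME") or socket.gethostname()
    report = Path(out_dir) / f"{user}_{host}.rgh"
    with report.open("w") as fh:
        for path, size, size_ok in hits:
            fh.write(f"{path}\t{size}\t{'SIZE-MATCH' if size_ok else 'size-differs'}\n")
    return report


def make_constructed_sample():
    """Build a constructed directory of harmless zero-filled placeholder files (not malware):
    one name hit of the right size, one name hit of the wrong size, one unrelated file."""
    root = tempfile.mkdtemp(prefix="cme24_demo_")
    os.makedirs(os.path.join(root, "sub"))
    with open(os.path.join(root, "WINZIP_TMP.EXE"), "wb") as fh:
        fh.write(b"\0" * WORM_FILE_SIZE)
    with open(os.path.join(root, "sub", "Update.exe"), "wb") as fh:
        fh.write(b"\0" * 10)
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"\0")
    return root


if __name__ == "__main__":
    import sys
    roots = sys.argv[1:] or default_scan_roots()
    all_hits = [h for r in roots if os.path.isdir(r) for h in scan_tree(r)]
    rpt = write_report(all_hits, os.getcwd())
    print(f"{len(all_hits)} suspect file(s); report written to {rpt}")
```

Run it with one or more directories as arguments (or with none on a Windows host to use the assumed roots); a non-empty .rgh file is the same "look here" signal the batch script produces, with the size column telling you whether the hit is the expected 95,690-byte copy.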

-----------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org )