-
January 27th, 2004, 06:56 PM
#1
Snort Sig for Novarg
I disassembled all the files of the Novarg virus and I managed to put a Snort rule together that can identify the virus:
alert tcp any any -> any any (msg:"Virus - Novarg"; content:"|26 6a 6f 65 3f 6e 65 6f 2f|"; sid:31337; classtype:misc-activity; rev:1; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
January 27th, 2004, 07:12 PM
#2
You beat me to it! 
Way to go, and thanks for saving me some work.
Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.
-
January 27th, 2004, 08:23 PM
#3
Well, one thing I forgot to mention is that I developed this rule for getting my mail over HTTP; really, if you have a mail server you need something MIME encoded, so here is part 2:
alert tcp any any -> any 25 (msg:"Virus - Novarg"; content:"JmpvZT9uZW8v"; sid:31338; classtype:misc-activity; rev:1; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
Now I don't think I've covered every variation because I hear that they are all a little different, but so far it's tested and works on emails with the subject "hi" or "test" that contain document.zip, body.zip, file.zip, doc.zip, and all of these in their unzipped format.
I am going to continue hacking this program up today, and if I find anything different or new I'll post here.
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
January 27th, 2004, 08:29 PM
#4
I pasted a link to this thread in the W32.Novarg main thread so folks can get the rules from either.
Keep up the good work!
-
January 27th, 2004, 10:39 PM
#5
OK, this should be a complete list. It covers the file transferring in the norm and it also covers the MIME encoding.
The MIME encoding had thrown me off because the virus is not identical and the 3 bytes -> 4 6-bit numbers -> Base64 ASCII threw me off, but this is a complete list and should cover any variations. If anyone gets any false positives or false negatives, please let me know.
alert tcp any any -> any any (msg:"Virus - Novarg"; content:"|26 6a 6f 65 3f 6e 65 6f 2f|"; sid:31337; classtype:misc-activity; rev:1; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
alert tcp any any -> any 25 (msg:"Virus - Novarg(1)"; content:"JmpvZT9uZW8v";content:"b2xk"; sid:31338; classtype:misc-activity; rev:1; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
alert tcp any any -> any 25 (msg:"Virus - Novarg(2)"; content:"am9lP25l"; content:"bGQt"; sid:31339; classtype:misc-activity; rev:1; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
alert tcp any any -> any 25 (msg:"Virus - Novarg(3)"; content:"b2U/bmVv"; content:"ZC1Q"; sid:31340; classtype:misc-activity; rev:1; reference:url,www.cert.org/incident_notes/IN-2004-01.html;)
That which does not kill me makes me stronger -- Friedrich Nietzsche
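The three MIME rules above exist because Base64 encodes the stream in 3-byte groups, so the same plaintext produces one of three different ASCII strings depending on where it falls relative to a group boundary. The script below is an added example (not the poster's code) that reproduces those three variants from the raw pattern in sid 31337 (|26 6a 6f 65 3f 6e 65 6f 2f|, which is the ASCII string &joe?neo/), and shows that a Base64-encoded message matches exactly one of them depending on how many bytes precede the pattern. Decoding the second content: string of each rule (b2xk, bGQt, ZC1Q) gives old, ld-, d-P, i.e. the same three alignments of the five bytes old-P; that plaintext is recovered here by decoding, the page itself never states it. The filler bytes used to simulate unknown preceding data and the sample message bodies are constructed for the example.

```python
import base64

# Raw pattern from sid 31337: |26 6a 6f 65 3f 6e 65 6f 2f| == b"&joe?neo/"
NOVARG_PATTERN = bytes.fromhex("266a6f653f6e656f2f")

# Second content: strings from sids 31338-31340, decoded back to plaintext
# by decode_rule_fragment(); together they are the three alignments of b"old-P".
SECOND_PATTERN = b"old-P"

# content: strings as posted in the three SMTP rules
RULE_CONTENTS = {
    31338: ("JmpvZT9uZW8v", "b2xk"),
    31339: ("am9lP25l", "bGQt"),
    31340: ("b2U/bmVv", "ZC1Q"),
}


def base64_alignments(pattern: bytes) -> list[str]:
    """Return the Base64 text that `pattern` produces at each of the three
    possible 3-byte phases (shift 0, 1, 2 bytes before the pattern).

    Only complete 4-character groups that encode pattern bytes alone are kept:
    a group that mixes in unknown preceding data, or trailing data/padding,
    is dropped because its characters depend on bytes outside the pattern.
    """
    variants = []
    for shift in range(3):
        padded = b"\x00" * shift + pattern           # filler stands in for unknown preceding bytes
        whole = padded[: len(padded) // 3 * 3]       # keep whole 3-byte groups only
        enc = base64.b64encode(whole).decode("ascii")
        if shift:
            enc = enc[4:]                            # first group contains filler bytes, drop it
        variants.append(enc)
    return variants


def decode_rule_fragment(fragment: str) -> bytes:
    """Decode a whole-group Base64 fragment taken from a rule's content: string."""
    return base64.b64decode(fragment)


def matching_variants(body: bytes, pattern: bytes) -> list[str]:
    """Base64-encode a message body the way a mailer would (single line, no
    wrapping) and report which alignment variants of `pattern` occur in it."""
    encoded = base64.b64encode(body).decode("ascii")
    return [v for v in base64_alignments(pattern) if v in encoded]


def rules_cover_all_phases(pattern: bytes, rules: dict) -> bool:
    """True when the first content: of the posted rules is exactly the set of
    three alignment variants of `pattern`, i.e. no phase is left unmatched."""
    posted = {first for first, _ in rules.values()}
    return posted == set(base64_alignments(pattern))


if __name__ == "__main__":
    for sid, (first, second) in RULE_CONTENTS.items():
        print(sid, first, decode_rule_fragment(first), second, decode_rule_fragment(second))
    print("all three phases covered:", rules_cover_all_phases(NOVARG_PATTERN, RULE_CONTENTS))
    # Constructed bodies: the same bytes shifted by 0, 1, 2 and 3 positions.
    for prefix in (b"", b"A", b"AB", b"ABC"):
        body = prefix + NOVARG_PATTERN + b" constructed tail"
        print(len(prefix), "byte(s) before pattern ->", matching_variants(body, NOVARG_PATTERN))
```

Each body matches exactly one variant, and a prefix of three bytes wraps back to the first one, which is why three rules (or one rule with three content alternatives) are the minimum for a Base64 body. One caveat that also applies to the posted rules: MIME wraps Base64 at 76 characters, so a content string that straddles a line break (the CRLF is inserted into the ASCII stream) will not match, which is one source of false negatives for short patterns like these.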
-
January 27th, 2004, 10:44 PM
#6
Thanks for these great rule files.
-
January 27th, 2004, 10:51 PM
#7
Have you posted these rules to www.snort.org? I'm pretty sure they would appreciate it!
-
January 28th, 2004, 12:31 AM
#8
I will; I just wanted to make sure there were no errors. There have been several posts already to snort-sigs, but nothing was completely accurate or broad enough to cover the possible byte shifts from the different forms of the virus.
I'm certain my rules are correct, but I'm waiting to see if there's another variation of the virus or if they could possibly produce a false positive.
That which does not kill me makes me stronger -- Friedrich Nietzsche
-
January 28th, 2004, 06:43 AM
#9
So far, my IDS hasn't had a false positive, so I'm assuming they're pretty accurate. Thanks again, that Base64 was making my head hurt so bad that I had half a rule written when you posted your first one.
Way to go!
-
February 3rd, 2004, 09:23 PM
#10
novarg
To: S3cur|ty4ng31
I've created a rules file with your posting and am taking hits from outside my firewall. It would appear that some Novarg virus traffic is originating from our mail server; however, my mail administrator claims it could not happen, as he's installed Norton's protection software. He does claim that Norton automatically responds to senders of Novarg that they're infected. Could the automatic response be the cause of the hits I'm seeing coming from the inside of my network?
Thanks!