Sasser Policy?

Hi,

Currently, I'm studying worm behaviors, such as Blaster, Sasser, ...
And the policy script blaster.bro can detect instances of W32.Blaster.

Is there any policy that can be used for detecting Sasser?
Or can any other scanning policy capture the scanning events of the Sasser worm?
I would like to understand how (or with what approaches) Bro detects Sasser.

Any help will be appreciated, thanks.

Regards,
Mike

Hello Mike,

The way used by Sasser (version "A") is different from the one used by
Blaster.
First it tries to connect using port tcp/445 instead of tcp/135, then
it'll download a binary using FTP (port tcp/5554), and then at least 128
threads are launched.

Seeing "blaster.bro", it should not be too difficult to
adapt it for Sasser (testing for several connections to port 445/tcp)

So an idea: copy blaster.bro to sasser.bro, then modify the
new policy:

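The "several connections to port 445/tcp" heuristic suggested above, as an added example that is not part of the thread and not blaster.bro itself: it reads constructed, simplified Bro-style conn records (columns ts, orig_h, resp_h, resp_p, conn_state are an assumption, not the real conn.log layout) and flags any originator that contacts at least a threshold number of distinct hosts on 445/tcp, which separates a scanner from a client talking repeatedly to one file server.

```python
from collections import defaultdict

# Constructed sample records (not real traffic): ts orig_h resp_h resp_p conn_state.
# 10.0.0.5 sweeps six hosts on 445/tcp (Sasser-like), 10.0.0.9 only talks to one
# file server, 10.0.0.7 is web traffic, and the last line is deliberately malformed.
SAMPLE_CONN_LOG = """\
1000.0 10.0.0.5 10.0.1.1 445 S0
1000.1 10.0.0.5 10.0.1.2 445 S0
1000.2 10.0.0.5 10.0.1.3 445 REJ
1000.3 10.0.0.5 10.0.1.4 445 S0
1000.4 10.0.0.5 10.0.1.5 445 SF
1000.5 10.0.0.5 10.0.1.6 445 S0
1000.6 10.0.0.9 10.0.1.100 445 SF
1001.0 10.0.0.9 10.0.1.100 445 SF
1002.0 10.0.0.9 10.0.1.100 445 SF
1003.0 10.0.0.7 10.0.1.1 80 SF
1003.1 10.0.0.7 10.0.1.2 80 SF
1003.2 10.0.0.7 10.0.1.3 80 SF
1003.3 malformed line
"""


def parse_conn_line(line):
    """Return (orig_h, resp_h, resp_p) for one record, or None if it is blank/malformed."""
    fields = line.split()
    if len(fields) < 5:
        return None
    try:
        return fields[1], fields[2], int(fields[3])
    except ValueError:
        return None


def find_scanners(lines, port=445, threshold=5):
    """Count distinct responders per originator on `port`; keep those at or above
    `threshold`. Distinct hosts, not raw connections, is what marks a sweep."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_conn_line(line)
        if rec is None:
            continue
        orig, resp, resp_p = rec
        if resp_p == port:
            targets[orig].add(resp)
    return {orig: len(hosts) for orig, hosts in targets.items() if len(hosts) >= threshold}


if __name__ == "__main__":
    for orig, n in find_scanners(SAMPLE_CONN_LOG.splitlines()).items():
        print(f"{orig} contacted {n} distinct hosts on 445/tcp: Sasser-like scan")
```

The threshold and the time window are the tuning knobs; in a real policy the per-source set would also need an expiry so that a slow, legitimate admin host does not accumulate towards the limit forever.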

Hi Mike,

Do you want to detect the particular malware Sasser or, more
generally, the class of malware that exploits the same vulnerability
as Sasser does?

For the latter, Bro has a DCE/RPC parser that exposes the interface and
function of each RPC request, and the one used by Sasser can be easily
identified. Coupled with some length threshold, it will make a pretty
precise and robust Sasser vulnerability detector.

Ruoming