Written by Matt Jonkman
Wednesday, 14 May 2008
New command and control channel found. Seen several samples doing this, usually on ports between 81 and 90. Reference here: http://doc.emergingthreats.net/bin/view/Main/Win32Looked

The client sends a 6 byte packet, usually containing "#108/!", often several times. The server eventually responds with another 6 bytes like "#109/!". Signatures 2008219 and 2008220 will catch these well.

Matt
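As an added illustration of the exchange described above (this is example code, not the Emerging Threats signatures 2008219/2008220 and not code from the post), the following Python walks TCP payload records in capture order and flags flows in which a client repeatedly sends the 6-byte "#108/!" to a server port between 81 and 90 and the server later answers with the 6-byte "#109/!". The payload bytes and the port range come from the post; the record layout, IP addresses and sample traffic are constructed for the demonstration.

```python
# Added example, not from the Emerging Threats post: flag the Win32/Looked-style
# command-and-control exchange described above. A client repeatedly sends the
# 6-byte payload "#108/!" to a server port in the 81-90 range and the server
# eventually answers with the 6-byte "#109/!". The payload bytes and port range
# are taken from the post; the flow records and addresses below are constructed.
from collections import defaultdict

CLIENT_BEACON = b"#108/!"   # client -> server payload reported in the post
SERVER_REPLY = b"#109/!"    # server -> client payload reported in the post
C2_PORTS = range(81, 91)    # "usually on ports between 81 and 90" (inclusive)


def looked_c2_flows(records):
    """Walk TCP payload records in capture order and return suspicious flows.

    records: iterable of (client_ip, server_ip, server_port, direction, payload),
    direction being "to_server" or "to_client" and payload the raw TCP data.
    Result: {(client_ip, server_ip, server_port): {"beacons": n, "confirmed": bool}}
    where "confirmed" means the server replied "#109/!" after at least one beacon.
    """
    state = defaultdict(lambda: {"beacons": 0, "confirmed": False})
    for client, server, port, direction, payload in records:
        # Both halves of the handshake are exactly 6 bytes; skip everything else early.
        if port not in C2_PORTS or len(payload) != 6:
            continue
        key = (client, server, port)
        if direction == "to_server" and payload == CLIENT_BEACON:
            state[key]["beacons"] += 1
        elif direction == "to_client" and payload == SERVER_REPLY and key in state:
            # A reply only counts as confirmation when a beacon preceded it in this flow.
            state[key]["confirmed"] = True
    return dict(state)


# Constructed sample traffic (not real captures):
#   flow 1: three beacons on port 85 followed by the server reply  -> confirmed
#   flow 2: the beacon bytes on port 8080                          -> outside range, ignored
#   flow 3: one beacon on port 81, no reply                        -> beacon only
#   flow 4: a stray "#109/!" with no preceding beacon              -> ignored
SAMPLE_RECORDS = [
    ("10.0.0.5", "198.51.100.7", 85, "to_server", b"#108/!"),
    ("10.0.0.5", "198.51.100.7", 85, "to_server", b"#108/!"),
    ("10.0.0.5", "198.51.100.7", 85, "to_server", b"#108/!"),
    ("10.0.0.5", "198.51.100.7", 85, "to_client", b"#109/!"),
    ("10.0.0.6", "198.51.100.8", 8080, "to_server", b"#108/!"),
    ("10.0.0.9", "198.51.100.9", 81, "to_server", b"#108/!"),
    ("10.0.0.9", "198.51.100.9", 81, "to_server", b"GET / HTTP/1.0\r\n\r\n"),
    ("10.0.0.12", "198.51.100.3", 90, "to_client", b"#109/!"),
]

if __name__ == "__main__":
    for (client, server, port), info in looked_c2_flows(SAMPLE_RECORDS).items():
        status = "confirmed C2 handshake" if info["confirmed"] else "beacon only"
        print(f"{client} -> {server}:{port}  beacons={info['beacons']}  {status}")
```

Requiring the server's "#109/!" before calling a flow confirmed keeps a single stray 6-byte packet from raising an alert; a beacon-only flow is still worth a look, since an infected host will keep retrying while the controller is down.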
Written by Matt Jonkman
Monday, 05 May 2008
Seeing how Srizbi has overtaken Storm as the most widespread, I thought we should have some sigs for the common Srizbi loader URLs as we've been doing for Storm. There's been a lot of good feedback on those. Definitely helps tip an admin off to a possible infection, or stop one if you're blocking. The latest spams for Srizbi advertise URLs ending in /My_foto.exe, which ought to be relatively unique. Will just run this till they move to the next big thing.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe)"; flow:established,to_server; uricontent:"/My_foto.exe"; nocase; classtype:trojan-activity; sid:2008188; rev:1;)
Written by Matt Jonkman
Monday, 05 May 2008
I dropped the April Fools Day Storm sigs from Current Events, replaced with the latest, /load.exe.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)"; flow:established,to_server; uricontent:"/load.exe"; nocase; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|"; classtype:trojan-activity; reference:url,www.sudosecure.net/archives/61; sid:2008077; rev:5;)

Thanks to Jeremy at Sudosecure.net for the update!
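To show what the two rules above actually match (the Srizbi /My_foto.exe rule and the Storm /load.exe rule), here is an added Python example that is not Snort and not Emerging Threats code. It translates Snort content syntax (|hex| sections and the escaped ":" and ";" characters) into raw bytes, then applies each rule's uricontent and content options to constructed HTTP requests. It is a simplification: it ignores flow, classtype and reference, and matches uricontent against the raw request URI rather than Snort's normalized URI. The rule strings are copied from the post; the request samples, host names and the match_rules helper are my own.

```python
# Added example, not part of the Emerging Threats post or of Snort itself.
# Mimics just enough of Snort's content matching to show what the two
# CURRENT_EVENTS rules above fire on. Rule strings are copied from the post;
# the HTTP requests below are constructed.

def snort_content_to_bytes(spec):
    """Translate a Snort content string into the raw bytes it matches.

    |hh hh| sections are hex bytes; a backslash escapes the next character
    (Snort needs \: \; \" \\ inside rule options). Everything else is literal.
    """
    out = bytearray()
    i = 0
    while i < len(spec):
        c = spec[i]
        if c == "|":
            end = spec.index("|", i + 1)
            out += bytes.fromhex(spec[i + 1:end])
            i = end + 1
        elif c == "\\":
            out.append(ord(spec[i + 1]))
            i += 2
        else:
            out.append(ord(c))
            i += 1
    return bytes(out)


# (pattern, nocase) pairs, as they appear in the two rules from the post.
# Note that "nocase" only modifies the content option immediately before it,
# so the Storm User-Agent match stays case-sensitive.
RULES = [
    {"sid": 2008188,
     "msg": "ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe)",
     "uricontent": ("/My_foto.exe", True),
     "content": None},
    {"sid": 2008077,
     "msg": "ET CURRENT_EVENTS Possible Storm Worm EXE Request (load.exe)",
     "uricontent": ("/load.exe", True),
     "content": (r"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1921)|0d 0a|", False)},
]


def match_rules(request, rules=RULES):
    """Return the sids of all rules whose uricontent and content match the request bytes."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return []
    uri = parts[1]
    hits = []
    for rule in rules:
        pattern, nocase = rule["uricontent"]
        needle, hay = pattern.encode(), uri
        if nocase:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            continue
        if rule["content"] is not None:
            cpattern, cnocase = rule["content"]
            cbytes = snort_content_to_bytes(cpattern)
            matched = cbytes.lower() in request.lower() if cnocase else cbytes in request
            if not matched:
                continue
        hits.append(rule["sid"])
    return hits


# Constructed requests (example.invalid is a reserved name, not a real host).
STORM_REQUEST = (b"GET /load.exe HTTP/1.1\r\n"
                 b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1921)\r\n"
                 b"Host: example.invalid\r\n\r\n")
LOAD_EXE_OTHER_UA = b"GET /load.exe HTTP/1.1\r\nUser-Agent: curl/7.0\r\nHost: example.invalid\r\n\r\n"
SRIZBI_REQUEST = b"GET /pics/MY_FOTO.EXE HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("storm", STORM_REQUEST), ("load.exe/other UA", LOAD_EXE_OTHER_UA),
                      ("srizbi", SRIZBI_REQUEST), ("benign", BENIGN_REQUEST)]:
        print(f"{name:18s} -> {match_rules(req)}")
```

The second request shows why the Storm rule carries the User-Agent content in addition to the URI: a /load.exe fetch from any other client passes through, so the rule keys on the specific browser string the worm's downloader sends rather than on the file name alone. The Srizbi rule has only the URI to go on, which is why the post expects it to be retired once the spam runs move to a different name.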
Last Updated ( Wednesday, 07 May 2008 )