Written by Matt Jonkman
Wednesday, 09 January 2008

Interesting trojan, MBR based. (Thought that was all over in the 90's eh?) Analysis here by Gmer: www2.gmer.net/mbr/

Sig is good till it mutates, but we'll keep an eye on it.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN MBR Trojan (Sinowal/Mebroot/) Phoning Home"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ld/mat"; nocase; uricontent:".php"; nocase; content:"|0d 0a|id="; distance:30; content:"&hit="; distance:5; classtype:trojan-activity; sid:2007747; rev:1;)

Last Updated ( Thursday, 10 January 2008 )
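As an added example (not code from the post or from Emerging Threats), here is the matching logic of sid 2007747 written out in Python and run over constructed HTTP requests, so the effect of each depth/distance modifier can be seen. Snort's semantics are simplified: distance is taken relative to the previous raw-payload match, the "URI buffer" is just the URI from the request line, and all sample requests are invented.

```python
def _find(buf, pat, start=0, end=None, nocase=False):
    """Find pat in buf[start:end]; return absolute offset or -1 (mirrors one Snort content search)."""
    hay = buf[start:end]
    if nocase:
        hay, pat = hay.lower(), pat.lower()
    i = hay.find(pat)
    return -1 if i < 0 else start + i


def request_uri(payload):
    """Request-URI from the HTTP request line (a stand-in for Snort's normalized URI buffer)."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def matches_sid_2007747(payload):
    """Apply the checks of the post's rule, in order, to one client-to-server payload."""
    # content:"POST "; depth:5;  -- must sit entirely within the first 5 bytes
    pos = _find(payload, b"POST ", 0, 5)
    if pos < 0:
        return False
    doe = pos + len(b"POST ")  # "detect offset end": where the last match ended
    # uricontent:"/ld/mat"; nocase; uricontent:".php"; nocase;
    uri = request_uri(payload)
    if _find(uri, b"/ld/mat", nocase=True) < 0 or _find(uri, b".php", nocase=True) < 0:
        return False
    # content:"|0d 0a|id="; distance:30;  -- search starts 30 bytes after the previous payload match
    pos = _find(payload, b"\r\nid=", doe + 30)
    if pos < 0:
        return False
    doe = pos + len(b"\r\nid=")
    # content:"&hit="; distance:5;  -- must start at least 5 bytes past the end of "\r\nid="
    return _find(payload, b"&hit=", doe + 5) >= 0


# Constructed sample requests (not captured traffic).
SAMPLE_BEACON = (
    b"POST /ld/mat.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 19\r\n"
    b"\r\n"
    b"id=0123456789&hit=1"
)
SAMPLE_BENIGN = b"POST /login.php HTTP/1.1\r\nHost: example.invalid\r\n\r\nuser=a&hit=1"
# Same URI, but only two bytes between "id=" and "&hit=": distance:5 prevents a match.
SAMPLE_SHORT_ID = b"POST /ld/mat.php HTTP/1.1\r\nHost: example.invalid\r\n\r\nid=ab&hit=1"

if __name__ == "__main__":
    for name, req in [("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN), ("short id", SAMPLE_SHORT_ID)]:
        print(f"{name}: {'ALERT' if matches_sid_2007747(req) else 'no match'}")
```

The third sample shows a tuning point: because of distance:5, a beacon whose id value is shorter than five bytes would not fire the rule as written.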
Written by Matt Jonkman
Wednesday, 09 January 2008

Interesting new trojan around, and a signature from iDefense/Verisign. Information about it here at Websense: www.websense.com/securitylabs/alerts/alert.php?AlertID=835

The submitted signature:

#from Matt Richard with Verisign Security Services / iDefense
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ( msg:"BLEEDING-EDGE TROJAN NPRC Malicious POST Request Possible DOJ or DOT Malware"; flow:to_server; content:"POST"; nocase; offset:0; depth:4; content:"ACCEPT|3A|"; nocase; within:300; content:"POST|2C|"; nocase; within:100; classtype:trojan-activity; reference:url,www.websense.com/securitylabs/alerts/alert.php?AlertID=835; sid:2007748; rev:1;)

Please let us know about any false positives, but the activity is very unique. Should be reliable. Thanks to iDefense/Verisign!

Last Updated ( Wednesday, 09 January 2008 )
Written by Matt Jonkman
Tuesday, 08 January 2008

From Victor Julien's blog Inliniac:

Matt Jonkman of Emerging Threats asked me to have a look at the existing Snortsam 2.8.0.1 patch as people were continuing to report problems with it. I updated it to compile without compiler warnings, build cleanly with debugging enabled, build cleanly with Snort’s IPv6 support enabled and added a check so it won’t act on alerts in IPv6 packets since the Snortsam framework does not support IPv6. Finally I removed the patch script so it’s provided as a ‘normal’ diff. Here is the patch: http://www.inliniac.net/files/snortsam-2.8.0.1.diff

Instructions follow...

Last Updated ( Thursday, 10 January 2008 )