Trojan Proxy.afv Sigs
Written by Matt Jonkman   
Wednesday, 02 January 2008

A lot of the bots/trojans are using HTTP POST submissions rather than URL parameters. That makes it harder for us to write good low-load sigs, since we can't just rely on the URI preprocessor to keep the match confined to the request header. We will have to write more sigs of this type in the future. The risk is that a sig ends up being applied against an entire binary POST body, etc.

 

Created by Jeremy Conway with contributions from Steven Adair

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN TROJ_PROX.AFV POST"; flow:to_server,established; content:"POST "; nocase; depth:5; uricontent:".php"; nocase; content:"=|22|sid|22|"; nocase; content:"=|22|up|22|"; nocase; content:"=|22|wbfl|22|"; nocase; content:"=|22|v|22|"; nocase; content:"=|22|ping|22|"; nocase; content:"=|22|guid|22|"; nocase; content:"=|22|wv|22|"; nocase; reference:url,trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FPROXY%2EAFV&VSect=T; classtype:trojan-activity; sid:2007728; rev:1;)

 

Posted, Thanks Jeremy and Steven!

Last Updated ( Wednesday, 02 January 2008 )
 
Storm Malware Domains Updated
Written by Matt Jonkman   
Tuesday, 01 January 2008

David Glosser has added the storm domains from the latest wave of crud to the DNS Blackhole list. We have looked at Snort sigs for these, but the binary names and HTTP methods aren't unique enough at this point for reliable sigs. Latest update from David:

---- 

The domain is www.malwaredomains.com.
(updates are located at http://www.malwaredomains.com/updates and the full files are located at: http://www.malwaredomains.com/files).
 
If you use the listening post, you will be contributing to the fight against spyware and malware by helping us to create a smaller list of "active" domains which can be used by smaller companies whose DNS servers do not have the horsepower to run the full blocklist, among other things.
 
List Update:
All known storm worm domains have been added to the DNS Blackhole List, as well as the usual list of new rogue antivirus and fake codec domains.  

Last Updated ( Tuesday, 01 January 2008 )
 
No Banner FTP
Written by Matt Jonkman   
Monday, 31 December 2007
# Seeing some worms/trojans use an FTP server with all banners stripped out,
# on off ports, to download the payload after the initial compromise.
# Just status codes, no welcome text, etc. Very distinctive.
# Something like:
#220
#USER a
#331
#PASS a
#230
#TYPE I
#200
#PORT 10,2,32,214,4,9
#200
#RETR msnnmaneger.exe
#150
#226
#QUIT
#221


# Three-rule chain linked by flowbits: user -> pass -> retr. The first two set state
# silently (flowbits:noalert); only the RETR rule alerts and tags the session.
# The commands come from the infected host in $HOME_NET, so flow is to_server, and
# the CRLF content at distance:1 matches a one-byte argument such as "USER a".
alert tcp $HOME_NET 1024: -> any 1024: (msg:"BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - user"; flow:established,to_server; dsize:>7; content:"USER "; depth:5; offset:0; content:"|0d 0a|"; distance:1; flowbits:noalert; flowbits:set,ET.strippedftpuser; classtype:trojan-activity; sid:2007715; rev:2;)
alert tcp $HOME_NET 1024: -> any 1024: (msg:"BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - pass"; flowbits:isset,ET.strippedftpuser; flow:established,to_server; dsize:>7; content:"PASS "; depth:5; offset:0; content:"|0d 0a|"; distance:1; flowbits:noalert; flowbits:set,ET.strippedftppass; classtype:trojan-activity; sid:2007717; rev:3;)
alert tcp $HOME_NET 1024: -> any 1024: (msg:"BLEEDING-EDGE ATTACK_RESPONSE Off-Port FTP Without Banners - retr"; flowbits:isset,ET.strippedftppass; flow:established,to_server; dsize:>7; content:"RETR "; depth:5; offset:0; tag:session; classtype:trojan-activity; sid:2007723; rev:3;)
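A chain like the one above only works if every flowbits:isset name is spelled exactly as some rule sets it, and a dropped colon or semicolon silently breaks an option. The following lint pass is an added example, not code from the original post or from Bleeding Edge: it splits a Snort 2 rule's options, flags unknown keywords, bad flow tokens and malformed sids, and reports isset names that no rule in the set ever sets. KNOWN is limited to the option keywords used on this page, and SAMPLE is a constructed two-rule chain, not the page's rules.

```python
# Snort 2 option keywords used on this page; any other key (a dropped colon, "id") is reported.
KNOWN = {"msg", "flow", "flowbits", "content", "uricontent", "nocase", "depth", "offset",
         "distance", "within", "dsize", "tag", "reference", "classtype", "sid", "rev"}
FLOW_TOKENS = {"established", "not_established", "stateless", "to_server",
               "from_server", "to_client", "from_client", "only_stream", "no_stream"}

def split_options(body):
    """Split 'key:value; key:value;' into pairs, ignoring ';' inside quotes."""
    opts, cur, quoted = [], "", False
    for ch in body:
        quoted ^= ch == '"'
        if ch == ";" and not quoted:
            key, _, val = cur.strip().partition(":")
            opts.append((key.strip(), val.strip()))
            cur = ""
        else:
            cur += ch
    return opts

def lint_rules(rules):
    """Return problems: unknown options, bad flow tokens, bad sid, isset w/o set."""
    problems, set_names, isset_refs = [], set(), []
    for rule in rules:
        opts = split_options(rule[rule.find("(") + 1:rule.rfind(")")])
        sid = next((v for k, v in opts if k == "sid"), "")
        label = f"sid {sid}" if sid else rule[:40]
        if not sid.isdigit():  # also catches "sid:2007728 rev:1" (missing ';')
            problems.append(f"{label}: missing or malformed sid")
        for key, val in opts:
            if key not in KNOWN:
                problems.append(f"{label}: unknown option '{key}'")
            elif key == "flow":
                bad = [t.strip() for t in val.split(",") if t.strip() not in FLOW_TOKENS]
                problems += [f"{label}: bad flow token '{t}'" for t in bad]
            elif key == "flowbits":
                op, _, name = val.partition(",")
                if op == "set":
                    set_names.add(name)
                elif op == "isset":
                    isset_refs.append((label, name))
    problems += [f"{label}: flowbits '{n}' is tested but never set"
                 for label, n in isset_refs if n not in set_names]
    return problems

# Constructed chain: a bad flow token, a misspelled isset name, a dropped colon and "id".
SAMPLE = [
    'alert tcp any any -> any any (msg:"u"; flow:established,to_server; content:"USER "; flowbits:set,ET.ftpuser; sid:1; rev:1;)',
    'alert tcp any any -> any any (msg:"p"; flow:established,frm_server; flowbits:isset,ET.ftpusr; flowbitsset,ET.ftppass; id:2; rev:1;)',
]
print(*lint_rules(SAMPLE), sep="\n")
```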
Last Updated ( Wednesday, 02 January 2008 )
 