Written by Matt Jonkman
Wednesday, 20 February 2008
Caught an interesting Delf variant pushing keylogs up via ftp with a predictable filename:

STOR MACHINENAME Keylogger [12_54 AM].txt

That's easy enough to follow:

alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Delf Keylog FTP Upload"; flow:established,to_server; content:"STOR "; depth:5; content:" Keylogger ["; nocase; distance:5; within:50; content:"].txt|0d 0a|"; nocase; distance:5; within:40; classtype:trojan-activity; sid:2007858; rev:1;)

Please report issues with it!

Matt
Last Updated ( Wednesday, 20 February 2008 )

Written by Matt Jonkman
Wednesday, 13 February 2008
Three interesting sigs in from Akash Mahajan of Stillsecure this morning.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Aurigma Image Uploader ImageUploaer4.ocx ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"0x40000"; content:"Acton"; nocase; content:"clsid"; nocase; content:"6E5E167B-1566-4316-B27F-0DDAB3484CF7"; nocase; classtype:web-application-attack; reference:bugtraq,27539; reference:url,isc.sans.org/diary.html?storyid=3929; sid:2007815; rev:2;)

The above replaces the previous sig which was just looking for the CLSID.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Sony ImageStation (SonyISUpload.cab 1.0.0.38) ActiveX Buffer Overflow Exploit"; flow:to_client,established; content:"0x40000"; nocase; content:"E9A7F56F-C40F-4928-8C6F-7A72F2A25222"; nocase; content:"SetLogging"; nocase; reference:url,www.milw0rm.com/exploits/5086; reference:url,www.milw0rm.com/exploits/5100; classtype:web-application-attack; sid:2007847; rev:1;)

For the Sony exploit, and finally:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft DirectSpeechSynthesis Module (XVoice.dll 4.0.4.3303) remote BoF exploit"; flow:to_client,established; content:"clsid"; nocase; content:"EEE78591-FE22-11D0-8BEF-0060081841DE"; nocase; content:"0x40000"; content:"FindEngine"; nocase; reference:url,www.milw0rm.com/exploits/5087; reference:bugtraq,24426; classtype:web-application-attack; sid:2007848; rev:1;)

Thanks for submitting these Akash. As always, please report any issues or feedback.

Matt
Last Updated ( Monday, 18 February 2008 )
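Both the Delf keylog FTP rule (sid:2007858, 20 February post) and the Aurigma ActiveX rule (sid:2007815, 13 February post) rely on Snort's content modifiers: depth, distance, within and nocase. The following is an added example, not Emerging Threats or Snort code, that implements an approximation of those modifiers from the Snort manual and runs both rules over constructed payloads (no captured traffic). The sample FTP command lines and the HTML fragment are made up for the test, and the matcher is a simplification of Snort's engine.

```python
# Added illustration (not Emerging Threats or Snort code): a minimal evaluator
# for the content / depth / distance / within / nocase options used in the two
# rules above, run over constructed FTP and HTTP payloads.  Semantics are an
# approximation of the Snort manual, not Snort's matching engine.


def parse_content(text: str) -> bytes:
    """Turn a Snort content string such as "].txt|0d 0a|" into raw bytes."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal text
        else:
            out += bytes.fromhex(part)      # |hex| escape (fromhex ignores spaces)
    return bytes(out)


def match_contents(payload: bytes, contents: list) -> bool:
    """Return True when every content option matches the payload in order.

    Each option is a dict with key 'content' and optional 'depth', 'distance',
    'within' (ints) and 'nocase' (bool).  'pos' tracks the end of the previous
    match; distance and within are measured relative to it.
    """
    pos = 0
    for opt in contents:
        needle = parse_content(opt["content"])
        hay = payload
        if opt.get("nocase"):
            needle, hay = needle.lower(), hay.lower()
        if opt.get("distance") is None and opt.get("within") is None:
            # No relative modifiers: search from the start of the payload,
            # limited to the first 'depth' bytes when depth is set.
            start = 0
            end = len(hay) if opt.get("depth") is None else opt["depth"]
        else:
            # Relative to the previous match: skip 'distance' bytes, and the
            # pattern must fall entirely inside the next 'within' bytes.
            start = pos + (opt.get("distance") or 0)
            end = len(hay) if opt.get("within") is None else start + opt["within"]
        idx = hay.find(needle, start, end)   # match must fit in [start, end)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True


# sid:2007858 (Delf keylog FTP upload), transcribed from the rule above.
DELF_FTP_KEYLOG = [
    {"content": "STOR ", "depth": 5},
    {"content": " Keylogger [", "nocase": True, "distance": 5, "within": 50},
    {"content": "].txt|0d 0a|", "nocase": True, "distance": 5, "within": 40},
]

# sid:2007815 (Aurigma Image Uploader ActiveX), transcribed from the rule above.
AURIGMA_ACTIVEX = [
    {"content": "0x40000"},
    {"content": "Acton", "nocase": True},
    {"content": "clsid", "nocase": True},
    {"content": "6E5E167B-1566-4316-B27F-0DDAB3484CF7", "nocase": True},
]

# Constructed sample payloads (not captured traffic).
FTP_SAMPLES = {
    "keylog upload": b"STOR WORKSTATION1 Keylogger [12_54 AM].txt\r\n",
    "short hostname": b"STOR PC1 Keylogger [12_54 AM].txt\r\n",   # hostname < 5 bytes
    "benign upload": b"STOR quarterly-report.txt\r\n",
}
HTTP_SAMPLES = {
    "all tokens present": (
        b'<object classid="clsid:6E5E167B-1566-4316-B27F-0DDAB3484CF7"></object>\n'
        b"<!-- constructed test page: Acton 0x40000 -->\n"
    ),
    "clsid only": b'<object classid="clsid:6E5E167B-1566-4316-B27F-0DDAB3484CF7"></object>\n',
}


def evaluate(samples: dict, rule: list) -> dict:
    """Map each sample name to whether the rule fires on it."""
    return {name: match_contents(data, rule) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate(FTP_SAMPLES, DELF_FTP_KEYLOG).items():
        print(f"sid:2007858 {name!r}: {'ALERT' if hit else 'no alert'}")
    for name, hit in evaluate(HTTP_SAMPLES, AURIGMA_ACTIVEX).items():
        print(f"sid:2007815 {name!r}: {'ALERT' if hit else 'no alert'}")
```

Two things the run makes visible that the rules alone do not. In the Delf rule, distance:5 after "STOR " means " Keylogger [" cannot begin until five bytes past the command, so a machine name shorter than five characters (the constructed "PC1" sample) slips past the signature; whether that matters depends on the hostnames in your environment. In the Aurigma rule none of the four content matches carries distance or within, so the tokens only need to co-occur anywhere in the response, in any order, which keeps the rule simple at the cost of some false-positive exposure on pages that merely mention the CLSID alongside those strings.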

Written by Matt Jonkman
Tuesday, 12 February 2008
In keeping with recent tradition we've got a new signature out for the recent wave of Storm crud. It's simple, but the feedback from the New Years and subsequent signatures has been very positive. Note: Storm doesn't exploit any particular vulnerability to spread (unless you consider clicking users a true vulnerability). This signature just detects an HTTP request for /valentine.exe, which is the form the current wave is taking.

http://doc.emergingthreats.net/bin/view/Main/2007835

We'll drop this in a week or two, likely to be replaced by Easter stuff. My official prediction: /happyeaster.exe...

Matt