Written by Matt Jonkman

Monday, 05 May 2008
Seeing how Srizbi has overtaken Storm as the most widespread botnet, I thought we should have some sigs for the common Srizbi loader URLs, as we've been doing for Storm. There's been a lot of good feedback on those. They definitely help tip an admin off to a possible infection, or stop one if you're blocking. The latest spams for Srizbi advertise URLs ending in /My_foto.exe, which ought to be relatively unique. We'll just run this till they move to the next big thing.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe)"; flow:established,to_server; uricontent:"/My_foto.exe"; nocase; classtype:trojan-activity; sid:2008188; rev:1;)
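As an added illustration that is not part of the original post, the following Python applies the same match logic as the rule above (outbound $HOME_NET to $EXTERNAL_NET on an HTTP port, case-insensitive URI match, percent-decoded to mimic Snort's URI normalization) to constructed proxy-style request log lines. The log format, the RFC 1918 stand-in for $HOME_NET, and the port set standing in for $HTTP_PORTS are assumptions for the example.

```python
from typing import List, NamedTuple, Optional
from urllib.parse import unquote

# Assumption: stand-in for Snort's $HTTP_PORTS variable.
HTTP_PORTS = {80, 8080, 8000}
SID = 2008188
URI_PATTERN = "/my_foto.exe"  # uricontent:"/My_foto.exe"; nocase;


class Alert(NamedTuple):
    sid: int
    src: str
    dst: str
    uri: str


def is_home_net(ip: str) -> bool:
    """Assumption: $HOME_NET is 10/8 and 192.168/16 (RFC 1918 ranges)."""
    return ip.startswith("10.") or ip.startswith("192.168.")


def check_request(line: str) -> Optional[Alert]:
    """Apply the rule to one constructed log line: '<src> <dst>:<port> <METHOD> <URI>'."""
    src, dst_port, _method, uri = line.split()
    dst, port = dst_port.rsplit(":", 1)
    # $HOME_NET -> $EXTERNAL_NET: only outbound client requests are in scope.
    if not is_home_net(src) or is_home_net(dst):
        return None
    if int(port) not in HTTP_PORTS:
        return None
    # Snort matches uricontent against the normalized URI; percent-decoding
    # and lower-casing approximate that normalization plus the nocase modifier.
    if URI_PATTERN in unquote(uri).lower():
        return Alert(SID, src, dst, uri)
    return None


def scan(log: str) -> List[Alert]:
    """Run the check over every non-empty line of a log and collect the hits."""
    return [a for a in (check_request(ln) for ln in log.splitlines() if ln.strip()) if a]


# Constructed sample log: three lines should alert, three should not.
SAMPLE_LOG = """\
10.1.2.3 203.0.113.10:80 GET /My_foto.exe
10.1.2.3 203.0.113.10:80 GET /images/MY_FOTO.EXE
10.1.2.3 203.0.113.10:8080 GET /My%5Ffoto.exe
10.1.2.4 203.0.113.11:443 GET /My_foto.exe
10.1.2.5 10.1.2.6:80 GET /My_foto.exe
10.1.2.3 203.0.113.10:80 GET /index.html
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"sid:{alert.sid} {alert.src} -> {alert.dst} {alert.uri}")
```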