We have a set of signatures from Don Jackson and the fine folks at Secureworks for the very bad MS08-067. MS released a patch for this out of cycle as there is exploit code, it's remotely exploitable, and there is malware targeting this.
Too many sigs to paste here, so let's use a link to CVS:
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/EXPLOIT/EXPLOIT_MS08-067
Thanks again to Don and the Secureworks guys. This was the result of some very difficult research.
--------------
UPDATE
The trojan Gimiv is being installed via this vulnerability. Caught samples in the sandnet making an outbound ping to two Google IPs. They must be hardcoded, as it does not look them up. But the payload is unique, as seen in this sig being posted:
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gimiv Infection Ping Outbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; classtype:trojan-activity; sid:2008726; rev:1;)
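To show what the rule above actually tests, here is an added Python example (not code from the post or from Emerging Threats) that parses the Gimiv rule's options and applies its itype/icode/dsize/content checks to raw ICMP packets. The packets are constructed for the example; the real beacon's 20th payload byte is not stated in the post, so a single zero byte is used as a placeholder. dsize is taken, as Snort's ICMP decoder does, to mean the data after the 8-byte echo header, which is why the 19-character content string plus one byte satisfies dsize:20 while the bare 19-byte string does not.

```python
import re
import struct

# The rule from the post, verbatim.
GIMIV_RULE = (
    'alert icmp $HOME_NET any -> $EXTERNAL_NET any '
    '(msg:"ET TROJAN Gimiv Infection Ping Outbound"; icode:0; itype:8; dsize:20; '
    'content:"abcde12345fghij6789"; classtype:trojan-activity; sid:2008726; rev:1;)'
)

# One option: key, optional ":value" (quoted or bare), terminated by ';'.
_OPT_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(rule):
    """Split a Snort rule into its header fields and an option dict."""
    header, _, body = rule.partition('(')
    action, proto, src, sport, direction, dst, dport = header.split()
    opts = {}
    for key, val in _OPT_RE.findall(body.rstrip(')')):
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1]          # strip the quotes around msg/content
        opts[key] = val
    return {'action': action, 'proto': proto, 'src': src, 'sport': sport,
            'direction': direction, 'dst': dst, 'dport': dport, 'options': opts}


def inet_checksum(data):
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload, ident=0x1234, seq=1, icmp_type=8, code=0):
    """Build an ICMP echo packet (8-byte header + data) with a valid checksum."""
    hdr = struct.pack('!BBHHH', icmp_type, code, 0, ident, seq)
    csum = inet_checksum(hdr + payload)
    return struct.pack('!BBHHH', icmp_type, code, csum, ident, seq) + payload


def rule_matches(parsed, icmp_packet):
    """Apply itype, icode, dsize and content from a parsed rule to a raw ICMP packet.

    Only plain-text content is handled (the Gimiv rule uses no |hex| bytes);
    dsize is measured on the data after the 8-byte echo header, as Snort does.
    """
    opts = parsed['options']
    icmp_type, code = icmp_packet[0], icmp_packet[1]
    data = icmp_packet[8:]
    if 'itype' in opts and int(opts['itype']) != icmp_type:
        return False
    if 'icode' in opts and int(opts['icode']) != code:
        return False
    if 'dsize' in opts and len(data) != int(opts['dsize']):
        return False
    if 'content' in opts and opts['content'].encode() not in data:
        return False
    return True


# Constructed sample traffic, labelled: none of this is captured data.
SAMPLES = {
    'gimiv_like_beacon': build_icmp_echo(b'abcde12345fghij6789' + b'\x00'),  # placeholder 20th byte
    'content_but_19_bytes': build_icmp_echo(b'abcde12345fghij6789'),        # fails dsize:20
    'linux_ping_56_bytes': build_icmp_echo(bytes(range(56))),              # ordinary ping
    'echo_reply_same_data': build_icmp_echo(b'abcde12345fghij6789' + b'\x00', icmp_type=0),
}


def classify(samples=SAMPLES, rule=GIMIV_RULE):
    """Return {label: matched} for every sample packet under the rule."""
    parsed = parse_rule(rule)
    return {label: rule_matches(parsed, pkt) for label, pkt in samples.items()}


if __name__ == '__main__':
    for label, hit in classify().items():
        print('%-22s %s' % (label, 'ALERT' if hit else 'no match'))
```

Running it fires only on the constructed 20-byte beacon; the same string in a 19-byte payload, a stock 56-byte ping, and an echo reply carrying the string all fall through, which is the behaviour the dsize/itype constraints give the rule and the reason it stays quiet on normal ping traffic.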