Thanks to you all in the community we have some excellent signature coverage for the MS DirectShow 0-day exploit.
Some background here:
http://www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799
(translated)
http://isc.sans.org/diary.html?storyid=6733
http://www.cisco.com/web/about/security/intelligence/actX-ALPI_amiddleton.html
Latest versions of the signatures in CVS web (select text to view):
http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl
http://doc.emergingthreats.net/bin/view/Main/2009488
http://doc.emergingthreats.net/bin/view/Main/2009489
http://doc.emergingthreats.net/bin/view/Main/2009490
http://doc.emergingthreats.net/bin/view/Main/2009491
http://doc.emergingthreats.net/bin/view/Main/2009492
http://doc.emergingthreats.net/bin/view/Main/2009493
You'll notice two signatures looking for domain names in HTTP requests. Latest intelligence shows these two domains being used in exploits. We'll remove those sigs once that threat has passed or the domains have been taken down.
Please share any info you can!
Matt
UPDATE:
Some killbit info:
http://node5.blogspot.com/2009/07/adm-template-that-sets-killbits-for.html
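The two domain-name signatures mentioned above match on the Host header of HTTP requests. As an added illustration of that detection idea (this is not code from the post or from the Emerging Threats rule set), the Python below normalises the Host header of reassembled requests and checks it against a watchlist; the domains and request lines are constructed placeholders, not the real exploit-hosting domains, and the watchlist is plain data so it can be retired as easily as the sigs will be once the threat has passed.

```python
"""Added example, not part of the original post or the ET signatures:
Host-header watchlist check over reassembled HTTP requests."""

# Constructed watchlist. The real signatures carry the domains from the
# intelligence at the time; this page does not reproduce them.
WATCHLIST = {"exploit-host.example", "bad-cdn.example"}

# Constructed sample requests, as a sensor might reassemble them.
SAMPLE_REQUESTS = [
    "GET /video.html HTTP/1.1\r\nHost: www.exploit-host.example\r\n"
    "User-Agent: Mozilla/4.0\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nhost: BAD-CDN.EXAMPLE:8080\r\n\r\n",
    "GET /news HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    "POST /submit HTTP/1.1\r\nHost: notexploit-host.example\r\n\r\n",
]


def host_from_request(raw):
    """Return the Host header value lower-cased, without a port, or None."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            # Drop a trailing :port, but leave bracketed IPv6 literals alone.
            if not host.startswith("[") and ":" in host:
                host = host.rsplit(":", 1)[0]
            return host.rstrip(".")
    return None


def matches_watchlist(host, watchlist=WATCHLIST):
    """True if host equals a watchlisted domain or is a subdomain of one.

    Matching on a '.' boundary avoids the substring false positive where
    'notexploit-host.example' would otherwise hit 'exploit-host.example'.
    """
    if host is None:
        return False
    return any(host == d or host.endswith("." + d) for d in watchlist)


def scan(requests, watchlist=WATCHLIST):
    """Return (index, host) for every request whose Host hits the watchlist."""
    hits = []
    for i, raw in enumerate(requests):
        host = host_from_request(raw)
        if matches_watchlist(host, watchlist):
            hits.append((i, host))
    return hits


if __name__ == "__main__":
    for i, host in scan(SAMPLE_REQUESTS):
        print(f"request {i}: Host {host} matches watchlist")
```

The check is case-insensitive, ignores an explicit port, and only matches on a label boundary, which are the three details that most often cause a naive "domain in HTTP request" content match to miss or to fire on the wrong host.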