Wednesday, 26 November 2008 08:52
Great research from Daniel Clemens and McAfee:
http://www.avertlabs.com/research/blog/index.php/2008/11/25/further-067-woes/
http://www.packetninjas.net/?p=73
Daniel has put up a signature that ought to be reliable. It's in CURRENT_EVENTS as this worm may not last long. We'll drop it in a couple weeks if so. As far as we know the existing sigs for the actual MS08-067 will catch the exploit attempts internally. Some activity seems related to ushealthmart.com. This domain has been known bad for a very long time, and I've personally reported it to GoDaddy, where it's registered, several times months ago on other trojans. No response unfortunately. Thanks GoDaddy! Making the world a safer place... for someone. Happy de-worming!!
Matt
Thursday, 29 May 2008
Jeffrey Brown has put in some new signatures for a new command and control channel discovered in a sandnet sample. No name for it yet, and no AV detection at all, which is very strange as the sample was discovered and submitted to the AV community over a week ago.
MD5 of the sample in question is 50ce9d2bf24db7cc90b7fba99c413d56. And Jeffrey has written signatures 2008245-2008247 to detect the channel.
The trojan was communicating with www dot cikcik dot com. Previously unknown as hostile.
More updates will be posted to the wiki, and we'll get a name on this thing shortly.
Matt
Last Updated ( Thursday, 10 April 2008 )
Wednesday, 09 April 2008
Some great intelligence shared. Seems that the Bobax spam has some very unique and sig'able message-id fields.
If you block on these you ought to reduce the load on your spam filtering systems significantly. Load ought to be manageable even though it's pcre.
In the first one Bobax has a consistently long and setup message-id. It also uses a lower case d in Id, where the norm is all upper.
Here we have a predictable string in the message-id, and the same lowercase d. The trailing info is usually caps.
These will change over time of course, but they'll be good for a while. Please let me know how these fare! Be sure to pull sigs from the repository and not here, changes may not be reflected here in the future.
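To show why header-name case matters for this kind of match, here is an added example (not the Emerging Threats signatures, which are not on this page and should be pulled from the repository): a raw, case-preserving header scanner run over constructed sample messages. The two regexes and the "fixedtoken" string are stand-ins I made up to mirror the two traits described above, and the sample messages are constructed, not captures.

```python
import re
from typing import List, Optional

# Constructed stand-in patterns (assumption): they mirror the traits described
# above but are NOT the real signatures, which live in the rules repository.
# Trait 1: header name spelled "Message-Id" (lowercase d) with a long value.
LONG_MIXED_CASE_ID = re.compile(r"^Message-Id:\s*<[A-Za-z0-9._$-]{40,}@[^>]+>\s*$")
# Trait 2: same lowercase d, a fixed leading token, then an all-caps trailer.
FIXED_TOKEN = "fixedtoken"  # placeholder, not the real predictable string
PREDICTABLE_ID = re.compile(
    r"^Message-Id:\s*<" + re.escape(FIXED_TOKEN) + r"-[A-Z0-9]{8,}@[^>]+>\s*$"
)


def raw_headers(message: bytes) -> List[str]:
    """Return the header block as unfolded lines with header-name case preserved.

    A normalising mail parser would hide the "Id" vs "ID" difference, so the
    check works on the raw bytes the way a pcre rule on the wire would.
    """
    head = message.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines: List[str] = []
    for line in head.split("\r\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()  # unfold RFC 5322 continuation line
        else:
            lines.append(line)
    return lines


def bobax_message_id_hit(message: bytes) -> Optional[str]:
    """Name the heuristic that fires on this message, or None if neither does."""
    for line in raw_headers(message):
        if LONG_MIXED_CASE_ID.match(line):
            return "long-mixed-case-id"
        if PREDICTABLE_ID.match(line):
            return "predictable-id"
    return None


# Constructed sample messages (not real spam captures).
SPAM_1 = (b"From: a@example.net\r\nMessage-Id: <" + b"x" * 48
          + b"@example.net>\r\nSubject: hi\r\n\r\nbody")
SPAM_2 = (b"Message-Id: <" + FIXED_TOKEN.encode() + b"-ABCDEFGH12@example.org>"
          b"\r\nSubject: hi\r\n\r\nbody")
# Same long value but the usual upper-case "Message-ID" name: must not match.
LEGIT = (b"Message-ID: <" + b"x" * 48 + b"@example.net>\r\nSubject: hi\r\n\r\nbody")

if __name__ == "__main__":
    for name, msg in (("SPAM_1", SPAM_1), ("SPAM_2", SPAM_2), ("LEGIT", LEGIT)):
        print(name, "->", bobax_message_id_hit(msg))
```

The length threshold and token are tunable; the point is that the header *name* is compared case-sensitively, so the lowercase d alone separates the sample from the legitimate message with an identical value.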