Allaplw Trojan Sig: msg#00105 security.ids.snort.bleedingsnort
In sandboxing one, a couple of us have noticed that the ICMP from this thing's sweeps has a unique payload. This is posted, please let me know if this ends up hitting on other types of ICMP.

alert icmp $HOME_NET any -> any any (msg:"BLEEDING-EDGE WORM Allaple ICMP Sweep"; content:"Babcdefghijklmnopqrstuvwabcdefghi"; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32allapleb.html; sid:2003292; rev:1;)

Matt

--
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------
PGP: http://www.bleedingthreats.com/mattjonkman.asc
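
Added example (not part of the original post or the Bleeding Edge rule set): a Python check of the rule's `content` match against constructed ICMP messages, for the false-positive question raised in the post. It assumes the match is a plain substring search over the data after the 8-byte ICMP header; the sample payloads and function names are constructed for illustration.

```python
import struct

# Content string copied from the rule in the post (sid 2003292).
RULE_CONTENT = b"Babcdefghijklmnopqrstuvwabcdefghi"

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over an ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_icmp(icmp_type: int, payload: bytes, ident: int = 1, seq: int = 1) -> bytes:
    """Build an ICMP echo-style message (type 8 request, type 0 reply)."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def rule_matches(icmp_message: bytes) -> bool:
    """Model the rule: any ICMP type, content anywhere in the payload."""
    if len(icmp_message) < 8:
        return False  # truncated header, nothing to inspect
    return RULE_CONTENT in icmp_message[8:]

# Constructed sample messages (not captured traffic).
SAMPLES = {
    # The 32-byte payload the Windows ping utility sends by default.
    "windows_default_ping": build_icmp(8, b"abcdefghijklmnopqrstuvwabcdefghi"),
    "binary_counter_ping": build_icmp(8, bytes(8) + bytes(range(0x10, 0x38))),
    "rule_content_request": build_icmp(8, RULE_CONTENT),
    "rule_content_reply": build_icmp(0, RULE_CONTENT),  # rule sets no itype
    "truncated": b"\x08\x00\x00",
}

def evaluate() -> dict:
    """Return {sample name: True if the rule's content would match}."""
    return {name: rule_matches(msg) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:24s} {'ALERT' if hit else 'no match'}")
```

The default Windows ping payload lacks the leading `B` and does not match, while an echo reply carrying the same content does, because the rule as posted has no `itype` option.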