[Emerging-Sigs] Microsoft GDI Exploit Symantec Sigs

Joshua Gimer jgimer at gmail.com
Wed Apr 16 13:31:52 EDT 2008


Symantec says that they are seeing active exploitation of the recent
Microsoft GDI vulnerabilities. Here are some rules to monitor for access to
known exploit domains:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Phishing GDI Exploits MS08-021 igloofamily.com"; flow:established,to_server; uricontent:"igloofamily.com"; nocase; classtype:misc-attack; reference:url,http://isc.sans.org/diary.html?storyid=4274; sid:1000643; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Phishing GDI Exploits MS08-021 amrc.com.tw"; flow:established,to_server; uricontent:"amrc.com.tw"; nocase; classtype:misc-attack; reference:url,http://isc.sans.org/diary.html?storyid=4274; sid:1000644; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Phishing GDI Exploits MS08-021 ad.goog1e.googlepages.com"; flow:established,to_server; uricontent:"ad.goog1e.googlepages.com"; nocase; classtype:misc-attack; reference:url,http://isc.sans.org/diary.html?storyid=4274; sid:1000645; rev:1;)

I have not looked into the exploit specifics yet, but if I get more time
today I will send out some others that are a little more specific. (Maybe
others have more time and would like to contribute?)

-- 
Thx
Joshua Gimer
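An added example, not part of the original post, showing how the three domain watchlist rules above behave against HTTP requests. Snort's uricontent inspects the request URI, so a direct request ("GET /index.html" with the domain only in the Host header) is not matched, while a proxy-style request with an absolute URI is. The code below approximates that matching in plain Python (it is not Snort's engine) and compares it with a Host-header check; the HTTP requests are constructed samples, and the domain list is taken from the rules in the post.

```python
"""Compare uricontent-style URI matching with Host-header matching for the
three domains from the MS08-021 rules above. Added example; the requests are
constructed samples and the matching only approximates Snort's uricontent."""

# Domains taken from the three rules in the post.
WATCHLIST = ("igloofamily.com", "amrc.com.tw", "ad.goog1e.googlepages.com")


def parse_request(raw: bytes):
    """Return (uri, host) from a raw HTTP/1.x request head.

    host is '' when no Host header is present.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    uri = parts[1] if len(parts) >= 2 else ""
    host = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip().lower()
            break
    return uri, host


def uri_match(uri: str, domain: str) -> bool:
    """Mimic uricontent:"domain"; nocase; -> case-insensitive substring of the URI."""
    return domain.lower() in uri.lower()


def host_match(host: str, domain: str) -> bool:
    """Exact or subdomain match on the Host header, ignoring any :port suffix."""
    h = host.split(":")[0]
    return h == domain or h.endswith("." + domain)


def evaluate(raw: bytes):
    """Map each watchlist domain to (uri_hit, host_hit) for one request."""
    uri, host = parse_request(raw)
    return {d: (uri_match(uri, d), host_match(host, d)) for d in WATCHLIST}


# Constructed sample requests (not captured traffic).
DIRECT = b"GET /index.html HTTP/1.1\r\nHost: igloofamily.com\r\n\r\n"
PROXY = (b"GET http://igloofamily.com/index.html HTTP/1.1\r\n"
         b"Host: igloofamily.com\r\n\r\n")
BENIGN = b"GET /search?q=gdi HTTP/1.1\r\nHost: example.net\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("direct", DIRECT), ("proxy", PROXY), ("benign", BENIGN)):
        hits = evaluate(req)
        print(label, {d: hits[d] for d in WATCHLIST if any(hits[d])})
```

The direct request is the common case for a victim browsing to one of these domains, and only the Host-header check fires on it; the proxy-style request is matched by both. A practitioner deploying the rules above in a network where clients do not send absolute URIs would want a companion check on the Host header.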