[Emerging-Sigs] Microsoft GDI Exploit Symantec Sigs
Matt Jonkman
jonkman at jonkmans.com
Wed Apr 16 13:52:48 EDT 2008
Good idea. I'll drop these into current events until those domains are
gone. Thanks Joshua!
Matt
Joshua Gimer wrote:
> Symantec says that they are seeing active exploitation of the recent
> Microsoft GDI vulnerabilities. Here are some rules to monitor for access
> to known exploit domains:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Phishing GDI Exploits MS08-021 igloofamily.com"; flow:established,to_server; uricontent:"igloofamily.com"; nocase; classtype:misc-attack; reference:url,http://isc.sans.org/diary.html?storyid=4274; sid:1000643; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Phishing GDI Exploits MS08-021 amrc.com.tw"; flow:established,to_server; uricontent:"amrc.com.tw"; nocase; classtype:misc-attack; reference:url,http://isc.sans.org/diary.html?storyid=4274; sid:1000644; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Phishing GDI Exploits MS08-021 ad.goog1e.googlepages.com"; flow:established,to_server; uricontent:"ad.goog1e.googlepages.com"; nocase; classtype:misc-attack; reference:url,http://isc.sans.org/diary.html?storyid=4274; sid:1000645; rev:1;)
>
> I have not looked into the exploit specifics yet, but if I get more time
> today I will send out some others that are a little more specific.
> (Maybe others have more time and would like to contribute?)
>
> --
> Thx
> Joshua Gimer
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
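Added example, not code from the original post or from the Emerging Threats ruleset: a short Python check over three constructed HTTP requests showing what the posted uricontent rules actually inspect. Snort's uricontent matches the normalized request URI, which carries the domain name only in absolute-form requests (the form a browser sends through an explicit proxy). In an ordinary origin-form request the domain appears only in the Host header, so a Host-based match is needed to catch it. The domain list is the one from the rules; the requests and the helper names are made up for the example.

```python
# Domains from the posted rules; each rule carries one domain.
WATCHED_DOMAINS = ("igloofamily.com", "amrc.com.tw", "ad.goog1e.googlepages.com")

# Constructed sample requests (not captured traffic). The first is absolute-form,
# as a browser sends through an explicit proxy; the second is the origin-form a
# browser sends directly, so the domain appears only in the Host header; the
# third is unrelated traffic that must not fire.
SAMPLE_REQUESTS = [
    b"GET http://igloofamily.com/pic.emf HTTP/1.1\r\nHost: igloofamily.com\r\n\r\n",
    b"GET /pic.emf HTTP/1.1\r\nHost: igloofamily.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
]


def parse_request(raw):
    """Split a raw HTTP request into (uri, headers); headers keyed by lowercase
    name. Returns None for anything that is not a request line plus headers."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[1], headers


def uri_hits(raw, domains=WATCHED_DOMAINS):
    """What uricontent:"<domain>"; nocase; sees: a case-insensitive substring
    match against the request URI only, never the Host header."""
    parsed = parse_request(raw)
    if parsed is None:
        return []
    uri = parsed[0].lower()
    return [d for d in domains if d.lower() in uri]


def host_hits(raw, domains=WATCHED_DOMAINS):
    """Match the Host header instead: the exact domain or a subdomain of it,
    with any :port suffix stripped before comparing."""
    parsed = parse_request(raw)
    if parsed is None:
        return []
    host = parsed[1].get("host", "").lower().split(":")[0]
    return [d for d in domains if host == d.lower() or host.endswith("." + d.lower())]


def compare(requests=SAMPLE_REQUESTS, domains=WATCHED_DOMAINS):
    """Per request: (uri_hits, host_hits), to show which approach fires."""
    return [(uri_hits(r, domains), host_hits(r, domains)) for r in requests]


if __name__ == "__main__":
    for raw, (u, h) in zip(SAMPLE_REQUESTS, compare()):
        print(raw.split(b"\r\n")[0].decode(), "uri:", u, "host:", h)
```

Only the proxied request lights up the URI check; the direct browser request is caught by the Host check alone. In Snort terms the Host check corresponds to matching the header buffer rather than the URI buffer, for example content:"igloofamily.com"; nocase; http_header; on builds that support the http_header modifier (this alternative is an assumption for illustration, not part of the posted rules).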