[Emerging-Sigs] Srizbi
Matt Jonkman
jonkman at jonkmans.com
Mon May 5 13:28:51 EDT 2008
Seeing how Srizbi has overtaken Storm as most widespread I thought we
should have some sigs for the common Srizbi loader URLs as we've been
doing for Storm. There's been a lot of good feedback on those.
Definitely helps tip an admin off to a possible infection, or stop one
if you're blocking.
The latest spams for Srizbi advertise URLs ending in /My_foto.exe,
which ought to be relatively unique. Will just run this till they move to
the next big thing.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe)"; flow:established,to_server; uricontent:"/My_foto.exe"; nocase; classtype:trojan-activity; sid:2008188; rev:1;)
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
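To show what the rule above actually fires on, here is an added example (not part of the original post and not Emerging Threats' own code) that applies the same matching logic to a handful of constructed HTTP request records: outbound from $HOME_NET to an $HTTP_PORTS port, with the normalized request URI checked case-insensitively for "/My_foto.exe". The $HOME_NET range, the port set and every sample request are assumptions made up for the illustration; the one thing a single request line cannot model is the "established" flow check, which needs TCP session state.

```python
"""Apply the ET Srizbi My_foto.exe uricontent rule to sample HTTP requests.

Added example, not the rule author's code. It mimics the parts of the
Snort rule that can be evaluated per request: direction ($HOME_NET ->
$EXTERNAL_NET $HTTP_PORTS) and a case-insensitive uricontent match on the
%xx-decoded URI, which is what http_inspect's normalized URI buffer gives
the rule. flow:established cannot be judged from one request line.
"""
import ipaddress
from urllib.parse import unquote

# Assumed values for $HOME_NET and $HTTP_PORTS (constructed, not from the post).
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]
HTTP_PORTS = {80, 8080}

# The rule's options as a small dict (sid/msg copied from the posted rule).
RULE = {
    "msg": "ET CURRENT_EVENTS Possible Srizbi Trojan EXE Request (My_foto.exe)",
    "uricontent": "/My_foto.exe",
    "nocase": True,
    "sid": 2008188,
}


def in_home_net(ip):
    """True if the address falls inside one of the $HOME_NET ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def normalize_uri(uri):
    """Decode %xx escapes the way the HTTP preprocessor does before uricontent runs.

    A spammer could send /My%5Ffoto.exe; the decoded form still contains
    /My_foto.exe, so the rule keeps matching.
    """
    return unquote(uri)


def matches(rule, src, dst, dport, request_line):
    """True if one request (src -> dst:dport, given its request line) trips the rule."""
    # Direction: $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS, to_server.
    if not in_home_net(src) or in_home_net(dst) or dport not in HTTP_PORTS:
        return False
    parts = request_line.split()
    if len(parts) < 2:
        return False                      # not a parseable request line
    uri = normalize_uri(parts[1])
    needle = rule["uricontent"]
    if rule["nocase"]:
        return needle.lower() in uri.lower()
    return needle in uri


# Constructed sample traffic: (src, dst, dst port, request line). No real hosts.
SAMPLE_REQUESTS = [
    ("192.168.1.15", "203.0.113.7", 80, "GET /My_foto.exe HTTP/1.1"),
    ("192.168.1.15", "203.0.113.7", 80, "GET /images/my_FOTO.EXE HTTP/1.1"),   # nocase
    ("192.168.1.22", "203.0.113.9", 8080, "GET /My%5Ffoto.exe?id=1 HTTP/1.0"),  # %xx encoded
    ("192.168.1.22", "203.0.113.9", 80, "GET /My_foto.jpg HTTP/1.1"),           # different file
    ("203.0.113.7", "192.168.1.15", 80, "GET /My_foto.exe HTTP/1.1"),           # inbound: wrong direction
    ("192.168.1.30", "198.51.100.4", 443, "GET /My_foto.exe HTTP/1.1"),         # port not in $HTTP_PORTS
]


def scan(requests, rule=RULE):
    """Return the (src, dst, request line) tuples that should raise the alert."""
    return [(src, dst, line)
            for src, dst, dport, line in requests
            if matches(rule, src, dst, dport, line)]


if __name__ == "__main__":
    for src, dst, line in scan(SAMPLE_REQUESTS):
        print(f"[sid {RULE['sid']}] {RULE['msg']}: {src} -> {dst} {line}")
```

The first three sample requests alert and the last three do not; the encoded and mixed-case variants are the cases worth keeping in mind, since the nocase and URI normalization are what keep a trivially mangled filename from slipping past the signature.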