[Emerging-Sigs] anything yet for av2009?

Matt Jonkman jonkman at jonkmans.com
Wed Jan 7 16:47:34 EST 2009


Yes, in fact. We have about 6 versions of that in the sandnet. The
following sigs hit on the one I looked at:

2406173 ET RBN Known Russian Business Network Monitored Domains (174)
TCP 89.149.226.24:80

2008152 ET TROJAN Pakes/Cutwall/Kobcka Checkin URL TCP 89.149.226.24:80

2007854 ET MALWARE Suspicious User Agent - Possible Spyware Related
(Mozilla) TCP 89.149.226.24:80


It hits a URL of:
GET http://antivirus-database.com/firstrun.php?product=AV9&aff=&update=0207/av2009&time=10:50:22%20PM

With the UA "Mozilla"

Should stick out like a sore thumb.

You have one that isn't getting detected?

Matt


Michael Scheidell wrote:
> comes in via web, uses java, installs itself?
> 
> http://www.google.com/search?q=av2009
> 
> -- 
> Michael Scheidell, CTO
> Phone: 561-999-5000, x 1259
> SECNAP Network Security Corporation
> 
>     * Certified SNORT Integrator
>     * King of Spam Filters, SC Magazine 2008
>     * Information Security Award 2008, Info Security Products Guide
>     * CRN Magazine Top 40 Emerging Security Vendors
> 
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
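An added example, not code from the post or from Emerging Threats, that re-implements in Python the two things Matt says make this traffic stand out: the bare "Mozilla" User-Agent and the firstrun.php check-in URL carrying product= and update= parameters. It parses raw HTTP request heads rather than reproducing the ET rule text. The sample requests are constructed (the first mirrors the quoted URL and UA; the Host header is assumed), and the heuristic names are mine.

```python
"""Toy detector for the AV2009 check-in traffic described in the post.

Added illustration: two heuristics (bare "Mozilla" UA, firstrun.php check-in
URL) applied to raw HTTP request heads. Not the Emerging Threats rules.
"""
from __future__ import annotations

from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic, not captures. The first request mirrors the URL
# and User-Agent quoted in the post; the Host header is an assumption.
SAMPLE_REQUESTS = [
    (
        "GET /firstrun.php?product=AV9&aff=&update=0207/av2009&time=10:50:22%20PM HTTP/1.1\r\n"
        "Host: antivirus-database.com\r\n"
        "User-Agent: Mozilla\r\n"
        "\r\n"
    ),
    (
        "GET /index.html HTTP/1.1\r\n"
        "Host: www.example.com\r\n"
        "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.5\r\n"
        "\r\n"
    ),
    (
        "GET /update.php?product=AV9&update=1 HTTP/1.1\r\n"
        "Host: antivirus-database.com\r\n"
        "User-Agent: Mozilla\r\n"
        "\r\n"
    ),
]


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, headers).

    Only the head is parsed; any body after the blank line is ignored.
    Header names are lower-cased so lookups are case-insensitive.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def suspicious_user_agent(ua: str) -> bool:
    """A bare 'Mozilla' token, nothing else.

    Real browsers send 'Mozilla/5.0 (platform ...)' with version and platform
    details; the literal alone is what the post's UA observation keys on.
    """
    return ua.strip() == "Mozilla"


def fake_av_checkin(target: str) -> bool:
    """firstrun.php with both product= and update= query parameters,
    matching the shape of the check-in URL quoted in the post."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/firstrun.php"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    return "product" in qs and "update" in qs


def scan(raw: str) -> list[str]:
    """Return the names of the heuristics a single request trips."""
    method, target, headers = parse_request(raw)
    reasons: list[str] = []
    if method == "GET" and fake_av_checkin(target):
        reasons.append("fake-av-firstrun-checkin")
    if suspicious_user_agent(headers.get("user-agent", "")):
        reasons.append("bare-mozilla-user-agent")
    return reasons


def scan_all(requests: list[str]) -> list[tuple[str, list[str]]]:
    """Run scan() over many requests, keyed by Host header for reporting."""
    return [(parse_request(r)[2].get("host", "?"), scan(r)) for r in requests]


if __name__ == "__main__":
    for host, reasons in scan_all(SAMPLE_REQUESTS):
        print(host, reasons or "clean")
```

The UA check is deliberately an exact match: loosening it to a substring would fire on every real browser, which is the false-positive trap any "suspicious User-Agent" rule has to avoid. The third sample shows the two heuristics are independent; a bare "Mozilla" UA on a different URL still fires, the URL check alone does not.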
