[Emerging-Sigs] Gozi/Ordergun/Orderjack sig mod + new

Darren Spruell phatbuckett at gmail.com
Fri Jan 30 17:50:34 EST 2009


Sample:

http://www.offensivecomputing.net/?q=ocsearch&ocq=e7cf9c20f640cf72848281eb90595152

DS

On Fri, Jan 30, 2009 at 3:26 PM, Darren Spruell <phatbuckett at gmail.com> wrote:
> I dug back a bit and found where I got the certs.cgi reference from; a
> new variant (controller: 91.211.65.30) that completely switches around
> some of these CGI names:
>
> --snip--
> Jan 26, 2009 12:37:38.563007000 91.211.65.30    POST /cgi-bin/store.cgi
> Jan 26, 2009 12:37:39.077015000 91.211.65.30    POST /cgi-bin/certs.cgi
> Jan 26, 2009 12:37:39.579690000 91.211.65.30    GET /cgi-bin/data.cgi?...
> Jan 26, 2009 12:37:39.581378000 91.211.65.30    GET /cgi-bin/command.cgi?...
> --snip--
>
> This is distributed as VideoPlayer_10.exe
> (e7cf9c20f640cf72848281eb90595152) in German spam runs. Let me know
> off list if anyone wants a sample.
>
> DS
>
>
> On Fri, Jan 30, 2009 at 1:25 PM, dxp <dxp2532 at gmail.com> wrote:
>> Just to summarize what URIs are available to sig, all POSTs:
>>     /forms.cgi
>>     /pstore.cgi
>>     /cert.cgi
>>     /ss.cgi
>>
>> For GETs it's:
>>     /cmd.cgi
>>     /options.cgi
>>     /file.cgi
>>
>> Not sure about "/file.cgi" but "/cmd.cgi" and "/options.cgi" take parameters
>> which are detected by (at least last time I checked couple of months ago):
>> "ET TROJAN Gozi/Orderjack Reporting User Activity" 2002854
>>
>> I think anchoring with "Content-Disposition" header w/o the "filename="
>> value and "Content-Type" header are good choices in this case.
>>
>> -
>>
>> -=[ dxp ]=-
>> 0xA3F3C6E3
>>
>>
>>
>> On Thu, 2009-01-29 at 16:38 -0700, Darren Spruell wrote:
>>
>> Don't forget ss.cgi (my post 1/28) and looks like there's also a file.cgi
>> too:
>>
>> http://ddanchev.blogspot.com/2008/01/random-js-malware-exploitation-kit.html
>>
>> In addition to cert.cgi I've also picked up from somewhere that
>> certs.cgi has also been used (trying to find reference.)
>>
>> I expect there to be more FPs out there; seen particularly forms.cgi used
>> e.g.:
>>
>> # yeah, it's a GET so no FP on the rule looking for POST but including
>> to illustrate
>> POST http://www.cowgirlartist.com/cgi-bin/forms.cgi
>> GET http://www.wirespring.com/cgi-bin/forms.cgi?form=3&headline=...
>> GET http://www.greenmountainenergy.com/cgi-bin/forms.cgi?form=6
>> GET http://www.sullarete.com/cgi-bin/forms.cgi?form=10
>> POST http://www.courtinfo.ca.gov/cgi-bin/forms.cgi
>> GET http://www.nwsc.org/cgi-bin/forms.cgi?form=1
>>
>> ...and cmd.cgi, options.cgi, file.cgi...:
>>
>> GET  http://www.onlinefutureinc.com/cgi-bin/cmd.cgi?af=415398&u...
>> GET  http://iquote1.neoyen.net.tw/cgi-bin/file.cgi?ARG=otcname.dat
>> GET  http://www.scienceofbeingwell.net/cgi-bin/cmd.cgi?Imp=1006352
>> GET  http://sescompanies.net/cgi-bin/options.cgi?id=US00...
>>
>> Further anchoring with the 'Content-Type: multipart...' header might
>> be worth including still, or there's an opportunity to match on "URL:
>> " for pstore.cgi and forms.cgi and the Content-Disposition and
>> Content-Type values if helpful:
>>
>> ~~~~~~~~~~
>> POST /cgi-bin/forms.cgi HTTP/1.1
>> Content-Type: multipart/form-data;
>> boundary=--------------------------01400b2f08b7
>> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
>> Host: 77.222.142.56
>> Content-Length: 358
>> Connection: Keep-Alive
>> Cache-Control: no-cache
>>
>> ----------------------------01400b2f08b7
>> Content-Disposition: form-data; name="upload_file";
>> filename="3337220749.0002"
>> Content-Type: application/octet-stream
>>
>> URL: https://example.org
>> foo=bar
>>
>> ----------------------------01400b2f08b7--
>> ~~~~~~~~~~
>>
>> DS
>>
>>
>> On Thu, Jan 29, 2009 at 1:13 PM, dxp <dxp2532 at gmail.com> wrote:
>>> Good point on the PCRE.  It's worth breaking this one down into three
>>> rules
>>> instead:
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Data Information Leakage (Forms)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/forms.cgi "; classtype:trojan-activity; sid:XXXXXX; rev:1;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Data Information Leakage (PStore)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/pstore.cgi "; classtype:trojan-activity; sid:XXXXXX; rev:1;)
>>>
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Data Information Leakage (Cert)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/cert.cgi "; classtype:trojan-activity; sid:XXXXXX; rev:1;)
>>>
>>> -
>>>
>>> -=[ dxp ]=-
>>> 0xA3F3C6E3
>>>
>>>
>>>
>>> On Thu, 2009-01-29 at 13:23 -0500, Matt Jonkman wrote:
>>>
>>> We can't go pcre on this, it'd be just too high a load. Have to stay
>>> with the 3 separate sigs for the main ruleset. But this would be useful
>>> on boxes without load issues.
>>>
>>> Matt
>>>
>>> dxp wrote:
>>>> I just double checked on one sample I have of this trojan from October
>>>> 2008 and the UAS is embedded in the binary.  However, this may change in
>>>> the future and then POSTs will be missed.
>>>>
>>>> I have the following sig applied on my production environment for
>>>> several months now and without False Positives:
>>>>
>>>>     alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>>>>     Gozi Form Data Information Leakage"; flow:established,to_server;
>>>>     content:"POST "; depth:5;
>>>>     pcre:"/\/(forms|pstore|cert)\.cgi\sHTTP\/1\.[01]\x0d\x0a/i";
>>>>     classtype:trojan-activity; sid:XXXXXX; rev:1;)
>>>>
>>>>
>>>> -
>>>>
>>>> -=[ dxp ]=-
>>>> 0xA3F3C6E3
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, 2009-01-28 at 01:50 -0700, Darren Spruell wrote:
>>>>> Picked up a Gozi infected host chatting with controller and noticed a
>>>>> few of the rules could do with an overhaul and a couple more could be
>>>>> added in for POST operations not detected. The base rules were
>>>>> 2003509/2003510/2003511 but I thought there were a couple of issues:
>>>>>
>>>>> - the rules have a content match where a trailing '?' is specified but
>>>>> are then followed by a pcre where it is missing. The communication
>>>>> I've got has no trailing question mark on the POSTs.
>>>>> - the rules seem needlessly heavy on pcre. I substituted content
>>>>> matches instead.
>>>>>
>>>>> # update to 2003511
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Form Data Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/forms.cgi"; depth:23; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:2003511; rev:3;)
>>>>> # new rule for POSTs of private store data
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Private Store Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/pstore.cgi"; depth:24; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:XXXXXXX; rev:1;)
>>>>> # new rule for POSTs of screenshot (JPEG) data
>>>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi Screen Capture Information Leakage"; flow:to_server,established; content:"POST /cgi-bin/ss.cgi"; depth:20; content:"|0d 0a|Content-Type: multipart/form-data\; boundary="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; content:"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/gozi; sid:XXXXXXX; rev:1;)
>>>>>
>>>>>
>>>>> There's room for improvement with tightening these down if needed by
>>>>> anchoring the content matches or adding additional payload. Obfuscated
>>>>> requests included below.
>>>>>
>>>>>
>>>>> --- snip forms.cgi ---
>>>>>   0x0000:  4500 02a1 1c37 4000 7a06 d19f 83c9 b0a0  E....7@.z.......
>>>>>   0x0010:  4dde 8e38 04f3 0050 a837 99c8 e53f 91bf  M..8...P.7...?..
>>>>>   0x0020:  5018 fc00 21df 0000 504f 5354 202f 6367  P...!...POST./cg
>>>>>   0x0030:  692d 6269 6e2f 666f 726d 732e 6367 6920  i-bin/forms.cgi.
>>>>>   0x0040:  4854 5450 2f31 2e31 0d0a 436f 6e74 656e  HTTP/1.1..Conten
>>>>>   0x0050:  742d 5479 7065 3a20 6d75 6c74 6970 6172  t-Type:.multipar
>>>>>   0x0060:  742f 666f 726d 2d64 6174 613b 2062 6f75  t/form-data;.bou
>>>>>   0x0070:  6e64 6172 793d 2d2d 2d2d 2d2d 2d2d 2d2d  ndary=----------
>>>>>   0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>>>   0x0090:  3031 3430 3062 3266 3038 6237 0d0a 5573  01400b2f08b7..Us
>>>>>   0x00a0:  6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c  er-Agent:.Mozill
>>>>>   0x00b0:  612f 342e 3020 2863 6f6d 7061 7469 626c  a/4.0.(compatibl
>>>>>   0x00c0:  653b 204d 5349 4520 362e 303b 2057 696e  e;.MSIE.6.0;.Win
>>>>>   0x00d0:  646f 7773 204e 5420 352e 3129 0d0a 486f  dows.NT.5.1)..Ho
>>>>>   0x00e0:  7374 3a20 3737 2e32 3232 2e31 3432 2e35  st:.77.222.142.5
>>>>>   0x00f0:  360d 0a43 6f6e 7465 6e74 2d4c 656e 6774  6..Content-Lengt
>>>>>   0x0100:  683a 2033 3538 0d0a 436f 6e6e 6563 7469  h:.358..Connecti
>>>>>   0x0110:  6f6e 3a20 4b65 6570 2d41 6c69 7665 0d0a  on:.Keep-Alive..
>>>>>   0x0120:  4361 6368 652d 436f 6e74 726f 6c3a 206e  Cache-Control:.n
>>>>>   0x0130:  6f2d 6361 6368 650d 0a0d 0a2d 2d2d 2d2d  o-cache....-----
>>>>>   0x0140:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>>>   0x0150:  2d2d 2d2d 2d2d 2d30 3134 3030 6232 6630  -------01400b2f0
>>>>>   0x0160:  3862 370d 0a43 6f6e 7465 6e74 2d44 6973  8b7..Content-Dis
>>>>>   0x0170:  706f 7369 7469 6f6e 3a20 666f 726d 2d64  position:.form-d
>>>>>   0x0180:  6174 613b 206e 616d 653d 2275 706c 6f61  ata;.name="uploa
>>>>>   0x0190:  645f 6669 6c65 223b 2066 696c 656e 616d  d_file";.filenam
>>>>>   0x01a0:  653d 2233 3333 3732 3230 3734 392e 3030  e="3337220749.00
>>>>>   0x01b0:  3032 220d 0a43 6f6e 7465 6e74 2d54 7970  02"..Content-Typ
>>>>>   0x01c0:  653a 2061 7070 6c69 6361 7469 6f6e 2f6f  e:.application/o
>>>>>   0x01d0:  6374 6574 2d73 7472 6561 6d0d 0a0d 0a55  ctet-stream....U
>>>>>   0x01e0:  524c 3a20 6874 7470 733a 2f2f xxxx xxxx  RL:.https://xxxx
>>>>>   0x01f0:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>>>   0x0200:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>>>   0x0210:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>>>   0x0220:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>>>   0x0230:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>>>   0x0240:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>>>   0x0250:  xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx  xxxxxxxxxxxxxxxx
>>>>>   0x0260:  6564 6972 6563 742e 6e73 6625 3346 4f70  edirect.nsf%3FOp
>>>>>   0x0270:  656e 0a0d 0a2d 2d2d 2d2d 2d2d 2d2d 2d2d  en...-----------
>>>>>   0x0280:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>>>   0x0290:  2d30 3134 3030 6232 6630 3862 372d 2d0d  -01400b2f08b7--.
>>>>>   0x02a0:  0a
>>>>> --- snip ---
>>>>>
>>>>>
>>>>> --- snip pstore.cgi ---
>>>>>   0x0000:  4500 013d 01c6 4000 7a06 ed74 83c9 b0a0  E..=..@.z..t....
>>>>>   0x0010:  4dde 8e38 043b 0050 9534 9b64 59fd a004  M..8.;.P.4.dY...
>>>>>   0x0020:  5018 fc00 c3af 0000 504f 5354 202f 6367  P.......POST./cg
>>>>>   0x0030:  692d 6269 6e2f 7073 746f 7265 2e63 6769  i-bin/pstore.cgi
>>>>>   0x0040:  2048 5454 502f 312e 310d 0a43 6f6e 7465  .HTTP/1.1..Conte
>>>>>   0x0050:  6e74 2d54 7970 653a 206d 756c 7469 7061  nt-Type:.multipa
>>>>>   0x0060:  7274 2f66 6f72 6d2d 6461 7461 3b20 626f  rt/form-data;.bo
>>>>>   0x0070:  756e 6461 7279 3d2d 2d2d 2d2d 2d2d 2d2d  undary=---------
>>>>>   0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>>>   0x0090:  2d31 6535 3830 6534 3930 3537 350d 0a55  -1e580e490575..U
>>>>>   0x00a0:  7365 722d 4167 656e 743a 204d 6f7a 696c  ser-Agent:.Mozil
>>>>>   0x00b0:  6c61 2f34 2e30 2028 636f 6d70 6174 6962  la/4.0.(compatib
>>>>>   0x00c0:  6c65 3b20 4d53 4945 2036 2e30 3b20 5769  le;.MSIE.6.0;.Wi
>>>>>   0x00d0:  6e64 6f77 7320 4e54 2035 2e31 290d 0a48  ndows.NT.5.1)..H
>>>>>   0x00e0:  6f73 743a 2037 372e 3232 322e 3134 322e  ost:.77.222.142.
>>>>>   0x00f0:  3536 0d0a 436f 6e74 656e 742d 4c65 6e67  56..Content-Leng
>>>>>   0x0100:  7468 3a20 3136 3630 0d0a 436f 6e6e 6563  th:.1660..Connec
>>>>>   0x0110:  7469 6f6e 3a20 4b65 6570 2d41 6c69 7665  tion:.Keep-Alive
>>>>>   0x0120:  0d0a 4361 6368 652d 436f 6e74 726f 6c3a  ..Cache-Control:
>>>>>   0x0130:  206e 6f2d 6361 6368 650d 0a0d 0a         .no-cache....
>>>>>
>>>>>   0x0000:  4500 05dc 01c7 4000 7a06 e8d4 83c9 b0a0  E.....@.z.......
>>>>>   0x0010:  4dde 8e38 043b 0050 9534 9c79 59fd a004  M..8.;.P.4.yY...
>>>>>   0x0020:  5010 fc00 176e 0000 2d2d 2d2d 2d2d 2d2d  P....n..--------
>>>>>   0x0030:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>>>   0x0040:  2d2d 2d2d 3165 3538 3065 3439 3035 3735  ----1e580e490575
>>>>>   0x0050:  0d0a 436f 6e74 656e 742d 4469 7370 6f73  ..Content-Dispos
>>>>>   0x0060:  6974 696f 6e3a 2066 6f72 6d2d 6461 7461  ition:.form-data
>>>>>   0x0070:  3b20 6e61 6d65 3d22 7570 6c6f 6164 5f66  ;.name="upload_f
>>>>>   0x0080:  696c 6522 3b20 6669 6c65 6e61 6d65 3d22  ile";.filename="
>>>>>   0x0090:  3333 3337 3232 3037 3439 2e30 3030 3222  3337220749.0002"
>>>>>   0x00a0:  0d0a 436f 6e74 656e 742d 5479 7065 3a20  ..Content-Type:.
>>>>>   0x00b0:  6170 706c 6963 6174 696f 6e2f 6f63 7465  application/octe
>>>>>   0x00c0:  742d 7374 7265 616d 0d0a 0d0a 5552 4c3a  t-stream....URL:
>>>>>   0x00d0:  2068 7474 703a 2f2f xxxx xxxx xx2e 636f  .http://xxxxx.co
>>>>>   0x00e0:  6d2f 0a09 4c6f 6769 6e3a 20xx xxxx xxxx  m/..Login:.xxxxx
>>>>>   0x00f0:  xxxx xx40 xxxx xxxx xxxx xxxx xxxx 2e63  xxx@xxxxxxxxxx.c
>>>>>   0x0100:  6f6d 0a0a                                om..
>>>>> --- snip ---
>>>>>
>>>>>
>>>>>
>>>>> --- snip ss.cgi ---
>>>>>   0x0000:  4500 013a 7832 4000 7a06 770b 83c9 b0a0  E..:x2@.z.w.....
>>>>>   0x0010:  4dde 8e38 09b6 0050 3536 8438 b717 9b0b  M..8...P56.8....
>>>>>   0x0020:  5018 fc00 0e6d 0000 504f 5354 202f 6367  P....m..POST./cg
>>>>>   0x0030:  692d 6269 6e2f 7373 2e63 6769 2048 5454  i-bin/ss.cgi.HTT
>>>>>   0x0040:  502f 312e 310d 0a43 6f6e 7465 6e74 2d54  P/1.1..Content-T
>>>>>   0x0050:  7970 653a 206d 756c 7469 7061 7274 2f66  ype:.multipart/f
>>>>>   0x0060:  6f72 6d2d 6461 7461 3b20 626f 756e 6461  orm-data;.bounda
>>>>>   0x0070:  7279 3d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ry=-------------
>>>>>   0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d31 3634  -------------164
>>>>>   0x0090:  6530 3465 3230 3163 360d 0a55 7365 722d  e04e201c6..User-
>>>>>   0x00a0:  4167 656e 743a 204d 6f7a 696c 6c61 2f34  Agent:.Mozilla/4
>>>>>   0x00b0:  2e30 2028 636f 6d70 6174 6962 6c65 3b20  .0.(compatible;.
>>>>>   0x00c0:  4d53 4945 2036 2e30 3b20 5769 6e64 6f77  MSIE.6.0;.Window
>>>>>   0x00d0:  7320 4e54 2035 2e31 290d 0a48 6f73 743a  s.NT.5.1)..Host:
>>>>>   0x00e0:  2037 372e 3232 322e 3134 322e 3536 0d0a  .77.222.142.56..
>>>>>   0x00f0:  436f 6e74 656e 742d 4c65 6e67 7468 3a20  Content-Length:.
>>>>>   0x0100:  3835 3039 330d 0a43 6f6e 6e65 6374 696f  85093..Connectio
>>>>>   0x0110:  6e3a 204b 6565 702d 416c 6976 650d 0a43  n:.Keep-Alive..C
>>>>>   0x0120:  6163 6865 2d43 6f6e 7472 6f6c 3a20 6e6f  ache-Control:.no
>>>>>   0x0130:  2d63 6163 6865 0d0a 0d0a                 -cache....
>>>>>
>>>>>   0x0000:  4500 05dc 7833 4000 7a06 7268 83c9 b0a0  E...x3@.z.rh....
>>>>>   0x0010:  4dde 8e38 09b6 0050 3536 854a b717 9b0b  M..8...P56.J....
>>>>>   0x0020:  5010 fc00 9e4e 0000 2d2d 2d2d 2d2d 2d2d  P....N..--------
>>>>>   0x0030:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d  ----------------
>>>>>   0x0040:  2d2d 2d2d 3136 3465 3034 6532 3031 6336  ----164e04e201c6
>>>>>   0x0050:  0d0a 436f 6e74 656e 742d 4469 7370 6f73  ..Content-Dispos
>>>>>   0x0060:  6974 696f 6e3a 2066 6f72 6d2d 6461 7461  ition:.form-data
>>>>>   0x0070:  3b20 6e61 6d65 3d22 7570 6c6f 6164 5f66  ;.name="upload_f
>>>>>   0x0080:  696c 6522 3b20 6669 6c65 6e61 6d65 3d22  ile";.filename="
>>>>>   0x0090:  3333 3337 3232 3037 3439 2e30 3030 3222  3337220749.0002"
>>>>>   0x00a0:  0d0a 436f 6e74 656e 742d 5479 7065 3a20  ..Content-Type:.
>>>>>   0x00b0:  6170 706c 6963 6174 696f 6e2f 6f63 7465  application/octe
>>>>>   0x00c0:  742d 7374 7265 616d 0d0a 0d0a ffd8 ffe0  t-stream........
>>>>>   0x00d0:  0010 4a46 4946 0001 0101 0060 0060 0000  ..JFIF.....`.`..
>>>>> --- snip ---
>>>>>
>>>>
>>>> ------------------------------------------------------------------------
>>>>
>>>> _______________________________________________
>>>> Emerging-sigs mailing list
>>>> Emerging-sigs at emergingthreats.net
>>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>>
>>
>>
>>
>>
>
>
>
> --
> Darren Spruell
> phatbuckett at gmail.com
>



-- 
Darren Spruell
phatbuckett at gmail.com
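Added example (editor's code, not from the thread or from the Emerging Threats ruleset): the two detection tiers argued over above, run as plain Python over the thread's own traffic. It rebuilds the TCP payload from the ss.cgi header packet quoted in the tcpdump -X hexdump (IP/TCP headers stripped via the IHL and data-offset fields), then applies the URI-only match (dxp's pcre/uricontent rules) and the anchored match (the content-match rules with the multipart Content-Type, the hard-coded MSIE 6.0 User-Agent and the Host header, optionally the upload_file form part). The forms.cgi request buffer is copied from the sanitized excerpt in the thread; the two benign requests reuse hosts from the false-positive list but their headers (Firefox UA, urlencoded body) are constructed, and all function names are mine.

```python
"""Gozi/Orderjack C2 POST detection: URI-only vs. anchored matching.

Editor's example, not thread or Emerging Threats code. Constructed inputs are
labelled as such below.
"""
import re

# Copied from the thread's ss.cgi hexdump (IP + TCP headers included); ASCII column dropped.
SS_CGI_HEXDUMP = """\
0x0000:  4500 013a 7832 4000 7a06 770b 83c9 b0a0
0x0010:  4dde 8e38 09b6 0050 3536 8438 b717 9b0b
0x0020:  5018 fc00 0e6d 0000 504f 5354 202f 6367
0x0030:  692d 6269 6e2f 7373 2e63 6769 2048 5454
0x0040:  502f 312e 310d 0a43 6f6e 7465 6e74 2d54
0x0050:  7970 653a 206d 756c 7469 7061 7274 2f66
0x0060:  6f72 6d2d 6461 7461 3b20 626f 756e 6461
0x0070:  7279 3d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d2d
0x0080:  2d2d 2d2d 2d2d 2d2d 2d2d 2d2d 2d31 3634
0x0090:  6530 3465 3230 3163 360d 0a55 7365 722d
0x00a0:  4167 656e 743a 204d 6f7a 696c 6c61 2f34
0x00b0:  2e30 2028 636f 6d70 6174 6962 6c65 3b20
0x00c0:  4d53 4945 2036 2e30 3b20 5769 6e64 6f77
0x00d0:  7320 4e54 2035 2e31 290d 0a48 6f73 743a
0x00e0:  2037 372e 3232 322e 3134 322e 3536 0d0a
0x00f0:  436f 6e74 656e 742d 4c65 6e67 7468 3a20
0x0100:  3835 3039 330d 0a43 6f6e 6e65 6374 696f
0x0110:  6e3a 204b 6565 702d 416c 6976 650d 0a43
0x0120:  6163 6865 2d43 6f6e 7472 6f6c 3a20 6e6f
0x0130:  2d63 6163 6865 0d0a 0d0a
"""

GOZI_UA = b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
# Same shape as dxp's pcre, with ss.cgi added as Darren suggested.
REQ_LINE = re.compile(rb"^POST \S*/(forms|pstore|cert|ss)\.cgi HTTP/1\.[01]\r\n")
HEX_WORD = re.compile(r"[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?")


def hexdump_to_bytes(dump: str) -> bytes:
    """Parse tcpdump -X lines ('0x0010:  4dde 8e38 ...  M..8...') into raw bytes."""
    out = bytearray()
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) < 2 or not (parts[0].startswith("0x") and parts[0].endswith(":")):
            continue
        words = []
        for tok in parts[1:9]:               # at most 8 words (16 bytes) per line
            if not HEX_WORD.fullmatch(tok):  # anything else is the ASCII column
                break
            words.append(tok)
        out += bytes.fromhex("".join(words))
    return bytes(out)


def tcp_payload(packet: bytes) -> bytes:
    """Strip the IPv4 and TCP headers using the IHL and TCP data-offset fields."""
    if packet[0] >> 4 != 4:
        raise ValueError("IPv4 packet expected")
    ihl = (packet[0] & 0x0F) * 4
    total_len = int.from_bytes(packet[2:4], "big")
    data_off = (packet[ihl + 12] >> 4) * 4
    return packet[ihl + data_off:total_len]


def uri_only_match(payload: bytes):
    """Tier 1 (pcre/uricontent rules): POST to a known CGI name. Returns the name or None."""
    m = REQ_LINE.match(payload)
    return m.group(1).decode() + ".cgi" if m else None


def anchored_match(payload: bytes, require_upload_part: bool = False):
    """Tier 2 (content-match rules): tier 1 plus the header anchors.

    With require_upload_part=True the upload_file Content-Disposition must sit in
    this buffer's body; for a header-only segment (like the hexdump above) the body
    is empty, and Snort would only see it after stream reassembly.
    """
    name = uri_only_match(payload)
    if name is None:
        return None
    head, _, body = payload.partition(b"\r\n\r\n")
    anchors = (b"\r\nContent-Type: multipart/form-data; boundary=",
               b"\r\nUser-Agent: " + GOZI_UA,
               b"\r\nHost: ")
    if not all(a in head for a in anchors):
        return None
    if require_upload_part and b'Content-Disposition: form-data; name="upload_file"' not in body:
        return None
    return name


SAMPLES = {
    # From the sanitized forms.cgi excerpt in the thread.
    "gozi_forms": (
        b"POST /cgi-bin/forms.cgi HTTP/1.1\r\n"
        b"Content-Type: multipart/form-data; boundary=--------------------------01400b2f08b7\r\n"
        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
        b"Host: 77.222.142.56\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
        b"----------------------------01400b2f08b7\r\n"
        b'Content-Disposition: form-data; name="upload_file"; filename="3337220749.0002"\r\n'
        b"Content-Type: application/octet-stream\r\n\r\nURL: https://example.org\r\nfoo=bar\r\n\r\n"
        b"----------------------------01400b2f08b7--\r\n"),
    # Constructed from the FP list: a GET, and a POST with ordinary browser headers.
    "benign_get": b"GET /cgi-bin/forms.cgi?form=3&headline=x HTTP/1.1\r\nHost: www.wirespring.com\r\n\r\n",
    "benign_post": (b"POST /cgi-bin/forms.cgi HTTP/1.1\r\nHost: www.cowgirlartist.com\r\n"
                    b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/3.0\r\n"
                    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 9\r\n\r\nname=jane"),
}


def scan(samples):
    """Run both tiers over named request buffers; returns {name: (tier1, tier2)}."""
    return {k: (uri_only_match(v), anchored_match(v)) for k, v in samples.items()}


if __name__ == "__main__":
    inputs = {**SAMPLES, "ss_hexdump": tcp_payload(hexdump_to_bytes(SS_CGI_HEXDUMP))}
    for name, (t1, t2) in scan(inputs).items():
        print(f"{name:12s} uri_only={t1!s:11s} anchored={t2}")
```

The benign POST to forms.cgi fires the URI-only tier and not the anchored one, which is the FP argument in the thread in runnable form; the ss.cgi header segment shows the other side of it, the body anchors (Content-Disposition, boundary) live in the next segment, so a rule that depends on them is only as good as the sensor's stream reassembly.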

