[Emerging-Sigs] Multiple Sigs

Kevin Ross kevross33 at googlemail.com
Thu Oct 14 05:58:50 EDT 2010

Hey, quick answer the now, for the shockwave flash have a look at
http://vicheck.blogspot.com/ (I can't give you a full link as blogspot
filtered at my work). Anyway look at a recent entry about flash PDF exploits
and look at the samples on what behaviour was detected. On the flash
detected ones you will see a lot of different methods but prodomenantly

Now I took into account name representation obfuscation for the /Application
name. I thought seeing as some PDFs use flash and shockwave as part of
exploits (including some recent vulnerabilities such as sids 2011519 &
2011575 in ET WEB_CLIENT which have .swf) that detecting its usage in PDF
files (something I want to know about) may be useful. I will have a look at
the other stuff once I get home. I have been trying to come up with sigs
helping to identify possibly malcious PDF files (with varying degress of


On 13 October 2010 21:56, Daniel Clemens <dclemens at emergingthreatspro.com>wrote:

> Kevin,
> On Oct 13, 2010, at 2:52 PM, Kevin Ross wrote:
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
> Embedded Executable File in PDF, This Program Cannot Be Run in DOS Mode";
> flow:established,to_client; content:"PDF-"; nocase; depth:300; content:"This
> program cannot be run in DOS mode"; nocase; distance:0;
> classtype:bad-unknown; sid:19340002; rev:1;)
> >
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX
> Microsoft Office mshtmled.dll HtmlDlgHelper Class Memory Corruption
> Attempt"; flow:established,to_client; content:"clsid"; nocase;
> content:"3050F4E1-98B5-11CF-BB82-00AA00BDCE0B"; nocase; distance:0;
> content:"CHtmlDlgHelper"; nocase;
> pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*3050F4E1-98B5-11CF-BB82-00AA00BDCE0B/si";
> classtype:attempted-user; reference:url,
> www.coresecurity.com/content/MS-Office-HtmlDlgHelper-memory-corruption;
> reference:cve,2010-3329; sid:19340003; rev:1;)
> The vulnerability relies on an office document .doc or .xls being loaded
> and this ActiveX method is called within Excel or Word or office being
> tricked into loading html where this html/activex method is being used.
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
> Suspicious Embedded Shockwave Flash In PDF"; flow:established,to_client;
> content:"PDF-"; depth:300; nocase; content:"x-shockwave-flash"; nocase;
> distance:0;
> pcre:"/(a|#61)(p|#70)(p|#70)(l|#6C)(i|#69)(c|#63)(a|#61)(t|#74)(i|#69)(o|#6F)(n|#6E)(\x2F|#2F)x-shockwave-flash/i";
> classtype:bad-unknown; sid:19340004; rev:1;)
> Can you provide more references for this? I'm curious about this.
> > alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX
> Trend Micro Internet Security Pro 2010 ActiveX extSetOwner Remote Code
> Execution Attempt"; flow:established,to_client; content:"clsid"; nocase;
> content:"15DBC3F9-9F0A-472E-8061-043D9CEC52F0"; nocase; distance:0;
> content:"extSetOwner"; nocase;
> pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15DBC3F9-9F0A-472E-8061-043D9CEC52F0/si";
> classtype:attempted-user; reference:url,
> www.exploit-db.com/trend-micro-internet-security-pro-2010-activex-extsetowner-remote-code-execution/;
> sid:19340005; rev:1;)
> I've really been thinking that even though writing ActiveX rules is a
> necessary evil , (some people want it), exploits will likely always evade
> most if not all ActiveX rules. What do you think?
> Can we start a list discussion on this as a whole?
> | Daniel Uriah Clemens
> | EmergingThreats Pro || c. 205.567.6850
> "Moments of sorrow are moments of sobriety"
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20101014/a8b02957/attachment.html

More information about the Emerging-sigs mailing list