[Emerging-Sigs] 3 Sigs: Google Chrome Mem Corrupt & Mebromi Rootkit

Kevin Ross kevross33 at googlemail.com
Tue Oct 4 14:44:58 EDT 2011


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt"; \
  flow:established,to_client; \
  content:".pdf|22|><|2F|iframe>"; nocase; \
  content:".pdf|22|><|2F|iframe>"; nocase; distance:0; \
  content:".pdf|22|><|2F|iframe>"; nocase; distance:0; \
  content:".pdf|22|><|2F|iframe>"; nocase; distance:0; \
  content:".pdf|22|><|2F|iframe>"; nocase; distance:0; \
  content:".pdf|22|><|2F|iframe>"; nocase; distance:0; \
  classtype:attempted-user; reference:bid,49933; reference:cve,2011-2841; \
  sid:1330091; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 806 (msg:"ET TROJAN W32/Mebromi Bios Rootkit CnC Checkin"; \
  flow:established,to_server; \
  content:".php?userid="; content:"&time="; distance:0; content:"&msg="; distance:0; \
  content:"&ver="; distance:0; content:"&os="; distance:0; content:"&fy="; distance:0; \
  content:"&pauid="; distance:0; content:"&checkId="; distance:0; \
  classtype:trojan-activity; \
  reference:url,threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697; \
  reference:url,blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/; \
  sid:1232321; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Mebromi Bios Rootkit CnC Checkin 2"; \
  flow:established,to_server; \
  content:".asp?ver="; http_uri; content:"&tgid="; http_uri; \
  content:"&address="; http_uri; content:"&flag="; http_uri; \
  content:"&alexa="; http_uri; content:"&List="; http_uri; \
  classtype:trojan-activity; \
  reference:url,threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697; \
  reference:url,blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/; \
  sid:1232322; rev:1;)

Regards, Kevin
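As an added worked example (not part of Kevin's post and not Emerging Threats code), the Python below re-implements the only Snort matching semantics these three rules depend on: ordered content matches chained with distance:0, the nocase modifier, and |hex| escapes. It then runs the three content chains over constructed payloads to show what the rules do and do not fire on: the Chrome rule needs six non-overlapping `.pdf"></iframe>` fragments in the inspected buffer, and the Mebromi check-in rules require the query parameters in exactly the listed order, because distance:0 only searches forward from the previous match. Stream reassembly and HTTP normalisation are out of scope; since rule 2 targets port 806 (outside $HTTP_PORTS) without http_uri, it is fed the raw request line, while rule 3 is fed only the URI. All sample payloads are constructed, not captured traffic.

```python
"""Emulate the ordered content / distance:0 matching the three rules above rely on.

Added example: not part of the post or of the Emerging Threats ruleset.
It models only the Snort option semantics the rules use:
  content:"X";              first match anywhere in the inspected buffer
  content:"Y"; distance:0;  next match must begin at or after the END of the previous match
  nocase;                   case-insensitive comparison
  |22| / |2F|               hex escapes for the bytes 0x22 (") and 0x2F (/)
Stream reassembly and HTTP normalisation (http_uri) are out of scope; the rule-3
sample is therefore fed the bare URI. All sample payloads are constructed here.
"""


def parse_content(pattern: str) -> bytes:
    """Convert a Snort content string with |hex| escapes into raw bytes."""
    out = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal text outside the pipes
        else:
            out += bytes.fromhex(part)      # hex bytes between the pipes
    return bytes(out)


def ordered_match(buf: bytes, contents, nocase: bool = False) -> bool:
    """True if every content is found in order, each chained with distance:0."""
    hay = buf.lower() if nocase else buf
    pos = 0
    for pat in contents:
        needle = parse_content(pat)
        if nocase:
            needle = needle.lower()
        idx = hay.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)  # distance:0 -> resume right after this match
    return True


# The content chains exactly as written in the three rules.
CHROME_PDF_IFRAME = [".pdf|22|><|2F|iframe>"] * 6   # six non-overlapping occurrences
MEBROMI_CHECKIN_1 = [".php?userid=", "&time=", "&msg=", "&ver=", "&os=", "&fy=", "&pauid=", "&checkId="]
MEBROMI_CHECKIN_2 = [".asp?ver=", "&tgid=", "&address=", "&flag=", "&alexa=", "&List="]


def chrome_pdf_iframe_hit(response_body: bytes) -> bool:
    """sid:1330091 - all six contents carry nocase."""
    return ordered_match(response_body, CHROME_PDF_IFRAME, nocase=True)


def mebromi_checkin1_hit(raw_payload: bytes) -> bool:
    """sid:1232321 - port 806 is not in $HTTP_PORTS, so the rule inspects raw payload."""
    return ordered_match(raw_payload, MEBROMI_CHECKIN_1)


def mebromi_checkin2_hit(uri: bytes) -> bool:
    """sid:1232322 - every content is http_uri, so only the URI is inspected."""
    return ordered_match(uri, MEBROMI_CHECKIN_2)


# Constructed samples (not captured traffic).
EXPLOIT_PAGE = b"<html><body>" + b'<iframe src="x.PDF"></IFRAME>' * 6 + b"</body></html>"
BENIGN_PAGE = b'<p><iframe src="a.pdf"></iframe> and <iframe src="b.pdf"></iframe></p>'
CHECKIN_1 = b"GET /gate.php?userid=1&time=2&msg=ok&ver=3&os=xp&fy=4&pauid=5&checkId=6 HTTP/1.1\r\n"
CHECKIN_1_REORDERED = b"GET /gate.php?userid=1&msg=ok&time=2&ver=3&os=xp&fy=4&pauid=5&checkId=6 HTTP/1.1\r\n"
CHECKIN_2_URI = b"/r.asp?ver=3&tgid=7&address=00-11-22&flag=1&alexa=0&List=a,b"

if __name__ == "__main__":
    print("chrome iframe, 6 frames            :", chrome_pdf_iframe_hit(EXPLOIT_PAGE))        # True
    print("chrome iframe, 2 frames            :", chrome_pdf_iframe_hit(BENIGN_PAGE))         # False
    print("mebromi checkin 1                  :", mebromi_checkin1_hit(CHECKIN_1))            # True
    print("mebromi checkin 1, params reordered:", mebromi_checkin1_hit(CHECKIN_1_REORDERED))  # False
    print("mebromi checkin 2                  :", mebromi_checkin2_hit(CHECKIN_2_URI))        # True
```

The reordered check-in sample is the practical caveat: a sample that emits the same parameters in a different order will not trip sid:1232321, because each distance:0 match only searches forward from the end of the previous one. The emulation deliberately does not model packet boundaries, so a real deployment still depends on stream reassembly to see all six iframe fragments in one inspected buffer.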