[Emerging-Sigs] 3 Sigs: Google Chrome Mem Corrupt & Mebromi Rootkit

Kevin Ross kevross33 at googlemail.com
Tue Oct 4 18:12:58 EDT 2011


And another for this. In the samples it used 2 ports (3163 & 8181 or something), so I'm making it like this to avoid false negatives, as I'm not sure if others may be used.

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN W32/Mebromi
Bios Rootkit CnC Count Checkin"; flow:established,to_server;
content:"/Count.asp?UserID="; offset:4; depth:25; content:"&MAC=";
distance:1; within:10; content:"&Process="; distance:0;
classtype:trojan-activity; reference:url,
http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20;
reference:url,
http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/;
sid:1232323; rev:1;)

Kev

On 4 October 2011 19:44, Kevin Ross <kevross33 at googlemail.com> wrote:

> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT
> Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt";
> flow:established,to_client; content:".pdf|22|><|2F|iframe>"; nocase;
> content:".pdf|22|><|2F|iframe>"; nocase; distance:0;
> content:".pdf|22|><|2F|iframe>"; nocase; distance:0;
> content:".pdf|22|><|2F|iframe>"; nocase; distance:0;
> content:".pdf|22|><|2F|iframe>"; nocase; distance:0;
> content:".pdf|22|><|2F|iframe>"; nocase; distance:0;
> classtype:attempted-user; reference:bid,49933; reference:cve,2011-2841;
> sid:1330091; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET 806 (msg:"ET TROJAN W32/Mebromi
> Bios Rootkit CnC Checkin"; flow:established,to_server;
> content:".php?userid="; content:"&time="; distance:0; content:"&msg=";
> distance:0; content:"&ver="; distance:0; content:"&os="; distance:0;
> content:"&fy="; distance:0; content:"&pauid="; distance:0;
> content:"&checkId="; distance:0; classtype:trojan-activity; reference:url,
> http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20;
> reference:url,
> http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/;
> sid:1232321; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> W32/Mebromi Bios Rootkit CnC Checkin 2"; flow:established,to_server;
> content:".asp?ver="; http_uri; content:"&tgid="; http_uri;
> content:"&address="; http_uri; content:"&flag="; http_uri;
> content:"&alexa="; http_uri; content:"&List="; http_uri;
> classtype:trojan-activity; reference:url,
> http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20;
> reference:url,
> http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/;
> sid:1232322; rev:1;)
>
> Regards, Kevin
>
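To make the "1024:" port choice and the offset/depth and distance/within modifiers in the Count Checkin rule concrete, here is an added illustration (my own code, not Snort, Suricata or Emerging Threats code, and not part of the original post). It is a deliberately simplified model of content-modifier matching: offset/depth open an absolute window, distance/within open a window relative to the end of the previous match, and a bare distance:0 searches to the end of the payload. The rule body is transcribed from the post; the HTTP requests it is run against are constructed samples, not captured traffic.

```python
# Added illustration: a simplified model of Snort-style content modifiers,
# used to exercise the Mebromi "CnC Count Checkin" rule from the post over
# constructed sample payloads. Not Snort, Suricata or ET code.
#
# Assumed matching model (simplified; real engines differ in corner cases):
#   offset/depth    -> absolute search window [offset, offset + depth)
#   distance/within -> window relative to the end of the previous match,
#                      [prev_end + distance, prev_end + distance + within)
#   no depth/within -> search to the end of the payload


def find_content(payload, pattern, start, length, nocase=False):
    """Return the index just past the first match inside the window, or None."""
    hay, pat = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
    end = len(hay) if length is None else min(len(hay), start + length)
    idx = hay.find(pat, start, end)  # bytes.find requires the whole pattern inside [start, end)
    return None if idx < 0 else idx + len(pat)


def match_contents(payload, contents):
    """Apply a rule's content options in order, threading the end of each match."""
    prev_end = 0
    for c in contents:
        if "offset" in c or "depth" in c:
            start, length = c.get("offset", 0), c.get("depth")
        elif "distance" in c or "within" in c:
            start, length = prev_end + c.get("distance", 0), c.get("within")
        else:
            start, length = 0, None
        prev_end = find_content(payload, c["content"], start, length, c.get("nocase", False))
        if prev_end is None:
            return False
    return True


def match_rule(rule, dst_port, payload):
    """Port check plus ordered content checks; header options like flow are not modelled."""
    lo, hi = rule["dst_ports"]
    return lo <= dst_port <= hi and match_contents(payload, rule["contents"])


# Transcription of the rule from the post: destination port "1024:" (any port
# from 1024 upwards) and the three content options with their modifiers.
MEBROMI_COUNT_CHECKIN = {
    "dst_ports": (1024, 65535),
    "contents": [
        {"content": b"/Count.asp?UserID=", "offset": 4, "depth": 25},
        {"content": b"&MAC=", "distance": 1, "within": 10},
        {"content": b"&Process=", "distance": 0},
    ],
}

# Constructed sample requests (not captured traffic; hostnames are placeholders).
CHECKIN = (b"GET /Count.asp?UserID=1234&MAC=00-11-22-33-44-55&Process=explorer.exe HTTP/1.1\r\n"
           b"Host: c2.example.invalid\r\n\r\n")
BENIGN_ASP = b"GET /Count.asp?UserID=1234&page=2 HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"
LONG_ID = (b"GET /Count.asp?UserID=abcdefghijklmnopqrstuvwxyz&MAC=00-11-22-33-44-55"
           b"&Process=x HTTP/1.1\r\n\r\n")


def demo():
    """Run the rule over the samples; the two sample ports from the post both fire."""
    return {
        "checkin_3163": match_rule(MEBROMI_COUNT_CHECKIN, 3163, CHECKIN),
        "checkin_8181": match_rule(MEBROMI_COUNT_CHECKIN, 8181, CHECKIN),
        "checkin_80": match_rule(MEBROMI_COUNT_CHECKIN, 80, CHECKIN),      # below 1024: no alert
        "benign": match_rule(MEBROMI_COUNT_CHECKIN, 3163, BENIGN_ASP),     # no &MAC=: no alert
        "long_userid": match_rule(MEBROMI_COUNT_CHECKIN, 3163, LONG_ID),   # &MAC= outside within:10
    }


if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:14s} {'ALERT' if hit else 'no match'}")
```

Two things the run makes visible: "offset:4; depth:25" anchors the path right after the "GET " method bytes, and "distance:1; within:10" only tolerates a short UserID value between the path and "&MAC=", so a longer identifier in a future sample would be missed by this rule even on a port the "1024:" range covers.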