[Emerging-Sigs] 3 Sigs: Google Chrome Mem Corrupt & Mebromi Rootkit

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 4 23:18:12 EDT 2011

Already covered in Pro sig 2803811, will move it over to the Open set.


On Oct 4, 2011, at 6:12 PM, Kevin Ross wrote:

> And another for this. In the samples it's on 2 ports (3163 & 8181 or something), so I'm making it like this to avoid false negatives as I'm not sure if there may be others used.
> alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN W32/Mebromi Bios Rootkit CnC Count Checkin"; flow:established,to_server; content:"/Count.asp?UserID="; offset:4; depth:25; content:"&MAC="; distance:1; within:10; content:"&Process="; distance:0; classtype:trojan-activity; reference:url,http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697; reference:url,http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/; sid:1232323; rev:1;)
> Kev

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
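The positional matchers of the quoted rule, replayed in Python as an added example (not code from the thread, from Emerging Threats or from Snort/Suricata): it applies the same offset/depth and distance/within windows to constructed sample requests, showing that depth:25 tolerates both GET and POST request lines while within:10 only lets the rule fire when the UserID value is 1 to 6 bytes long, under the Snort-style window semantics assumed here.

```python
# Added example: re-implements the three ordered content checks of the
# Mebromi check-in rule so its position constraints can be tested offline.
# Assumed (Snort-style) semantics:
#   offset/depth    -> pattern must lie entirely in payload[offset:offset+depth]
#   distance/within -> window starts `distance` bytes after the previous
#                      match ends and is `within` bytes long

def _find_in_window(payload: bytes, pattern: bytes, start: int, length: int):
    """Return the end index of `pattern` if it lies entirely inside
    payload[start:start+length], otherwise None."""
    window = payload[start:start + length]
    idx = window.find(pattern)
    if idx < 0:
        return None
    return start + idx + len(pattern)

def matches_mebromi_checkin(payload: bytes) -> bool:
    """Apply the rule's content checks in order; all three must hit."""
    # content:"/Count.asp?UserID="; offset:4; depth:25;
    end = _find_in_window(payload, b"/Count.asp?UserID=", 4, 25)
    if end is None:
        return False
    # content:"&MAC="; distance:1; within:10;  -> window [end+1, end+11)
    end = _find_in_window(payload, b"&MAC=", end + 1, 10)
    if end is None:
        return False
    # content:"&Process="; distance:0;  (no within: rest of the payload)
    return _find_in_window(payload, b"&Process=", end, len(payload) - end) is not None

# Constructed sample request lines (not real captures).
SAMPLES = {
    "get_short_id":  b"GET /Count.asp?UserID=12345&MAC=00AABBCCDDEE&Process=x HTTP/1.1\r\n",
    "post_short_id": b"POST /Count.asp?UserID=1&MAC=00AABBCCDDEE&Process=x HTTP/1.1\r\n",
    # 10-byte UserID pushes "&MAC=" past the within:10 window -> no alert
    "long_userid":   b"GET /Count.asp?UserID=1234567890&MAC=00AABBCCDDEE&Process=x HTTP/1.1\r\n",
    "unrelated":     b"GET /index.asp?UserID=12345&MAC=00AABBCCDDEE HTTP/1.1\r\n",
}

def evaluate_samples() -> dict:
    """Run every constructed sample through the rule logic."""
    return {name: matches_mebromi_checkin(p) for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:14s} -> {'ALERT' if hit else 'no match'}")
```

The "long_userid" miss is the kind of gap worth testing before deploying a rule built from two samples: the UserID window is tighter than the prose around the rule suggests.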
