[Emerging-Sigs] 3 Sigs: Google Chrome Mem Corrupt & Mebromi Rootkit

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 4 23:32:47 EDT 2011


On Oct 4, 2011, at 2:44 PM, Kevin Ross wrote:

> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt"; flow:established,to_client; content:".pdf|22|><|2F|iframe>"; nocase; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; content:".pdf|22|><|2F|iframe>"; nocase; distance:0; classtype:attempted-user; reference:bid,49933; reference:cve,2011-2841; sid:1330091; rev:1;)
> 

Posting


> alert tcp $HOME_NET any -> $EXTERNAL_NET 806 (msg:"ET TROJAN W32/Mebromi Bios Rootkit CnC Checkin"; flow:established,to_server; content:".php?userid="; content:"&time="; distance:0; content:"&msg="; distance:0; content:"&ver="; distance:0; content:"&os="; distance:0; content:"&fy="; distance:0; content:"&pauid="; distance:0; content:"&checkId="; distance:0; classtype:trojan-activity; reference:url,http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20; reference:url,http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/; sid:1232321; rev:1;)
> 

Covered in 2013343 and 2013215. (Dupe coverage in Suricata actually since it doesn't need the port specified, fixing that)

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Mebromi Bios Rootkit CnC Checkin 2"; flow:established,to_server; content:".asp?ver="; http_uri; content:"&tgid="; http_uri; content:"&address="; http_uri; content:"&flag="; http_uri; content:"&alexa="; http_uri; content:"&List="; http_uri; classtype:trojan-activity; reference:url,http://threatexpert.com/report.aspx?md5=b3106dbfb3ab114755af311883f33697%20; reference:url,http://blog.webroot.com/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/; sid:1232322; rev:1;)
> 

Covered in 2802962, which is Win32.QVOD. We have hits on that exactly like this all the way back to February this year...

Not sure what to make of that. 

Matt

> Regards, Kevin


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
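As an added illustration (not part of the thread or of the ET ruleset), the following Python snippet emulates the content / nocase / distance:0 chaining used by the Chrome iframe rule and the first Mebromi check-in rule above, so a rule author can confirm on constructed sample traffic that the Chrome rule needs six ordered occurrences and that the Mebromi rule depends on parameter order. It is an approximation of Snort semantics on the raw payload only (no http_uri normalisation, no port or flow evaluation); all sample payloads are constructed.

```python
# Rule option chains transcribed from the two posted rules; each entry is
# (pattern, nocase, relative to the previous match via distance:0).
CHROME_IFRAME_CHAIN = [(b'.pdf"></iframe>', True, i > 0) for i in range(6)]
MEBROMI_CHECKIN_CHAIN = [(b".php?userid=", False, False)] + [
    (p, False, True)
    for p in (b"&time=", b"&msg=", b"&ver=", b"&os=", b"&fy=", b"&pauid=", b"&checkId=")
]


def content_chain_matches(payload: bytes, chain) -> bool:
    """Approximate Snort content matching: a non-relative content is searched
    from the start of the buffer; a content with distance:0 must begin at or
    after the end of the previous match. nocase compares case-insensitively."""
    cursor = 0
    for pattern, nocase, relative in chain:
        start = cursor if relative else 0
        if nocase:
            idx = payload.lower().find(pattern.lower(), start)
        else:
            idx = payload.find(pattern, start)
        if idx < 0:
            return False
        cursor = idx + len(pattern)
    return True


def iframe_page(n: int) -> bytes:
    """Constructed HTML response embedding n PDF iframes (mixed case to exercise nocase)."""
    body = b"".join(b'<iframe src="/f%d.PDF"></iframe>' % i for i in range(n))
    return b"<html><body>" + body + b"</body></html>"


# Constructed check-in request lines; the second has the last two parameters swapped.
MEBROMI_ORDERED = b"GET /gate.php?userid=1&time=2&msg=3&ver=4&os=5&fy=6&pauid=7&checkId=8 HTTP/1.1\r\n"
MEBROMI_REORDERED = b"GET /gate.php?userid=1&time=2&msg=3&ver=4&os=5&fy=6&checkId=8&pauid=7 HTTP/1.1\r\n"

if __name__ == "__main__":
    print("6 iframes:", content_chain_matches(iframe_page(6), CHROME_IFRAME_CHAIN))   # True
    print("5 iframes:", content_chain_matches(iframe_page(5), CHROME_IFRAME_CHAIN))   # False
    print("ordered check-in:", content_chain_matches(MEBROMI_ORDERED, MEBROMI_CHECKIN_CHAIN))     # True
    print("reordered check-in:", content_chain_matches(MEBROMI_REORDERED, MEBROMI_CHECKIN_CHAIN)) # False
```

The reordered case shows why a distance:0 chain is brittle against parameter reordering; the 2802962 / 2013343 overlap Matt mentions is about which existing sids already cover this traffic, not about the matching logic itself.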
