[Emerging-Sigs] Sig Adobe Reader vulnerability exploited in the wild
jgimer at gmail.com
Sat Nov 8 12:12:10 EST 2008
Outgoing connections to where? There was nothing in your ISC post? Maybe the
rule focus is incorrect, we could write a rule to watch for these outgoing
With roughly 10,000 machines there is no way that I am going to be able to
minimize the risk that is associated with this active exploitation through
patching Adobe installations. That was why I was trying to find another way
to find possibly infected machines.
On Sat, Nov 8, 2008 at 2:01 AM, Bojan Zdrnja (SANS ISC) <bojan.isc at gmail.com
> On Sat, Nov 8, 2008 at 2:53 AM, Joshua Gimer <jgimer at gmail.com> wrote:
> > All,
> > Could you please review this sig? I am far from being even decent at
> > these rules, but thought that I would create one for the worm activity
> > that has been reported to SANS ISC due to the lack of Anti-Virus coverage.
> > http://isc.sans.org/diary.html?storyid=5312
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS
> > CVE-2008-2992 Adobe Reader PDF Exploit"; flow:established,to_server;
> > content:"|25 50 44 46|";
> > pcre:"util\.printf\(unescape(\(""\+"%"\+")?25%34%35%30%30%30%66"?\),
> > (nm)?\)"; classtype:malware-activity;
> > reference:url,isc.sans.org/diary.html?storyid=5312;
> > reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2992;
> > sid:2008117; rev:1;)
> deflated in the PDF document.
> Frankly, this doesn't look to me like something we should write a sig
> for -- there are just too many ways for obfuscating things and
> changing the content.
> Probably the best way is to catch outgoing connections, once the
> machine gets infected.
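Added example, not part of the thread: a Python sketch of why Bojan's objection holds. A content/pcre rule sees only the raw bytes on the wire, so the same util.printf call inside a FlateDecode stream never matches, and a proxy- or host-side scanner has to inflate stream objects before matching. The regex is a simplified stand-in for the posted PCRE and the PDF is constructed, both assumptions of this example.

```python
import re
import zlib

# Simplified equivalent of the rule's PCRE (an assumption, not the rule itself):
# util.printf(unescape("%25%34%35%30%30%30%66"), nm)
PRINTF_RE = re.compile(rb'util\.printf\(\s*unescape\("%25%34%35%30%30%30%66"\)\s*,\s*\w*\s*\)')

# A PDF stream object: "<< dict >> stream ... endstream"
STREAM_RE = re.compile(rb'<<(?P<dict>(?:(?!>>).)*)>>\s*stream\r?\n(?P<body>.*?)\r?\nendstream', re.S)

# Constructed sample with the shape the signature looks for (not a working exploit).
SAMPLE_JS = b'var nm = 1; util.printf(unescape("%25%34%35%30%30%30%66"), nm);'

def build_pdf(js: bytes, deflate: bool) -> bytes:
    """Build a minimal constructed PDF carrying js in a stream, optionally FlateDecode'd."""
    body = zlib.compress(js) if deflate else js
    filt = b' /Filter /FlateDecode' if deflate else b''
    return (b'%PDF-1.4\n'
            b'1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n'
            b'2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n'
            b'3 0 obj << /Length ' + str(len(body)).encode() + filt + b' >>\nstream\n'
            + body + b'\nendstream\nendobj\n%%EOF\n')

def raw_match(pdf: bytes) -> bool:
    """What a content/pcre rule sees: the bytes on the wire, with no decoding."""
    return PRINTF_RE.search(pdf) is not None

def decoded_match(pdf: bytes) -> bool:
    """Inflate FlateDecode streams before matching; other filters are not handled here."""
    if PRINTF_RE.search(pdf):
        return True
    for m in STREAM_RE.finditer(pdf):
        data = m.group('body')
        if b'/FlateDecode' in m.group('dict'):
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # truncated or corrupt stream: cannot judge it
        if PRINTF_RE.search(data):
            return True
    return False

if __name__ == '__main__':
    for deflate in (False, True):
        pdf = build_pdf(SAMPLE_JS, deflate)
        print(f'deflate={deflate}: raw={raw_match(pdf)} decoded={decoded_match(pdf)}')
```

The plaintext PDF matches both ways; the deflated one matches only after inflating, which is the gap a wire-level sig cannot close (and further string obfuscation inside the script defeats even the decoded match).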