[Emerging-Sigs] Sig Adobe Reader vulnerability exploited in the wild

Joshua Gimer jgimer at gmail.com
Sat Nov 8 12:12:10 EST 2008


Outgoing connections to where? There was nothing in your ISC post. Maybe the
rule focus is incorrect; we could write a rule to watch for these outgoing
connections?

With roughly 10,000 machines there is no way that I am going to be able to
minimize the risk that is associated with this active exploitation through
patching Adobe installations. That was why I was trying to find another way
to find possibly infected machines.

Josh

On Sat, Nov 8, 2008 at 2:01 AM, Bojan Zdrnja (SANS ISC) <bojan.isc at gmail.com> wrote:

> Joshua,
>
> On Sat, Nov 8, 2008 at 2:53 AM, Joshua Gimer <jgimer at gmail.com> wrote:
> > All,
> >
> > Could you please review this sig? I am far from being even decent at writing
> > these rules, but thought that I would create one for the worm activity that
> > has been reported to SANS ISC due to the lack of Anti-Virus coverage.
> >
> > http://isc.sans.org/diary.html?storyid=5312
> >
> > alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS CVE-2008-2992 Adobe Reader PDF Exploit"; flow:established,to_client; content:"|25 50 44 46|"; pcre:"/util\.printf\(unescape\(\x22%(\x22\+\x22)?25%34%35%30%30%30%66\x22\),\s*(nm)?\)/"; classtype:malware-activity; reference:url,isc.sans.org/diary.html?storyid=5312; reference:url,cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2992; sid:2008117; rev:1;)
>
> This won't work because the JavaScript part is obfuscated, and
> deflated in the PDF document.
> Frankly, this doesn't look to me like something we should write a sig
> for -- there are just too many ways for obfuscating things and
> changing the content.
>
> Probably the best way is to catch outgoing connections, once the
> machine gets infected.
>
> Cheers,
>
> Bojan
>



-- 
Thx
Joshua Gimer
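As an added example (not code from this thread, from SANS ISC or from Emerging Threats), here is a file-side check of the two layers Bojan points to: it inflates FlateDecode streams and undoes the unescape()/string-concatenation layer the rule's regex was written for, then looks for a util.printf float format with an oversized field width. The escaped sequence in the rule, %25%34%35%30%30%30%66, decodes to %45000f, which is what the scan is looking for. The sample document, the 1000-digit width threshold and all function names are constructed for the example.

```python
import re
import zlib
from urllib.parse import unquote

# PDF stream bodies sit between "stream" and "endstream"; DOTALL because they span lines.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
# String-literal concatenation used to split an escape sequence: "%" + "25..." -> "%25..."
CONCAT_RE = re.compile(r"""(["'])\s*\+\s*\1""")
# JavaScript unescape("...") with a plain string-literal argument
UNESCAPE_RE = re.compile(r"""unescape\s*\(\s*(["'])([^"']*)\1\s*\)""")
# The call the thread's rule targets, and a float format whose width we inspect
PRINTF_RE = re.compile(r"util\.printf\s*\(", re.IGNORECASE)
FLOAT_WIDTH_RE = re.compile(r"%(\d+)f")


def inflate_streams(pdf_bytes):
    """Yield each stream body, inflating FlateDecode streams and passing others through raw."""
    for m in STREAM_RE.finditer(pdf_bytes):
        body = m.group(1)
        try:
            # decompressobj tolerates trailing bytes (e.g. a CR before endstream)
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # not a zlib stream (or damaged): scan it as-is


def normalize_js(js):
    """Undo the two obfuscation layers the rule's regex was written for:
    literal concatenation ("%"+"25") and unescape() of %XX escapes."""
    js = CONCAT_RE.sub("", js)
    # Assumption: only %XX escapes are decoded; JavaScript's %uXXXX form is not handled here.
    return UNESCAPE_RE.sub(lambda m: '"' + unquote(m.group(2)) + '"', js)


def find_printf_overflow(js, min_width=1000):
    """Return the widths of util.printf float formats at or above min_width
    (the threshold is an assumption chosen for this example)."""
    hits = []
    for m in PRINTF_RE.finditer(js):
        args = js[m.end():m.end() + 200]  # inspect the argument list only
        w = FLOAT_WIDTH_RE.search(args)
        if w and int(w.group(1)) >= min_width:
            hits.append(int(w.group(1)))
    return hits


def scan_pdf(pdf_bytes):
    """Inflate every stream, peel the obfuscation, and report suspicious util.printf widths."""
    findings = []
    for stream in inflate_streams(pdf_bytes):
        findings.extend(find_printf_overflow(normalize_js(stream.decode("latin-1"))))
    return findings


def build_sample_pdf():
    """Constructed sample document, not a real exploit file: one plain text stream and one
    deflated JavaScript stream carrying the escaped sequence from the thread's rule."""
    js = b'var nm = 1; util.printf(unescape("%"+"25%34%35%30%30%30%66"), nm);'
    page = b"BT /F1 12 Tf (Hello) Tj ET"
    deflated = zlib.compress(js)
    parts = [
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Length %d >>\nstream\n" % len(page), page, b"\nendstream\nendobj\n",
        b"2 0 obj\n<< /Filter /FlateDecode /Length %d >>\nstream\n" % len(deflated),
        deflated, b"\nendstream\nendobj\n",
        b"%%EOF\n",
    ]
    return b"".join(parts)


if __name__ == "__main__":
    print("suspicious util.printf widths:", scan_pdf(build_sample_pdf()))
```

This only peels the two layers named in the thread; any further obfuscation (Bojan's point) still defeats a static check, so it is a triage aid for a mail or web gateway quarantine, or for sweeping download directories on the affected hosts, rather than a replacement for patching.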