
List:       dragonidsuser
Subject:    RE: [Dragonidsuser] JPEG overflow virus sig
From:       "Tulo, David" <David.Tulo () ocgov ! com>
Date:       2004-09-29 0:16:09
Message-ID: 6DDEA7AB1E6AD7119C3E0002A543E2AF01A0AE23 () dcex1 ! ocgov ! com

This combines the NOOP and beginning header 2 section.  Lemme know if you
see false positives with this; I'm running this through my systems now.

T S A B 5 0 W IE:GDI-JPEG-HDR2 JFIF , /83/c3/12/c6/03/90/43/3b/d9/75/f8/44/44/44/44/44/44/44/44/44/44/44/44/44/01/15/19/19/20/1c/20/26/18/18/26/36/26/20/26/36/44/36/2b/2b/36


David R. Tulo, Jr.
Senior Network Forensics Engineer
1400 South Grand Avenue
Santa Ana, CA 92705
(714) 567-7675
David.Tulo@ocgov.com
--------- Email Confidentiality Notice ------- The information in this email
may be confidential, proprietary and/or sensitive and is intended only for
use by the entity or individual to whom it is addressed.  If you, the reader
of this email and/or its attachments, are not the intended recipient, you
are hereby notified that any dissemination, distribution, publishing,
modification, storage or copying of this email or any of its attachments is
strictly prohibited.  If you have received this communication in error,
please immediately notify the Enterprise Data Center at ocreview@ocgov.com,
and destroy all copies of this message along with any attachments.

-----Original Message-----
From: Tulo, David 
Sent: Tuesday, September 28, 2004 4:01 PM
To: 'dragonidsuser@enterasys.com'
Subject: RE: [Dragonidsuser] JPEG overflow virus sig

 
I'm going to rework the HDR2 sig; that one does appear to have a high false
positive rate...


-----Original Message-----
From: Tulo, David
Sent: Tuesday, September 28, 2004 3:56 PM
To: 'Mike Iglesias'
Cc: 'dragonidsuser@enterasys.com'
Subject: RE: [Dragonidsuser] JPEG overflow virus sig

Mike,

I'm trying the following signatures out based upon the program posted at
http://www.k-otik.com/exploits/09272004.JpegOfDeathM.c.php.  Basically, it
seems that if an exploit is going to be built, it uses the "header2"
section, and if a login account is to be created, it uses various "admin"
headers, of which 6 is the most identifiable.  You may want to plug 'em in
and disable the other sigs (maybe except for the FTP sig) to see how these
work.  They're pretty exploit-specific, but I don't anticipate a high false
positive rate.

T S A B 5 0 W IE:GDI-JPEG-HDR2 JFIF , /44/44/44/44/44/44/44/44/44/44/44/44/44/01/15/19/19/20/1c/20/26/18/18/26/36/26/20/26/36/44/36/2b/2b/36

T S A B 5 0 W IE:GDI-JPEG-ADMHDR6 /00/00/00/ff/db/00/43/00/08/06/06/07/06/05/08/07/07/07/09/09/08/0a/0c/14/0d/0c/0b/0b/0c/0b/0b/0c/19/12/13/0f/14

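To see what these byte signatures actually match, and why the reworked HDR2 sig (the one at the top of the thread, which prepends 11 more bytes to this one) is tighter, here is an added Python example that is not part of the thread or of Dragon itself: it parses the three search strings as posted and scans constructed JPEG-like buffers with them. The token grammar (whitespace-separated tokens, /xx/ hex runs, a bare comma as a separator, AND semantics in order) is an assumption for illustration, not Dragon's documented syntax.

```python
"""Scan JPEG data for the Dragon-style byte signatures posted in this thread.
Added example, not Dragon's own engine: the token grammar below is assumed."""

# Search strings as posted: the first HDR2 sig, the revised HDR2 sig (which
# prepends 11 bytes to the first one), and ADMHDR6.
SIGS = {
    "HDR2-original": "JFIF , /44/44/44/44/44/44/44/44/44/44/44/44/44/01/15/19/19/20/1c/20/26/18/18/26/36/26/20/26/36/44/36/2b/2b/36",
    "HDR2-revised": "JFIF , /83/c3/12/c6/03/90/43/3b/d9/75/f8/44/44/44/44/44/44/44/44/44/44/44/44/44/01/15/19/19/20/1c/20/26/18/18/26/36/26/20/26/36/44/36/2b/2b/36",
    "ADMHDR6": "/00/00/00/ff/db/00/43/00/08/06/06/07/06/05/08/07/07/07/09/09/08/0a/0c/14/0d/0c/0b/0b/0c/0b/0b/0c/19/12/13/0f/14",
}

def parse_tokens(search):
    """Assumed grammar: whitespace separates tokens, /xx/yy/ is a run of hex
    bytes, a bare ',' carries no bytes, anything else is literal ASCII."""
    out = []
    for tok in search.split():
        if tok == ",":
            continue
        if tok.startswith("/"):
            out.append(bytes.fromhex("".join(h for h in tok.split("/") if h)))
        else:
            out.append(tok.encode("ascii"))
    return out

def matches(data, patterns):
    """AND semantics: every pattern must occur, each after the previous one."""
    pos = 0
    for pat in patterns:
        idx = data.find(pat, pos)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True

def scan(data):
    """Names of all signatures that fire on data."""
    return [name for name, s in SIGS.items() if matches(data, parse_tokens(s))]

# Constructed samples, not real captures: a minimal JFIF header with a
# placeholder DQT, then the same header followed by the bytes the sigs expect.
APP0 = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
TABLE = bytes.fromhex("01151919201c2026181826362620263644362b2b36")
PREFIX = bytes.fromhex("83c312c60390433bd975f8")
BENIGN = APP0 + b"\xff\xdb\x00\x43\x00" + bytes([16] * 64)
TABLE_ONLY = APP0 + b"\x44" * 13 + TABLE            # fires the first HDR2 sig only
WITH_PREFIX = APP0 + PREFIX + b"\x44" * 13 + TABLE  # fires both HDR2 sigs
```

Any buffer that carries the 0x44 run and the 21 table-like bytes trips the first HDR2 sig, while the revised one also demands the 11-byte prefix, which is the whole point of combining the two sections.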


_______________________________________________
Dragonidsuser mailing list