
List:       emerging-sigs
Subject:    [Emerging-Sigs] Gimiv Pings
From:       jonkman () jonkmans ! com (Matt Jonkman)
Date:       2008-10-24 18:42:26
Message-ID: 49021712.7090207 () jonkmans ! com

alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gimiv Infection Ping Outbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; classtype:trojan-activity; sid:2008726; rev:1;)

Caught the Gimiv samples in the sandnet making an outbound ping to two
google IPs. They must be hardcoded as it does not look them up. But the
payload is unique, as seen above.

This sig is posted, and I'll put up one for inbound pings, just in case
it uses that to start ping sweeps.
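As an added illustration (not part of Matt's post or the Emerging Threats rule set), the following Python models what the rule above actually tests on the wire: an IPv4 packet carrying ICMP type 8 / code 0, an ICMP payload of exactly 20 bytes (Snort's dsize counts the bytes after the 8-byte ICMP header), and the fixed content string inside that payload, with the direction check derived from a $HOME_NET stand-in. The packets are constructed sample input; the post shows 19 content characters against a dsize of 20, so the sample payload pads with one NUL byte, which is an assumption about the 20th byte rather than something the post states. The inbound direction is included only to show what the announced inbound variant would key on.

```python
"""Added example: a model of the Gimiv ping signature's match logic.
Not code from the original post or from Emerging Threats."""
import ipaddress
import struct
from typing import Optional, Tuple

# Constants copied from the posted rule.
GIMIV_CONTENT = b"abcde12345fghij6789"   # content:"abcde12345fghij6789"
GIMIV_DSIZE = 20                         # dsize:20 (ICMP payload bytes)
ICMP_ECHO_REQUEST = 8                    # itype:8
ICMP_CODE_ZERO = 0                       # icode:0

# Assumed stand-in for $HOME_NET; everything else is treated as $EXTERNAL_NET.
HOME_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample payload: the 19 rule bytes plus one NUL to reach dsize 20.
# The padding byte is an assumption, not a fact from the post.
SAMPLE_GIMIV_PAYLOAD = GIMIV_CONTENT + b"\x00"
# Constructed benign ping payload, 20 bytes of ordinary filler.
SAMPLE_BENIGN_PAYLOAD = b"0123456789abcdefghij"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_packet(src: str, dst: str, itype: int, icode: int, payload: bytes) -> bytes:
    """Build a minimal IPv4 + ICMP packet (constructed test input, no IP options)."""
    hdr_no_sum = struct.pack("!BBHHH", itype, icode, 0, 0x1234, 1)
    csum = icmp_checksum(hdr_no_sum + payload)
    icmp = struct.pack("!BBHHH", itype, icode, csum, 0x1234, 1) + payload
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,   # ver/ihl, tos, len, id, frag, ttl, proto=ICMP, csum
        ipaddress.ip_address(src).packed,
        ipaddress.ip_address(dst).packed,
    )
    return ip_hdr + icmp


def parse_icmp(packet: bytes) -> Optional[Tuple[str, str, int, int, bytes]]:
    """Return (src, dst, itype, icode, payload) for an IPv4/ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1 or len(packet) < ihl + 8:      # protocol 1 = ICMP
        return None
    total_len = struct.unpack("!H", packet[2:4])[0]
    src = str(ipaddress.ip_address(packet[12:16]))
    dst = str(ipaddress.ip_address(packet[16:20]))
    itype, icode = packet[ihl], packet[ihl + 1]
    payload = packet[ihl + 8:total_len]              # dsize covers only these bytes
    return src, dst, itype, icode, payload


def match_gimiv_ping(packet: bytes) -> Optional[str]:
    """Apply the rule's predicates; return 'outbound', 'inbound', or None."""
    parsed = parse_icmp(packet)
    if parsed is None:
        return None
    src, dst, itype, icode, payload = parsed
    if itype != ICMP_ECHO_REQUEST or icode != ICMP_CODE_ZERO:
        return None
    if len(payload) != GIMIV_DSIZE or GIMIV_CONTENT not in payload:
        return None
    src_home = ipaddress.ip_address(src) in HOME_NET
    dst_home = ipaddress.ip_address(dst) in HOME_NET
    if src_home and not dst_home:
        return "outbound"   # the posted rule: $HOME_NET -> $EXTERNAL_NET
    if dst_home and not src_home:
        return "inbound"    # what the announced inbound variant would flag
    return None


if __name__ == "__main__":
    # Constructed addresses from documentation ranges.
    infected = build_icmp_packet("192.0.2.10", "203.0.113.5", 8, 0, SAMPLE_GIMIV_PAYLOAD)
    benign = build_icmp_packet("192.0.2.10", "203.0.113.5", 8, 0, SAMPLE_BENIGN_PAYLOAD)
    print("infected host ping:", match_gimiv_ping(infected))
    print("ordinary ping:     ", match_gimiv_ping(benign))
```

Two points the model makes visible: an echo reply (type 0) carrying the same bytes does not match, because itype:8 is part of the rule, and a payload of any length other than 20 does not match even if the content string is present, so a variant that changed the padding would slip past this signature and would need its own revision.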

Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
