Trojan Proxy.afv
Monday, 14 April 2008

A lot of the bots/trojans are using HTTP POST submissions rather than URL parameters. This makes it a bit harder for us to write good low-load sigs, since we can't just rely on the URI preprocessor to keep us in the request header. We will have to move to more of this type of sig in the future. The risk is that we end up applying the sig to an entire binary POST body, etc.
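The following is an added illustration, not code from the original post or from the Emerging Threats rule set, of what "keeping the sig in the POST body" looks like when written out by hand: the request is split into request line, headers and body, the match is only attempted on POST requests with a form-style Content-Type, and only the first `depth` bytes of the body are inspected, so a large binary upload is never scanned end to end. The sample requests, the body pattern and the 64-byte depth are all constructed for this example and are not a real signature.

```python
import re

# Constructed sample traffic for this example (not captured from a real bot).
# A small form-encoded check-in of the kind the post describes:
BEACON = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 26\r\n"
    b"\r\n"
    b"id=ABCD1234&cmd=idle&ver=2"
)
# A large binary upload whose first bytes happen to look like the beacon;
# a body-wide regex would scan all of it, a scoped one never touches it.
UPLOAD = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Length: 4096\r\n"
    b"\r\n"
    + b"id=ABCD1234&cmd=" + bytes(range(256)) * 16
)

# Hypothetical body pattern for the example above; not a published sig.
BEACON_BODY_RE = re.compile(rb"^id=[A-Z0-9]{8}&cmd=")


def split_request(raw: bytes):
    """Split a raw HTTP request into (request_line, headers, body).

    Header names are lower-cased so lookups are case-insensitive; the body
    is returned untouched as bytes.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return request_line, headers, body


def post_body_matches(raw: bytes, pattern=BEACON_BODY_RE, depth: int = 64,
                      content_types=("application/x-www-form-urlencoded",)):
    """Return True if the scoped body pattern matches this request.

    The pattern is applied only to POST requests, only when the Content-Type
    is one of the allowed form types, and only to the first `depth` bytes of
    the body.  That is the hand-written equivalent of a rule that avoids
    running a pcre over an entire binary POST.
    """
    request_line, headers, body = split_request(raw)
    if not request_line.startswith("POST "):
        return False
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in content_types:
        return False
    return pattern.search(body[:depth]) is not None


def bytes_inspected(raw: bytes, depth: int = 64) -> int:
    """How many body bytes the scoped match actually looks at."""
    _, _, body = split_request(raw)
    return min(len(body), depth)


if __name__ == "__main__":
    for name, req in (("beacon", BEACON), ("upload", UPLOAD)):
        print(name, post_body_matches(req), bytes_inspected(req), "bytes scanned")
```

The Content-Type gate and the depth cap are the two knobs that decide the load: tightening either one cuts the bytes a regex sees, at the cost of missing a sample that changes its framing.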

 
Cyber-TA Releases Malware Threat Center
  
Thursday, 10 April 2008

As you may know, Cyber-ta (http://www.cyber-ta.net) is one of the projects we're working very closely with to bring some new tools and research to the Security community. They've just released a new information source called MTC, Malware Threat Center.

The project has only begun, so if you see new ideas or data that could benefit the community, please let them know, or let us know and we can pass on the information.

Last Updated ( Thursday, 10 April 2008 )
 
Bobax Spam Sigs
  
Wednesday, 09 April 2008
Some great intelligence shared. Seems that the Bobax spam has some very unique and sig'able message-id fields.

If you block on these you ought to reduce the load on your spam filtering systems significantly. Load ought to be manageable even though it's pcre.

In the first one, Bobax has a consistently long, set-up message-id. It also uses a lowercase d in Id, where the norm is all upper.




Here we have a predictable string in the message-id, and the same lowercase d. The trailing info is usually caps.

These will change over time of course, but they'll be good for a while. Please let me know how these fare! Be sure to pull sigs from the repository and not here, changes may not be reflected here in the future.
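As an added example that is not part of the original post and not one of the repository sigs, here is the two-trait check the post describes (the lowercase d in "Message-Id" and an unusually long local part) written out as plain Python over raw message bytes. The header-name spelling has to be read from the wire, because any parser that normalises header names throws the lowercase d away before you can look at it. The sample messages and the 40-character length threshold are constructed for this example.

```python
import email

# Constructed sample messages for this example (not real Bobax spam).
NORMAL = (
    b"From: alice@example.invalid\r\n"
    b"Message-ID: <abc123@example.invalid>\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"body\r\n"
)
SUSPECT = (
    b"From: bob@example.invalid\r\n"
    b"Message-Id: <0123456789abcdef0123456789abcdef0123456789ABCDEF@example.invalid>\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"body\r\n"
)


def raw_header_names(raw: bytes):
    """Return header names exactly as spelled on the wire, in order.

    Folded continuation lines (leading space or tab) are skipped.  This is
    the cheap, fixed-string part of the check; a rule engine would do it as
    a plain content match before any pcre runs.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    names = []
    for line in head.split(b"\r\n"):
        if not line or line[:1] in (b" ", b"\t"):
            continue
        names.append(line.split(b":", 1)[0].decode("latin-1"))
    return names


def message_id_traits(raw: bytes):
    """Collect the traits the post calls out for the Message-ID header."""
    spellings = [n for n in raw_header_names(raw) if n.lower() == "message-id"]
    msg = email.message_from_bytes(raw)          # stdlib parser for the value
    mid = msg.get("Message-ID", "") or ""
    local = mid.strip().strip("<>").split("@", 1)[0]
    return {
        "spelling": spellings[0] if spellings else None,
        # The norm is "Message-ID"; the post notes Bobax writes "Message-Id".
        "lowercase_d": any(n.endswith("Id") for n in spellings),
        "local_len": len(local),
    }


def is_suspicious(raw: bytes, min_local_len: int = 40) -> bool:
    """True when both traits are present.  min_local_len is an assumption
    for this example; tune it against your own mail."""
    t = message_id_traits(raw)
    return t["lowercase_d"] and t["local_len"] >= min_local_len


if __name__ == "__main__":
    for label, m in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(label, message_id_traits(m), is_suspicious(m))
```

Requiring both traits is what keeps the false-positive rate down: plenty of legitimate software emits long Message-IDs, and a few emit the lowercase spelling, but the post's point is that Bobax does both at once.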
