Jaime Blasco Blog

Tomorrow Conficker will activate a P2P system to coordinate to other infected machines over TCP and UDP, we've published a directive to detect the P2P behaviour.

Donwload Directive

I'm glad to announce a new feature we have added to forensic console. We use libemu to make shellcode detection and analysis to help on forensic analysis and reduce false positives, an example:

I've just update the public CVS with some new directives as part of the effort we are doing to improve the upcoming installer:

Possible Successful Attack: Reverse Shell Access to the System

Possible POP3 Bruteforce against SRC_IP

Possible FTP Bruteforce against SRC_IP

Command execution against webserver on DST_IP

File /etc/passwd access on DST_IP

Possible SQL injection attempt against DST_IP

Possible attack against DST_IP (Symantec Remote Management RTVScan Exploit)

Possible sa account bruteforce against SRC_IP (SQL Server)

Possible VNC bruteforce against SRC_IP

Possible attack against DST_IP (Microsoft Server Service related attack)

Too many Cisco Firewall dropped events with destination DST_IP

Possible Worm Infection against DST_IP

Possible Worm Infection against DST_IP via DCOM RPC vulnerability

Possible Worm Infection against DST_IP via Kill-Bill ASN1 vulnerability

Possible Worm Infection against DST_IP via Lsasrv.dll RPC vulnerability

Possible Worm Infection against DST_IP via WINS vulnerability

Possible attack against DST_IP (Microsoft Server Service related attack)

Possible worm scanning behavior on port DST_PORT

Username gathering at SMTP server DST_IP