Full Disclosure mailing list archives

Re: Sobig has a surprise...
From: Joe Stewart <jstewart () lurhq com>
Date: Fri, 22 Aug 2003 16:24:07 -0400

On Friday 22 August 2003 03:19 pm, Florian Weimer wrote:
18 of 20 addresses were known to the AV community since Tuesday.  I
don't know what F-Secure is doing here.

Why don't they publish the list of IP addresses so that people can put
filters on their networks?


alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"Sobig Trojan Site Download Request"; content:"|5c bf 01 29 ca 62 eb f1|"; dsize:8; reference:url,www.lurhq.com/sobig-e.html; classtype:trojan-activity; sid:1000021; rev:1;)

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
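
The conditions of the Snort rule in the message above, restated as an added Python example that is not part of the original post or of Snort: it parses a raw IPv4/UDP packet and applies the same direction, port, dsize and content checks. The HOME_NET range, the treatment of $EXTERNAL_NET as "not HOME_NET", the helper names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Port and payload bytes come from the rule in the post.
SOBIG_PORT = 8998
SOBIG_CONTENT = bytes.fromhex("5cbf0129ca62ebf1")
# Assumption: stand-in for $HOME_NET; $EXTERNAL_NET is treated as "not HOME_NET".
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]


def in_home(addr):
    return any(addr in net for net in HOME_NET)


def match_sobig(packet):
    """Return True if a raw IPv4 packet meets every condition of the rule."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False                      # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if ihl < 20 or packet[9] != 17 or len(packet) < ihl + 8:
        return False                      # bad header, not UDP, or no UDP header
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return False                      # non-first fragment carries no UDP header
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if ulen < 8 or len(packet) < ihl + ulen:
        return False                      # inconsistent UDP length field
    payload = packet[ihl + 8:ihl + ulen]
    return (in_home(src) and not in_home(dst)       # $HOME_NET -> $EXTERNAL_NET
            and dport == SOBIG_PORT                  # destination port 8998
            and len(payload) == 8                    # dsize:8
            and SOBIG_CONTENT in payload)            # content match


def build_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4/UDP packet for testing (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    return ip + udp


if __name__ == "__main__":
    # Constructed samples: internal host 10.1.2.3, documentation address 192.0.2.10.
    hit = build_udp("10.1.2.3", "192.0.2.10", 1034, SOBIG_PORT, SOBIG_CONTENT)
    miss = build_udp("10.1.2.3", "192.0.2.10", 1034, 53, SOBIG_CONTENT)
    print(match_sobig(hit), match_sobig(miss))
```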