Full Disclosure mailing list archives
Re: Sobig has a surprise...
From: Joe Stewart <jstewart () lurhq com>
Date: Fri, 22 Aug 2003 16:24:07 -0400
On Friday 22 August 2003 03:19 pm, Florian Weimer wrote:
18 of 20 addresses were known to the AV community since Tuesday. I don't know what F-Secure is doing here. Why don't they publish the list of IP addresses so that people can put filters on their networks?
alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"Sobig Trojan Site Download Request"; content:"|5c bf 01 29 ca 62 eb f1|"; dsize:8; reference:url,www.lurhq.com/sobig-e.html; classtype:trojan-activity; sid:1000021; rev:1;)

-Joe

--
Joe Stewart, GCIH
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
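How the conditions in the rule above combine, as an added example that is not part of the original message: the Python below parses the rule's port, content and dsize options and applies them to datagrams. The sample datagrams, function names and tuple layout are constructed for illustration, and the $HOME_NET/$EXTERNAL_NET direction check is assumed to happen elsewhere.

```python
import re

# Rule text copied from the message above.
RULE = ('alert udp $HOME_NET any -> $EXTERNAL_NET 8998 '
        '(msg:"Sobig Trojan Site Download Request"; '
        'content:"|5c bf 01 29 ca 62 eb f1|"; dsize:8; '
        'reference:url,www.lurhq.com/sobig-e.html; '
        'classtype:trojan-activity; sid:1000021; rev:1;)')

# Constructed sample datagrams: (protocol, destination port, payload).
PROBE = bytes.fromhex("5cbf0129ca62ebf1")
SAMPLES = [
    ("udp", 8998, PROBE),            # exact 8-byte request: should alert
    ("udp", 53, PROBE),              # right bytes, wrong port
    ("udp", 8998, PROBE + b"\x00"),  # 9 bytes: fails dsize:8
    ("udp", 8998, b"\x00" * 8),      # right size and port, wrong content
]

def decode_content(value):
    """Decode Snort content syntax: |..| spans are hex bytes, the rest literal."""
    out = bytearray()
    for i, part in enumerate(value.split("|")):
        if i % 2:                        # odd segments sit between pipes
            out += bytes.fromhex(part)   # fromhex skips the spaces
        else:
            out += part.encode("latin-1")
    return bytes(out)

def parse_rule(rule):
    """Extract only the fields this rule uses, not the full Snort grammar."""
    header, options = rule.split("(", 1)
    fields = header.split()
    opts = dict(re.findall(r'(\w+):\s*("[^"]*"|[^;]*);', options))
    return {
        "proto": fields[1],
        "dst_port": int(fields[6]),
        "content": decode_content(opts["content"].strip('"')),
        "dsize": int(opts["dsize"]),
    }

def matches(sig, proto, dst_port, payload):
    """True when a datagram satisfies every condition of the parsed rule."""
    return (proto == sig["proto"] and dst_port == sig["dst_port"]
            and len(payload) == sig["dsize"] and sig["content"] in payload)

def scan(datagrams, rule=RULE):
    """Return the indexes of the datagrams that would raise the alert."""
    sig = parse_rule(rule)
    return [i for i, d in enumerate(datagrams) if matches(sig, *d)]
```

Because dsize:8 equals the length of the content pattern, the rule only fires when the payload is exactly those eight bytes, which keeps it from matching larger UDP traffic that happens to contain the sequence.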