Full Disclosure mailing list archives

Re: Sobig has a surprise...


From: Joe Stewart <jstewart () lurhq com>
Date: Fri, 22 Aug 2003 16:24:07 -0400

On Friday 22 August 2003 03:19 pm, Florian Weimer wrote:
18 of 20 addresses were known to the AV community since Tuesday.  I
don't know what F-Secure is doing here.

Why don't they publish the list of IP addresses so that people can put
filters on their networks?

alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"Sobig Trojan Site Download Request"; content:"|5c bf 01 29 ca 62 eb f1|"; dsize:8; reference:url,www.lurhq.com/sobig-e.html; classtype:trojan-activity; sid:1000021; rev:1;)

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation
http://www.lurhq.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
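
The conditions of the Snort rule above, applied to raw IPv4 packets. This is an added example, not part of the original post or LURHQ's code. The HOME_NET range, the build_udp helper and all sample addresses are assumptions constructed for the test.

```python
import ipaddress
import struct

# Values taken from the Snort rule in the post above.
SOBIG_PORT = 8998
SOBIG_PAYLOAD = bytes.fromhex("5cbf0129ca62ebf1")
# Assumption: stand-in for $HOME_NET; $EXTERNAL_NET is treated as "not HOME_NET".
HOME_NET = ipaddress.ip_network("192.168.0.0/16")


def matches_sobig_rule(packet: bytes) -> bool:
    """Return True if a raw IPv4 packet satisfies every condition of the rule."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False
    ihl = (packet[0] & 0x0F) * 4          # IP header length, options included
    if ihl < 20 or len(packet) < ihl + 8:
        return False
    if packet[9] != 17:                   # protocol field: 17 = UDP
        return False
    src = ipaddress.ip_address(packet[12:16])
    dst = ipaddress.ip_address(packet[16:20])
    if src not in HOME_NET or dst in HOME_NET:
        return False                      # rule only covers outbound traffic
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    payload = packet[ihl + 8:ihl + udp_len]
    # dsize:8 plus the content match means the payload is exactly these 8 bytes.
    return dport == SOBIG_PORT and len(payload) == 8 and payload == SOBIG_PAYLOAD


def build_udp(src, dst, dport, payload, options=b""):
    """Hypothetical helper: build a constructed IPv4/UDP packet (checksums zero)."""
    ihl_words = 5 + len(options) // 4
    total = ihl_words * 4 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total, 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address(dst).packed)
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0)
    return ip + options + udp + payload


if __name__ == "__main__":
    # Constructed samples; 203.0.113.0/24 is a documentation range.
    hit = build_udp("192.168.1.10", "203.0.113.5", SOBIG_PORT, SOBIG_PAYLOAD)
    miss = build_udp("192.168.1.10", "203.0.113.5", SOBIG_PORT, SOBIG_PAYLOAD + b"\x00")
    print(matches_sobig_rule(hit), matches_sobig_rule(miss))
```

The dsize:8 check is what separates the 8-byte request from any longer datagram that happens to contain the same bytes.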