This diary entry contains a list of domains that are exploiting the new IE 0-day, as well as secondary domains that are hosting potentially malicious binaries used in these attacks. This list has been produced as a combined effort of researchers, vendors, and volunteers. You can thank the groups below for their efforts and their willingness to share this information with the public. This list is intended to serve as a quick way to provide protection against these attacks by identifying domains that are hosting these (and potentially other) exploits. This list is not formatted for any specific file format; it is up to you, the reader, to translate this data into the format that your environment requires.
** In regard to IDS/IPS signatures, I would highly suggest looking for the malformed file rather than trying to catch every permutation of the JS/HTML seen. Emerging Threats has a signature that looks for the malformed file; it can be found in their main rules file: 2009493 - ET CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit (emerging.rules)
Read more
http://isc.sans.org/diary.html?storyid=6739