Tools:

• Razorback
• PE-Sig

Web Tools:

• SO Rule Generator

Mind Games:

• AWBO Exercises

Papers:

• Index

See also:

• VRT Blog
• Snort.org

Contact:

• Sourcefire VRT
  research @ sourcefire . com
• Other Methods and PGP Key

The following is a list of md5sums of malware samples which have displayed the behavior detected by SID 16858:

003b02a830ef63f3851ac5ea8adf79a1
075d7c55b530c8fa82ada742bb01e7ff
0778607ba5717a428768ad18ee0ebb86
0834b09cb34a841a7648f685ddcf74ca
0924e0e4f5dbed7826169d2fa0c01eac
092dd76a20d9ff284888ea6f2da1f07b
0caafdba0ed2ecd9bb71758ce945c559
0da3a0304f6f603bc1ea3750673a0599
0e0cd5042871ab600e1cc9744813c6df
0e82da04bf32d307ea8a8e313b7f4c9e
113553072835b69a13fb6ccc917714b6
1139afcedabc438bf4d82195289fccac
122c8117a33940243cae0f38b619bb08
136beb34092515200a6283a4b7823968
17946987e32f9659ec1223b93a2d232b
18b8fab974f7a570275d18a3206fe56e
1a141be7c73fccaae0f52c240d41f9d8
1d313b81bc492458f040348955257846
1da9bec1e22f82e43b1760742d4e68cc
1fb582a6bfa2e347bc98ce3672d14f80
20a22bc804d05ceaa2fa1c1dc5bca915
22ed63615d0a6048d56cdad8fdb08eb1
233acd9dfd279e3e71beb25a6ff5d209
23c002eb21b6a3e89fb82214990962ce
264b2861927a00cd9edd4dc38f428e56
26d0815a05b2db07f3cf79673b7c2c68
2a00820049070aed1a3d8eb1155b1731
2c76217d57f42a7e33ba3463e05f3f4b
2c9e4b551d2ab17ebc4504151fcc6bd2
2e80257f9c377301c1184a697271b8ad
2ea887490278b5b9189d260370490b36
2f719aaedfac5dce0775de3682d97138
2fb9679e8b1b9af35f9c668f2bf0aef0
30f1c65788a0b0539b850cc6ecbfae40
318b8fd498f9cf29346d9eb36d2eb4a6
31fa8db5ed5627011135bdeab2388b7c
35454f31c8cd012f53db865e95a9d216
35b0a17b9fa3ad3f9be9cb0dff611d01
3b1713fcb1c8bfba45cd996a7791f7f2
3b2269bb084cec0b29d2ec315f06fadb
3b872225bea2f419c00970c26fe2f60e
3ba436cfaffb085be1d7472fc155a866
3e74068e43e24db9185b3d1bf4050461
3fb6f2b07e58b85277c8752f989641fb
411bb8017481e1bc65c6d8d0cd04a562
413cd8c96c78e46bed7a701fc83d2c61
4261b17746f8105e174bc6af8368038a
4752192ef7ef16ba316576ba0aa1491d
4a868ea97348bcd0b15f92f1c8e7fb8a
4c07c53d1f6f1628d550270acbd22f2b
4e2d133c2ba95fe67752d63a54e6169a
4e5c075b2d2e40a120bec890fc3cef03
4ed9c59550a2fba41f9b2683b87705ed
5377ab1945d9a0423c08fa90536658f8
538a7ee1beb4449c60fd296c2ff68324
54e10241a86f2640f5800cc90214e5bd
56bc106d68fe684fb4e6b9dd87bb79c1
57119b16fc0f73a22ce7aa7d3966bdca
5965bff790763890bf6f9d45f2c944b4
5abe283154d15ac77e9ea0f079bbf7f2
5b1e199c44e8f19a6ebabd5a9a5679b2
6046ced18e6c962662b29c60462265a5
606a634419a7cef2081fbe299fcfe706
60d022029cf4e36720eef3fd71b47c79
61aad573f9b5b51d820e2048966f10f6
621d123c4751a8c0578c6212ff1d6a8c
631d5f7d705a833f19fa29eb17a90838
63e1046e6f499ba9f26ca07283837c3e
6446df7b359d9aee333098aed65af0b6
65d097b702a92705e42063e84dd5ab23
663557c09034ba15f24022cd326040b6
67b4a82b7fa52d50880be803014a2be1
67bf739913079d1babe0ce40436b4039
6828bee908c3612e1ebf9dc07cbcc5b3
7324cefc7c318464bfcc38a6cefeadb8
7515feea208c5058f5887cda4d7bd4f9
76cb678e27d34a172548d038bed69787
7886a3357ba097cb50dbbc482092a66f
7a1cf3bf2e0b639230968548aadafd5e
7a470bef239bec6f7b36154a5624565c
7ad4b5d1598395a734860bead5c32825
7d0f7dc34e68eb01a40bb4c73679ea1d
7e48a93acb320ffa5f1c8157d3bdac47
80899eb63f358e478a7f8481e764479c
84137cfaf6b6178af38f82709dd19186
84c7e503b45873c5a4a2588c2eddb8af
8782a8fe4995d42dab912b5c48e3c41f
8aa4229991e53afd043e16b7d4daa019
8ec64c12f1538ffc050a7e655f3b3786
8fc35052051b77d1f7f7765dd860b879
902f8410bbe5f0c222e7ba1f34656a5c
9114e9c29b044ed80110874326a5b747
93c7a9986e1b7aef4efef3532d67923d
947e793c27ad8c43c569b33df09e1814
94d08ddd938256c81ca742537ac42ea6
9a73c84228f5bfa5cdd4f2c07037df5f
a0bf49e5da67534ae41a2ea31a49dd0e
a1ed64b77fee4907c766e8df69fda7ed
a3c4c374930156a5289771b876b56fa7
a4223152df6f98aa874be794d01868b2
a8b02065470858ca5b64155cd07a486d
afe3a33b83aa0d9c7add30810a134687
b17437ea9cb6a73a65ad15af7d23b3f8
b1e5bf1c0260f188c320a36f3cdde50d
b582201e56a5ed1a1f2f85fd79b6e6ae
b78302faee1998c9a03e0a19a7d0ea48
b8469f12ea460149ad5a574b001b5fef
b8db2e57e2c382cba0b27e9cbcaee0ec
ba2e57567993a6da9476961be24deb9d
bab9f05ebfb83fb0b1e99c5681eb1f09
bc9d89d6f107844f764df2121a4d4975
be1dd79307b980e8cce73dffbcdd634b
bf80ca827d909bb9fa50a08f9a753785
c6c9bd6f4b8f666a4ca6ceecb0b8ec1a
c7d4c8fe20f72f45c54a5ef860531e9e
c8197185097c94bfa90d3930d2c86de1
cc6ecf5211d96905d07d7fb54e94a5c4
cca577c6ae13987f814689f02279d297
ceed0cafb36236ae765da9b2602cf600
cef89cf5f2923066102e0d647932f419
cff6b5420319e79823a7d91ad2250e43
d13f9e5776a79716621649f11c8a2f69
d1739d239ec91aae824638fd59664cb4
d43a9f750c4bb7d1864be867766c63db
d455239e8f1539a0aae3051dea3e282f
d5120194b427471e28acc9dad5fbbcff
d642cbbe6f374ab2f1db85af9196fe25
d7001ef032a8f97ffb9f2d5a7a6acca8
d78ac8b706ab7964d3adc095d8c6be9a
da1df122563e0740fa1193b46eb8e72e
ddefaec0fae78f32b3557abdce4c5be7
e59d0a3beb27f8b02f9c2a94d5220243
e715977ad6477f835be5cc50ccd5f0c1
ea0c801849bdc605c53d6a71c38d37dd
ea500c302e90234470080fcb90aeb60a
eaa36bd56b3b0861de83a198dca33571
ec3a7703a03a31b900b7289dfce188b0
ec57dab8b6a2b6fd2d37a9870ca531d7
ec9a25f22dfe2c06f3a376c773e99947
ed1e188690f1b59db46ba72a86dda652
ee9a31df9867d49ef77e2a32219a5dab
eefd875eba90be73ef13cb0581a272cf
f048bcaef2fd2b869709fa4c0a39b157
f323b24ad743fa68474e8cc560a92a47
f37f0dc7e203e6fdfb30bf3b30a93c7b
f6078a5f5f3d1f7c3392c3a98b7d1317
fa17b554c680858d6c5851728cefdfb3
fb72b28147e07bce7528a5288ff234c1
fbfc75a369957a443f316ab203237bab
fce4a487a8bf4700b7b7572b5131409f
fe0f9bad2aa19618186b984d86ec82cb
fe4f21b8d902cbec4672fe145a6b95d7
fe50c52d86581033d46ba914d7a4b3da
ffc645ebbdfce9155cefa7e5eea1160b

('')

About the Sourcefire Vulnerability Research Team

The Sourcefire Vulnerability Research Team (VRT) is a group of leading edge intrusion detection and prevention experts working to discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.

All materials contained on this site © Sourcefire VRT