Tools:

• Razorback
• PE-Sig

Web Tools:

• SO Rule Generator

Mind Games:

• AWBO Exercises

Papers:

• Index

See also:

• VRT Blog
• Snort.org

Contact:

• Sourcefire VRT
  research @ sourcefire . com
• Other Methods and PGP Key

The following is a list of md5sums of malware samples which have displayed the behavior detected by SID 16861:

0089437e4ec6fad2e57a4a75aa98b0ba
02171d6abdc3f7dd3083271d6261bb55
04b427832bc4bd9605983f8336959ec2
072c8d56202bbd8803caca67038979f2
078f16f30389c3195d34157ca5fa6b83
080d689381924789358fa27956364baa
092eda53f5dfa159e295ba81d43223bd
0bceb57c4a3a43e05d8c7450abe12905
0ca670e0ed3601705ce60c09da94d272
0f4d9b05e1835080feb669fe0cada737
0f50e700beef502fb8ac8caf837f6e20
10b5c0ccaeaa66e753e8112dcab8cbf2
141b5fad11684ff7455e656c46619cab
144a8e8c80a8a629c8a1297c65d0658a
14a9faf18e3c40c6f114c0d1a7798c25
1613a874023aeb429e839d2d89819d0d
176b7fff95997f3adfe11daf4e1995e5
17c5b5a300ab186f08ef75ac4efb4645
180a8d1991c5dbbc01f883e5254fba0f
186fec06e66dc3aba6d4f73f1105499f
19bd33bf6a8920788d2affcf9a1d98d2
1a9994cbd5f593b9c5c43b45dbce3a54
1bde08e756fc29adb47c1fe682a8f3bb
1d4149f1b331338a7abf10e87c4397e3
1ec61977d71818754c9163b926d71679
202855f658124fa77114d22817a74faa
2039a5fb6769633143a8fffb25d7b994
20af08e9ed79a8d5ec1a8c5fdf8c27fc
2388033775a8ca405182171ce23391e7
2414d7c2389b663835e82044e52d8185
24dc43e36601ca4fa45f34f1b63e8c73
26fad71dc5f50695d94927dc4afa0dfd
283c758afa2e33c4db8dc601494ecad8
2a9ce7f7b69f7d41a2f8641693ec3aa1
2e56065d30520efc4fb570759fd0e4bc
32c8fe3f0fb636ecb8fc1a9f7f71c670
346b82db2e3aaa6da70607b76dae1af3
34fdba71dc02e7b45ede9349c00f4fc4
354c4108e6a563af655de386c5df132d
368ecc07afa4bb00ced2dfee295161ce
3b442f41bc4368bb8984a48d93dfea09
3c2ad6d0aa0e8a98f1d28e6e06791571
3d9c911901831cbd84fe578ccf3404a7
3f0d74011baef0bc96d4df799ea67394
42b333005904ae41f885cb3d0fda532a
44a197a2dd4ced5030e18d601f57b86a
4654301758a64438d9cd45dfa95821ad
492098062f67bc2495d347770224922b
4f806d132960681b36cd76bd0ab40652
4f8be34407256c05f14822497b2e6f3b
5520755953bf4fed7d9955396591da0c
5605cf585e7d996e8065d2f5b150dc97
58755390721372522b49dc53c7a501cb
58af12ca81bcd79302c9026872f59a85
590ea81dd96c1fb1cced89805e34039f
5970f3d982413e0f215623b5e44d9bef
5d18b58fb063ea285e8b1e866659c7cc
5ea761a1a24f5b21bcba861cd84292df
5f081a31e710f218b988cf09dacf6761
5f599c403dacfe9d52ea5c9eb9699802
6097e4335ff4360a30dee58eb94cf6ee
62a527f41abd8290e68a307c143aefa5
646053a521a9ecbbe970a8bdd38ca662
648418f6ee30ac4fb7e7d61d539bf6f4
65837266dc7dbfcdb9ffb3e1e8f85428
682911b9381833d692aa3bfdb622d4a9
68bc89d125e6604ff85d8e0a80e7adeb
6ab376d4e1a95ac07de3ee34e293d94a
6e657b7afa76c824d44968d2072a259c
7023fa4f5da56d766b3b27b7867bec71
716582a0c295b184743635b09fb516f0
7273f48d0e3c71061fe55ccc129e27ec
72e0d28bb63d2f6388078cc33b0b1921
732b7133caa9c960344e5c36e995d239
7ac8caba88b03319419c1ae99b246497
83f6ec7ad453b0905ea12c9ef1e32108
8749ee9d528b87e8da5cc38d44345d78
89031ab33523dcb6baf9dfd49a391275
898ad84494c01ddec63d67038762f84b
8a573999cde5a52d4522f5c3254855b3
8c1f1ad6c0bd403d9d21aecba2ed9ace
8e6dda9f80e8394538a8a670f4e7445d
9109412e906f9bbcef4d67deaf560840
955fe125d7bdcabaee03dd2a95ac373c
963ebee6f556ba72458d2204addf291b
974872ab1dc34632a5937287f9135cce
97e3ae1c5002a27eb3a2ecaa8d39cabb
9c43360e56ea8e535c5e55166639e41e
a10ce867c1b4d754b065e37561c6b89f
a223cd51617b5c077a1e20cd45ae3cce
a44d961470c38f4b46d70cb335055adb
a6d0872d17078f6c8e9ba66ce2b9e891
a7d4cc29a10ca1bc852c9ae078451b0c
a867ce9815a1e1d97538b60ad0d20c6d
ab8cdcd1434331701018f7e1f3fb52b2
ae0a2bb1d80e821869a30daa31326a88
b0397777bf69c7d90ae1b60d6c1bc9f1
b1cdea296ca5254f3d0816d385ac9d61
b82649de94abece348335a906df20a91
bb11d048276b30fdc2891ec6847ef6a0
bb8441e909adbfd304a5147e2769b694
bd156680fb4c4026254e2aee7c5b94bf
bd2f1d05ab0fec92b3f0eaa6c1b4c35c
bf5fb7e97a85116301e5dc009a44a56f
c2605bd5b4e86837fc40e6835a8d4876
c47460da7ce7624e66b6c3ebd2226025
c863fb6b00a736fbf3c2790f7098f5f6
d159804daa5df075ace81e4ca42bb9f0
d631a8915e9c43dc217d98c83f821dab
d7fd57fb29b741fb19e1c218f8571e11
d8437a9d31b7c2f108e0a172c7b14c3d
d9684a60bfe90226413f755963e4deec
dc2a0290e4d68e8a9fc1f405644c4830
ddcd030b670c527c1ccb5bf1a456c1f8
dfedff0dfe6c0d4cf08cf4f03aa19a1f
e06af06c1ec19982e9d0cf35071e1f58
e6c7aecba6667bce6f5e223c6bf46c3a
e7b34e87028e521ec67aba8f790e3cfa
e81bd3d134bee81410109de5726d1866
e83e45f804e4b3f6632ca1af5e951ba0
ebbe21933149e1ba445d72ee96c8bd19
ee0521620db3962e6196fe84a36ad43d
eee520afb542837081e3ddc776247176
f1be1a52b281faaddc191e538b508f43
f47798c21354caf4238474c802864461
f61f83c7148694f446d9a2c5042ea47d
f9cc027e45b69ca2f4a19042fe4c1abf
fb9cee450d5a749c4bbe799e48e71cdb
fcdebb6b9ff72d4977fd8603e8d823fa
fd70e539bdcf142ca75219f48a41ba12

('')

About the Sourcefire Vulnerability Research Team

The Sourcefire Vulnerability Research Team (VRT) is a group of leading edge intrusion detection and prevention experts working to discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.

All materials contained on this site © Sourcefire VRT