Tools:

• Razorback
• PE-Sig

Web Tools:

• SO Rule Generator

Mind Games:

• AWBO Exercises

Papers:

• Index

See also:

• VRT Blog
• Snort.org

Contact:

• Sourcefire VRT
  research @ sourcefire . com
• Other Methods and PGP Key

The following is a list of md5sums of malware samples which have displayed the behavior detected by SID 16865:

0102e0c5db8732d74a2675c05b8dbe04
02b1065401f9c3e67c480498c57e6b26
09198d9e8a58f70a8be70b99aa2373c5
0b6d8bafb0d4f62db3a2fd1203d645d4
0cbd61ad6ec1ab8bba39e2c17e9a6a19
0d51272273c8daf67804bccb40cb03fc
126ad874ca9a4f60b850d07961068ff6
15b8781ff68a3f21396cc0e7a42fd07d
162a8dce3bfbdb2a3c4445837f899995
1b5e42e80a5febbd966f16bcfd0074c5
1eb12fa737d4364fd4142853631010b7
20019870dca08c6b92b5b956aa7ed303
20a93beb4dbf61ff43cc523ace7d6b1e
20ee9ca62ed38c69bdcccc978d061935
21c10aa5c4a3c98cd42604a6e5887714
228d9c801dd5b1e97ba580e67d588fdd
2657439bd4aad607ea3ed13428f8de63
314bb8c58976acedbd2887656249cae8
344d12a8c6b54f866fc7515912f46373
345a84dc7445b40934d510a8fa0bf021
351d51c64d3e2e58685b704a11ba2c59
366f9c3734a5de9e8e6ad239bbedb313
39dc263ee8bcb786ee4bcdf8ed1a7543
3a3493750814e781a6e7acc50d33ce82
3beec2b8b93a46ca1053fd9c82bb9fe9
3bf87f8f7004cd8b681c41a0c09b8456
3d28a0a3dc7296047b7a14f1175cafd2
3ebdc9d600086f4f9fb001c4dabb2477
3f33320bc89fafa81a1cb684b2d2e7ba
42c4b464146bbebaf91027808b46ad93
464098c7036d530b053e118988a5ed5d
470cf63ee1d4d8110bf4abf2e8c0de34
48531095273e00121efab28e7c5b0731
48e13d1e5de60be8a8a478205dc2f9f8
49562a2d6fcb052a1d99f408743bc1d0
495879a7741eb91bf63e965dbc4e7e24
49a7cccf623eee4ada8e6a6b77774a40
4ac32c3dd86c1315030c487fbca39dac
4b5f840d0381c90787577aec69ea7495
4bc6541b4e402f73462ad8ce139146b6
4d33aefd964e94228f803bfd3ef927b9
4e9f6cb6dedeac976c0b65505079ab8b
5343d3ef60985d344ab219b450c876dd
578d0bc1cb16a3755e689457ad4fae6c
5799f9986f9d40c30474b48b8aa15956
5aa8050346a7de4edaa6157087d6b9b9
5ba6751c906c19433736f134907f73a7
5be8ccf7d9b36e158dc7863dfedd5155
5f7c7bd0399a7e791f6eae9ad94cd846
601092712e6d163445c9ac2dfa2f055c
60d1bd35b56f43634be6b024ad9f9e1d
633b2c6b0d440b7c69dc7a7c62ff7b7f
63e15012f18d8e0d23e98fa4268d548b
655f55a02a1450233a776fc6f00553c5
66207da564889ba7a053c537703d891c
66ebd73e9cdecc725649bbe5a812ac71
67ce89e93abf3d5ba5e41ca6c9b2a3ec
688d1cd597d682886cfb51e46cfc73a5
68f5732dd5f9ceacf1452e3de090843f
6daa059f7a57aef7cfb292b4da9dc901
6dae1c92d350a66a6d9fee23741afa66
7373de0b152964aac9aadcb37399479a
74b976903d84a0baa48c11533c23073e
782f854cdc29b0b888e27de4ea6b059e
7c3bef5bf3c2d40a031def86200bb75b
7cfe28cb9d5fff6c7b98f0734410c05c
7d1ba084e1a889a58862b27c4229488e
7d2e50e418880f4e50cdadb6dd6a3c85
7fa069a2d6adfb074081363d68129fc8
810b3460b30c5f8560311096a4b7c3e2
83227b593f7b95b0be3ac41c61397649
84000410d0e8334d46621daa7193f09b
869830c5b1299976979dd718afb694a6
8842c1de05982f97cbd905d3094ad699
8a690de210d84143b63b87e1347382b3
8a7bacca2cc8ead91359c847e5b5ece1
8bb1ecbf53dcec517602cb99522c4bd0
8f774e4eb1778d16b974f715072c5e36
9189716858752e9fd3cb8cfc962e1365
949c28c1cac49d666832a0b0e0c2cacb
9a745dae407237394e2f8e4ca2d169b3
9b563668ae8f2b6baf7b5a929228c8f8
9c1b5ea2d357a009058e6599adc5919e
9e9182e40e21098f5a77fd6d8c9f2588
9ee9f7949a0413802f883a1449fcab2b
9fed8e8248b2d8269d83932a2a55ccfc
a01ea82937ae94a511ea96fbd7bbb4b3
a29226ce9cfcae669c1f1148c9f0900a
a399bc6e9fc585de0340a77913f076a3
a511027e205a89ba0779962feaaa3c36
a5510dd628d4a493482328167872959f
a5786cdf17d8cc044bafc911c47593b4
a743462fdceb773a2d26c452a2189218
a949d0d9bce30b167db5dad70d6cbe49
ac91e621ccdb99b4687d90e69d1f5cb6
ad445ecfa35eb533d29c2830d11abf51
ae2f9d30fb4e8effb51d8dbc255ff961
af28e01e16a014bf13f2c7880ee1196f
b1dc9d937faa21618a99c5707bfa9d8b
b1de5e25bc11717247d74c76cbf82267
b3b60ed064e3e2b737c522a055634461
b4daaa014748722e2468bb676be52860
b552d567154bfa7ad9f61748cdc40723
b66340a7b8a2b85fa3e1b7741252d1af
bb532ed585b182678574c064c9030606
be06446189eccd64baae23b12986eb47
bece843f0084fa65a469ca0be1ad37f2
c0c4c10c05b9d36450fad26529c228b9
c913f971e2c5360590d2be53d8e69ec4
cc87ce557bdc69b48fdda1b6e5395673
cf00e70b891ae81292bf78620655a05a
cff744dedafda5c367257e5e3c9659ed
d06713c310ac391e598d3ece1f20f9d2
d0c403b9ecebd6d58f99d81eec1aacb3
d16c6225b95600e446d10019c245a5cb
d3c9f9cbce04fd96d842ed80a40b1744
d41f87e1202ce4dd2a6c9e7bc32438ab
d49347291badc6c5924a32f8859303dd
d5966c98d94eef6338fe4ba75f7645af
d7758ce83eeb3140051e0807f41e87a8
d8690441a62abcfc89d1316e5147bd1b
d93ca6ee4d3e10d872d4990596f7559c
dbe5a2f38adbb1ce75ed615012d42529
dfaeb6262398d8c24d59a3991c3b5194
dff9b42316ac204569d846b108f747af
e034df49979cfd8e50fd4aac1912fc52
e1ba13c9a21a96495ad472d14d1dbf50
e1cea9ee99ef81fdef7cb855a28958d4
e68c9609c8d456098af790efeaafe498
e6d52dd3bf759af5c738aa6a7ac80fa3
e73573e77bd6854402dfd9dcab5ff9c7
e7f605a4f15edac61407fa9ee17e6638
ed90ffd5b656fb1042072d180a2f8415
eea9ce494a726ca7f60ea8f20f8afc22
f02899f59c6e5e2aff9171a476b388c0
f080325f9b76726515c6903448bacc45
f130801b33a10338f1eff9326648dbfa
f24bf2fd79f89dddc263c818ce8d759f
f4a37b76b2c2b37339871e41de2b74d4
f5a68a1f7db1aa29fb4ffbc05c795f55
f6ad2b62d2dbab953bc3cd3c009e4aa2
f8af98d380b9e381166498b2dd4b8a10
f8fdbb4331e8d64623116afa805a5688
f9e9d1f15d77db2ac71673aee391b4f1
fd525ffc379fb21f28dcff04518cd411

('')

About the Sourcefire Vulnerability Research Team

The Sourcefire Vulnerability Research Team (VRT) is a group of leading edge intrusion detection and prevention experts working to discover, assess and respond to the latest trends in hacking activity, intrusion attempts and vulnerabilities. This team is also supported by the vast resources of the open source Snort community, making it the largest group dedicated to advances in network security industry.

All materials contained on this site © Sourcefire VRT