Does anyone have rule ideas for detecting this CVE. I have searched for extension=swf but that as i am sure you guessed was to broad. Since this is in the wild any help you could provide on this one would be great.
What tools are you using for detection, strictly NetWitness? This exploit can be served up several different ways, and I doubt in the wild it will always be seen as a .swf. I've heard that it comes in a .docx carrier file as well.
Best bet would be to get your hands on several samples to really know what you're looking for. If you have ECAT, you could also cook up a Yara rule for host based detection.
One of the best ways is to look for the C&C servers mentioned in the paper. We have seen one of the hosts, www.mobilitysvc.com, used in malware back in September. The 0day report does not mention MD5s, which would be much more helpful.
Add these hosts to a feed of known C2s and you might be okay-