This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

CVE-2014-0497 Help

Anonymous
Not applicable

‎2014-02-07 11:00 AM

Does anyone have rule ideas for detecting this CVE.  I have searched for extension=swf but that as i am sure you guessed was to broad.  Since this is in the wild any help you could provide on this one would be great.

 

Phil

0 Likes
2 REPLIES 2

RSAAdmin
Beginner
Beginner

‎2014-02-12 11:40 AM

Phil,

 

What tools are you using for detection, strictly NetWitness?  This exploit can be served up several different ways, and I doubt in the wild it will always be seen as a .swf.  I've heard that it comes in a .docx carrier file as well.

 

Best bet would be to get your hands on several samples to really know what you're looking for. If you have ECAT, you could also cook up a Yara rule for host based detection.

 

Jared

0 Likes

RSAAdmin
Beginner
Beginner

‎2014-02-12 01:06 PM

One of the best ways is to look for the C&C servers mentioned in the paper.  We have seen one of the hosts, www.mobilitysvc.com, used in malware back in September.  The 0day report does not mention MD5s, which would be much more helpful.

 

Add these hosts to a feed of known C2s and you might be okay-

 

sales.eu5.org

www.mobilitysvc.com

javaupdate.flashserv.net

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.