Obviously at any holiday-ish time of the year the malware writers out there are going to package their warez in an appropriately named file. This time it's Christmas.e x e...
A reader wrote in and pointed us to an article over on f-secure. Check it out.
A nice quote from the article.
"We've just received a sample of something that's called CHRISTMAS.EXE. When run, this IRCBot variant will try to download various malicious executables from web servers at waiguadown.008.net and user.free.77169.net. As a decoy, it shows this Christmas-themed image... Obviously, a gift that keeps on giving. To be avoided."
It would pretty easy to write a Snort rule to catch these. You could do it one of many ways.. Look for the DNS request, look for the GET, so... have fun with those. If you'd like to write in with a couple examples, feel free.
Happy Holidays all!
/** Joel Esler **/
Dec 23rd 2006
1 decade ago