TMS zl Module IPS/IDS Signature Reference Guide RLX.10.2.2.94
ProCurve TMS zl Module IPS/IDS Signature
Reference Guide Version RLX.10.2.2.94
where an attacker could perform a stack-based buffer overflow by sending a crafted request to the vulnerable function
"NetPathCanonicalize".
Signature ID: 35599
Downadup/Conficker Worm Windows Server Service - MS08-067 vulnerability
Threat Level: Severe
Industry ID: CVE-2008-4250
Signature Description: Win32 Downadup/Conficker is a worm that propagates via removable drives, via network
shares, and by exploiting a vulnerability in the Windows Server Service known as MS08-067. It does not spread over
email or the Web, but once an infected system is connected to the corporate network it immediately scans the
network for machines that have not been patched against MS08-067, infects them silently, and begins spreading to
other servers. This sleeper worm could allow attackers to steal financial and personal information from more than
eight million computers. The exploit is delivered when an external attacker connects to the target over SMB
(TCP port 445) through the "IPC$" share. The worm brute-forces Administrator passwords on the local network, and it
infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the
device. The autorun.inf file is padded with about 60 KB of random binary data; this can fool some anti-virus
programs, which then fail to scan the device properly and never pick up the referenced DLL stored on it. The worm
also attempts to block running applications from accessing security websites. An infected system starts an HTTP
server on a random port, so that a copy of the worm can be downloaded by other systems vulnerable to MS08-067,
either from the infected host or from various malicious external attacker domains. This signature triggers when an
external attacker tries to compromise the system through the Server Service Remote Procedure Call (RPC) path
handling, where an attacker could perform a stack-based buffer overflow by sending a crafted request to the
vulnerable function "NetPathCanonicalize".
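The padded autorun.inf described above works because the Windows INI reader silently skips any line that is not a [section] or key=value, so the launch directive survives however much junk surrounds it. The following is an added example, not code from the signature guide or from the worm: a parser that reads autorun.inf with the same tolerance, recovers the launch directive from under the padding, and turns the amount of padding itself into a detection signal. The sample file, the DLL name `dropped.dll`, the padding threshold and the blob layout are all constructed assumptions for the demonstration, not the worm's real file.

```python
import random
import re
from dataclasses import dataclass, field

# autorun.inf keys that make the shell launch something when the drive is inserted.
LAUNCH_KEYS = {"open", "shellexecute", "shell\\open\\command"}

# Assumed threshold: junk this large is far beyond what a genuine autorun.inf needs
# (the entry above describes roughly 60 KB of random padding).
PADDING_THRESHOLD = 4096


@dataclass
class AutorunFinding:
    launch_commands: list = field(default_factory=list)  # values of launch keys in [autorun]
    loads_dll: bool = False        # a launch command references rundll32 or a .dll
    garbage_lines: int = 0         # lines that are neither [section] nor key=value
    garbage_bytes: int = 0


def parse_autorun(data: bytes) -> AutorunFinding:
    """Parse autorun.inf the tolerant way the Windows INI reader does: lines that are
    not a [section] or key=value are skipped, and names match case-insensitively.
    Instead of rejecting the junk, count it so it can be used as a signal."""
    finding = AutorunFinding()
    in_autorun = False
    for raw in re.split(rb"\r\n|\n|\r", data):
        line = raw.strip()
        if not line:
            continue
        section = re.fullmatch(rb"\[([\x20-\x7e]+)\]", line)
        if section:
            in_autorun = section.group(1).strip().lower() == b"autorun"
            continue
        # A key must be printable ASCII; anything else is padding the INI reader ignores.
        kv = re.match(rb"([^=\x00-\x1f\x7f-\xff]+)=(.*)", line)
        if not kv:
            finding.garbage_lines += 1
            finding.garbage_bytes += len(raw) + 1
            continue
        if not in_autorun:
            continue
        key = kv.group(1).strip().lower().decode("ascii")
        if key in LAUNCH_KEYS:
            command = kv.group(2).strip().decode("latin-1")
            finding.launch_commands.append(command)
            if re.search(r"rundll32|\.dll\b", command, re.IGNORECASE):
                finding.loads_dll = True
    return finding


def assess(finding: AutorunFinding) -> list:
    """Return the reasons an autorun.inf looks like the dropper pattern; empty means clean."""
    reasons = []
    if finding.loads_dll:
        reasons.append("launch directive loads a DLL (rundll32 / .dll)")
    if finding.garbage_bytes > PADDING_THRESHOLD:
        reasons.append(f"{finding.garbage_bytes} bytes of non-INI padding across "
                       f"{finding.garbage_lines} line(s)")
    return reasons


def build_sample() -> bytes:
    """Constructed sample (not the worm's real file): directives interleaved with
    four ~15 KB blobs of deterministic pseudo-random bytes, about 60 KB in total."""
    rng = random.Random(2008)

    def blob(n: int) -> bytes:
        # Leading 0xFF guarantees the blob can never parse as key=value; newline
        # bytes are excluded so each blob stays one line of junk.
        body = bytes(b for b in (rng.randrange(256) for _ in range(n)) if b not in (10, 13))
        return b"\xff" + body

    return b"\r\n".join([
        blob(15500),
        b"[AutoRun]",
        blob(15500),
        b"Action=Open folder to view files",
        b"Icon=%systemroot%\\system32\\shell32.dll,4",
        blob(15500),
        b"sHeLlExEcUtE=RuNdLl32.EXE .\\RECYCLER\\dropped.dll,StartUp",  # hypothetical DLL name
        blob(15500),
        b"UseAutoPlay=1",
    ])


if __name__ == "__main__":
    result = parse_autorun(build_sample())
    for reason in assess(result):
        print("suspicious:", reason)
    print("launch commands:", result.launch_commands)
```

A scanner that stops at the first unparseable line, or that only inspects the first few kilobytes of the file, never reaches the shellexecute line; a scanner that mirrors the INI reader does, and the size of the skipped padding is itself a usable indicator.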
Signature ID: 35600
Yahoo Messenger 8.1 ActiveX Remote Denial of Service Attack
Threat Level: Warning
Industry ID: CVE-2007-6228
Bugtraq: 26656
Signature Description: Yahoo! Companion is a personalized browser toolbar that gives access to bookmarks, links to
Yahoo!, and other features from any personal computer that has the software installed and an Internet connection.
Yahoo Messenger 8.1 and prior are vulnerable to a stack-based buffer overflow caused by improper bounds checking
in the c() method. By persuading a victim to visit a malicious Web page, a remote attacker could overflow a buffer
and execute arbitrary code on the system or cause the application to crash. No remedy was available as of July 13,
2008; users can set the kill bit for CLSID 02478D38-C3F9-4EFB-9B51-7695ECA05670 to work around this issue.
Signature ID: 35601
Yahoo Messenger 8.1 ActiveX Remote Denial of Service Attack
Threat Level: Severe
Industry ID: CVE-2007-6228
Bugtraq: 26656
Signature Description: Yahoo! Companion is a personalized browser toolbar that gives access to bookmarks, links to
Yahoo!, and other features from any personal computer that has the software installed and an Internet connection.
Yahoo Messenger 8.1 and prior are vulnerable to a stack-based buffer overflow caused by improper bounds checking
in the c() method. By persuading a victim to visit a malicious Web page containing hex-encoded data, a remote
attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash. No
remedy was available as of July 13, 2008; users can set the kill bit for CLSID
02478D38-C3F9-4EFB-9B51-7695ECA05670 to work around this issue.
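Both of the Yahoo Messenger entries above (35600 and 35601) give the same workaround, setting the kill bit for the control's CLSID. The kill bit is the 0x400 bit of the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; with it set, Internet Explorer refuses to instantiate the control, so a malicious page can no longer reach the c() method. The following is an added example, not code from the guide or from Yahoo!: it builds the .reg file for the CLSID quoted above, verifies from a registry export that the bit is really set (or-ing the bit rather than overwriting other flags), and applies it on a live Windows host. The sample export and the placeholder CLSID {11111111-2222-3333-4444-555555555555} are constructed for the demonstration.

```python
import re
import uuid

# Setting bit 0x400 in "Compatibility Flags" under this key tells Internet Explorer
# never to instantiate the control (the documented kill bit mechanism).
KILLBIT = 0x400
ACTIVEX_COMPAT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"


def normalize_clsid(clsid: str) -> str:
    """Return the CLSID in the braced upper-case form used for the registry key name."""
    return "{" + str(uuid.UUID(clsid.strip().strip("{}"))).upper() + "}"


def killbit_reg_file(clsid: str) -> str:
    """Build a Regedit 5.00 .reg file that sets the kill bit for one CLSID."""
    key = normalize_clsid(clsid)
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[HKEY_LOCAL_MACHINE\\{ACTIVEX_COMPAT_KEY}\\{key}]\r\n"
        f'"Compatibility Flags"=dword:{KILLBIT:08x}\r\n'
    )


def is_killbitted(reg_export: str, clsid: str) -> bool:
    """Check a .reg export of the ActiveX Compatibility key (e.g. `reg export ... out.reg`,
    decoded to str) for an entry whose Compatibility Flags include the kill bit."""
    target = normalize_clsid(clsid).lower()
    in_target = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1].lower()
            in_target = path.endswith("\\" + target) and "\\activex compatibility\\" in path
            continue
        if not in_target:
            continue
        m = re.match(r'"compatibility flags"=dword:([0-9a-f]{1,8})$', line, re.IGNORECASE)
        if m and int(m.group(1), 16) & KILLBIT:
            return True
    return False


def apply_killbit(clsid: str) -> int:
    """Set the kill bit on a live Windows system (needs administrator rights) and
    return the resulting flags. winreg is imported here so the parsing helpers
    above also work on non-Windows hosts."""
    import winreg
    key = normalize_clsid(clsid)
    with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, f"{ACTIVEX_COMPAT_KEY}\\{key}", 0,
                            winreg.KEY_SET_VALUE | winreg.KEY_QUERY_VALUE) as handle:
        try:
            current, _ = winreg.QueryValueEx(handle, "Compatibility Flags")
        except FileNotFoundError:
            current = 0
        flags = current | KILLBIT  # keep any other compatibility bits already set
        winreg.SetValueEx(handle, "Compatibility Flags", 0, winreg.REG_DWORD, flags)
    return flags


# Constructed export (not taken from a real system): the Yahoo! CLSID from the entry
# above with the kill bit set, plus a placeholder CLSID whose flags are zero.
SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\r\n\r\n"
    f"[HKEY_LOCAL_MACHINE\\{ACTIVEX_COMPAT_KEY}\\{{02478D38-C3F9-4EFB-9B51-7695ECA05670}}]\r\n"
    '"Compatibility Flags"=dword:00000400\r\n\r\n'
    f"[HKEY_LOCAL_MACHINE\\{ACTIVEX_COMPAT_KEY}\\{{11111111-2222-3333-4444-555555555555}}]\r\n"
    '"Compatibility Flags"=dword:00000000\r\n'
)


if __name__ == "__main__":
    print(killbit_reg_file("02478D38-C3F9-4EFB-9B51-7695ECA05670"))
    print("kill bit present in sample export:",
          is_killbitted(SAMPLE_EXPORT, "02478D38-C3F9-4EFB-9B51-7695ECA05670"))
```

Two caveats for the check: on 64-bit Windows a 32-bit Internet Explorer reads the key under SOFTWARE\Wow6432Node as well, so export and verify both hives; and the kill bit only stops browsers from hosting the control, it does not remove or patch the vulnerable DLL, so hosts should still be updated once a fixed build is available.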