Singnature to detect Flashback trojon

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Singnature to detect Flashback trojon

L0 Member

Does PA have a Singnature to detect Flashback trojon?

Thanks

Mike

1 accepted solution

Accepted Solutions

We have coverage on two fronts for this malware.  First, we have coverage for the 2 CVEs this has been known to use (CVE-2011-3544 and more recently CVE-2012-0507).  Coverage for these exploits have been included in content 300 and updated in 302.  These have also been patched by Apple Software Update for clients that are up-to-date.  Second, we will be releasing a command-and-control signature (13157) for the Flashback C&C network traffic in this Tuesday's content update, to detect already infected hosts on the network.

View solution in original post

8 REPLIES 8

Not applicable

I'd like to know as well. Haven't been able to find anything yet.  PA needs to release a signature ASAP due to the fact that most Macs don't run antivirus.

I hope is realeased soon as you said there are only few macs with AV

By the way Fsecure guys released a free app to check and remove Flashback

Best regards

We have coverage on two fronts for this malware.  First, we have coverage for the 2 CVEs this has been known to use (CVE-2011-3544 and more recently CVE-2012-0507).  Coverage for these exploits have been included in content 300 and updated in 302.  These have also been patched by Apple Software Update for clients that are up-to-date.  Second, we will be releasing a command-and-control signature (13157) for the Flashback C&C network traffic in this Tuesday's content update, to detect already infected hosts on the network.

>  we will be releasing a command-and-control signature (13157) for the Flashback C&C network traffic in this Tuesday's content update . . .

I cannot find this signature in my Vulnerability Protection Profile. Does any have a search term that shows this signature?

It's there.  Go to Objects / Security Profiles / Vulnerability Profiles, Create your own profile, go to the Exceptions Tab, click "show all signatures", and search for flash...

Capture.PNG

Hmm. That's what I did. But I'm not seeing any results. . .

flashback_search.jpg

You are in the vuln profile instead of the antispyware profile - dunno if that should matter (but it does when you search at threatvault where there are virus, vuln and spyware as three different databases for some reason).

It does matter.  Spyware signatures detect the network traffic for nasty things like Trojans, Botnets, etc.  The Vulnerability signatures are for vulnerabilities that exist within legitimate business applications. 

  • 1 accepted solution
  • 7105 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!