SHELLCODE: Shikata Ga Nai Encoder Routine Over TCP-CTS
This signature detects payloads being transferred over network that have been encoded using Shikata Ga Nai encoder routine. This may be an indication of someone trying to evade anti-virus/IPS solutions and possibly drop malicious code.
Extended Description
Stack-based buffer overflow in Eureka Email 2.2q allows remote POP3 servers to execute arbitrary code via a long error message.
Affected Products
Eureka-email eureka_email
References
CVE: CVE-2009-3837
URL: http://www.admin-magazine.com/Articles/How-to-Hide-a-Malicious-File http://www.rapid7.com/db/modules/encoder/x86/shikata_ga_nai http://www.immunitysec.com/documentation/vs_niprint.html http://www.stratsec.net/Research/Advisories/Procyon-Core-Server-HMI-Remote-Stack-Overflow http://aluigi.org/adv/winlog_1-adv.txt http://www.us-cert.gov/control_systems/pdf/ICSA-11-017-02.pdf http://www.s3cur1ty.de/m1adv2012-001 http://www.sielcosistemi.com/en/download/public/winlog_lite.html http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02498535
Short Name
SHELLCODE:WIN:SHIKATA-GANAI-CTS
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
SHELLCODE
Keywords
CVE-2004-1211 CVE-2009-3837 Encoder Ga Nai Over Routine Shikata TCP-CTS
Release Date
06/06/2013
Supported Platforms
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3
Sigpack Version
3336
Port
TCP/0-79,81-442,444-3127,3129-7999,8001-8079,8081-65535
False Positive
Unknown
Vendors
Eureka-email
CVSS Score
9.3
10.0