SHELLCODE: Shikata Ga Nai Encoder Routine Over HTTP-STC

This signature detects payloads transferred over the HTTP protocol that have been encoded with the Shikata Ga Nai encoder routine. This may indicate an attempt to evade anti-virus/IPS solutions and possibly drop malicious code.

Extended Description

Microsoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2014-1773, CVE-2014-1783, CVE-2014-1784, CVE-2014-1786, CVE-2014-1795, CVE-2014-1805, CVE-2014-2758, CVE-2014-2759, CVE-2014-2765, CVE-2014-2766, and CVE-2014-2775.

Affected Products

Microsoft internet_explorer

References

BugTraq: 38613 68101 49924 36881 45246 34363 35759 13120 12881

CVE: CVE-2009-1862

URL:
http://www.admin-magazine.com/Articles/How-to-Hide-a-Malicious-File
http://darkmatters.norsecorp.com/2015/02/24/in-memory-shellcode-detection-using-a-patterns-based-methodology/
http://aluigi.altervista.org/adv/esignal_1-adv.txt
http://security.inshell.net/advisory/30
http://secunia.com/advisories/48740/
http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html
http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trusted-Pointer-%28SS-20
http://www.trapkit.de/advisories/TKADV2008-011.txt
http://www.videolan.org/security/sa0810.html
http://www.mplayer-ww.com/eng/
http://aluigi.altervista.org/adv/cytel_1-adv.txt
http://aluigi.altervista.org/adv/w32dasmbof-adv.txt
https://www-304.ibm.com/support/docview.wss?uid=swg21586166
http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/vmsBtDownloadManager.cpp?r1=11&r2=18
http://freedownload.svn.sourceforge.net/viewvc/freedownload/FDM/Bittorrent/fdmbtsupp/vmsBtFileImpl.cpp?r1=9&r2=18
http://secunia.com/secunia_research/2009-5/
http://downloads.securityfocus.com/vulnerabilities/exploits/33555-SkD.pl
http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-011-orbital-viewer-orb-buffer-overflow/
http://www.scadatec.com/
http://service.real.com/realplayer/security/12202013_player/en/
http://seclists.org/fulldisclosure/2010/dec/110
http://sunsolve.sun.com/search/document.do?assetkey=1-66-270474-1
http://www.zerodayinitiative.com/advisories/zdi-09-076/
http://www.zerodayinitiative.com/advisories/zdi-12-093/
http://www.symantec.com/security_response/vulnerability.jsp?bid=53848&om_rssid=sr-advisories
http://technet.microsoft.com/en-us/security/advisory/2794220
http://securitytracker.com/id?1027930

Short Name
SHELLCODE:WIN:SHIKATAGANAI-80S
Severity
Critical
Recommended
False
Recommended Action
Drop
Category
SHELLCODE
Keywords
CVE-2004-1049 CVE-2005-0399 CVE-2005-0553 CVE-2009-1862 CVE-2010-3971 CVE-2012-1876 CVE-2012-4792 CVE-2014-2782 Encoder Ga HTTP-STC Nai Over Routine Shikata bid:12881 bid:13120 bid:34363 bid:35759 bid:36881 bid:38613 bid:45246 bid:49924 bid:68101
Release Date
06/07/2013
Supported Platforms

srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3

Sigpack Version
3761
False Positive
Unknown
Vendors

Microsoft

CVSS Score

9.3
