Thread: Agent Alt hits

Agent Alt hits
user name
2007-10-16 08:15:41
The wiki on http://doc.bleedingthreats.net/bin/view/Main/Win32AgentALT has links to four rules, but the links all point to the same location. I didn't want to just start editing it in case it was like that for a reason.

The wiki also mentions flowbits on the rules, but I don't see any flowbits in the actual rule definitions. Is this an oversight or is it just a design item that turned out to be unnecessary?

The rule for 2007591 is hitting lots of malware check-ins, and they look like good hits. Nice hits.

jp

----------------------------------------------------------------
fferent Security Labs:  Isolate/Insulate/Innovate
http://www.afferentsecurity.com

_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigsbleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs

Re: Agent Alt hits - Followup
user name
2007-10-16 11:18:54
Quoting Jack Pepper <pepperjackafferentsecurity.com>:

> The rule for 2007591 is hitting lots of malware check-ins, and they
> look like good hits.

The hits do not look like Agent.Alt infections. They appear to be counters for the Revenue Science BHO application.

Are other people seeing these? I am seeing these at all of my sites, in some cases thousands of them.

jp



Re: Agent Alt hits - Followup
user name
2007-10-18 00:03:27
Can you share a packet?


-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc



Re: Agent Alt hits - Followup
user name
2007-10-18 07:19:09
Quoting Matt Jonkman <jonkmanjonkmans.com>:

> Can you share a packet?

Sure, a couple thousand if you like ....

Agent ALT analysis (for the period 10/15/07 3am - 10/16/07 3am):
    209.249.142.9  -> 10.10.1.12    TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress
    4.71.104.187   -> 10.40.32.206  TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress
    64.154.81.197  -> 10.40.34.86   TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress
    64.154.81.197  -> 10.70.50.85   TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress
    64.154.82.224  -> 10.40.33.76   TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress
    64.154.82.72   -> 10.40.34.23   TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress
    168.75.68.97   -> 10.40.33.235  TROJAN Win32 Agent.ALT C&C Checkin Connection in Progress

So of the 'outside' hosts, what are they?
  209.249.142.9 -> "Revenue Science Corporation". Targeted marketing firm, sells software to the online marketing industry, including browser helper objects, among many other products.
  4.71.104.187  -> "QuestionMarket.com", a known distribution site.
  64.154.81.197 -> "HitBox Server", a known "utility service" for counters.
  64.154.82.224 -> Another "HitBox Server".
  168.75.68.97  -> "Clear Blue Technology". Hosting company. Could be anything.
  64.154.82.72  -> Another "HitBox Server".

Let's take it apart, starting with the "unknown" host at "Clear Blue" (168.75.68.97):
08:12:34.769889 IP 168.75.68.97.80 > 10.40.33.235.1967: P 3140372189:3140372199(10) ack 2462837258 win 12600
        0x0000:  4500 0032 0825 4000 3506 24e2 a84b 4461  E..2.%.5.$..KDa
        0x0010:  0a28 21eb 0050 07af bb2e 46dd 92cb ea0a  .(!..P....F.....
        0x0020:  5018 3138 98aa 0000 0001 0000 0202 4401  P.18..........D.
        0x0030:  003b                                     .;
12:19:58.344071 IP 168.75.68.97.80 > 10.10.1.178.4451: P 2859405698:2859405708(10) ack 1856371176 win 7560
        0x0000:  4500 0032 622b 4000 3506 eb32 a84b 4461  E..2b+.5..2.KDa
        0x0010:  0a0a 01b2 0050 1163 aa6f 1182 6ea5 f9e8  .....P.c.o..n...
        0x0020:  5018 1d88 1d60 0000 0001 0000 0202 4401  P....`........D.
        0x0030:  003b                                     .;
13:32:36.240369 IP 168.75.68.97.80 > 10.40.32.181.4079: P 3677760917:3677760927(10) ack 383641718 win 11040
        0x0000:  4500 0032 2e69 4000 3506 ffd3 a84b 4461  E..2.i.5....KDa
        0x0010:  0a28 20b5 0050 0fef db36 2d95 16dd e876  .(...P...6-....v
        0x0020:  5018 2b20 0e7b 0000 0001 0000 0202 4401  P.+..{........D.
        0x0030:  003b                                     .;
16:39:06.129241 IP 168.75.68.97.80 > 10.40.34.29.3199: P 979095712:979095722(10) ack 2179211625 win 11040
        0x0000:  4500 0032 d0fb 4000 3506 5bd9 a84b 4461  E..2...5.[..KDa
        0x0010:  0a28 221d 0050 0c7f 3a5b d0a0 81e4 2169  .("..P..:[....!i
        0x0020:  5018 2b20 6a59 0000 0001 0000 0202 4401  P.+.jY........D.
        0x0030:  003b                                     .;
16:39:36.999439 IP 168.75.68.97.80 > 10.40.34.29.3214: P 3429252465:3429252475(10) ack 2313734872 win 11040
        0x0000:  4500 0032 933e 4000 3506 9996 a84b 4461  E..2.>.5....KDa
        0x0010:  0a28 221d 0050 0c8e cc66 3d71 89e8 cad8  .("..P...f=q....
        0x0020:  5018 2b20 b9fa 0000 0001 0000 0202 4401  P.+...........D.
        0x0030:  003b                                     .;

So we do have multiple hosts on the inside network talking to this same address.

Do an nslookup on js.revsci.net:
js.revsci.net   canonical name = js.lb-revsci.net.
Name:   js.lb-revsci.net
Address: 168.75.68.97
Name:   js.lb-revsci.net
Address: 206.191.161.97
Name:   js.lb-revsci.net
Address: 209.249.142.9
Name:   js.lb-revsci.net
Address: 209.249.142.97
Name:   js.lb-revsci.net
Address: 38.96.134.241

The domain "revsci.net" is of course owned by Revenue Science. This host, 168.75.68.97, is a "tracking data" collection site.



In this other case, we caught the download of the browser helper object, downloaded from the same site at "clear blue":
14:01:03.659262 IP 10.40.33.22.3736 > 168.75.68.97.80: P 3489417517:3489418851(1334) ack 3701690791 win 65535
        0x0000:  4500 055e 0470 4000 7f06 da3f 0a28 2116  E..^.p....?.(!.
        0x0010:  a84b 4461 0e98 0050 cffc 492d dca3 51a7  .KDa...P..I-..Q.
        0x0020:  5018 ffff 9fc0 0000 4745 5420 2f63 6f6d  P.......GET./com
        0x0030:  6d6f 6e2f 7063 782e 6a73 3f74 6d70 6c3d  mon/pcx.js?tmpl=
        0x0040:  6164 3326 6373 6964 3d43 3035 3530 3326  ad3&csid=C05503&
        0x0050:  6b6f 3d32 3030 375f 3130 5f31 355f 5f31  ko=2007_10_15__1
        0x0060:  2048 5454 502f 312e 310d 0a41 6363 6570  .HTTP/1.1..Accep
        0x0070:  743a 202a 2f2a 0d0a 5265 6665 7265 723a  t:.*/*..Referer:
        0x0080:  2068 7474 703a 2f2f 7777 772e 6b63 7476  .http://www.kctv
        0x0090:  352e 636f 6d2f 696e 6465 782e 6874 6d6c  5.com/index.html
        0x00a0:  0d0a 4163 6365 7074 2d4c 616e 6775 6167  ..Accept-Languag
        0x00b0:  653a 2065 6e2d 7573 0d0a 4163 6365 7074  e:.en-us..Accept
        0x00c0:  2d45 6e63 6f64 696e 673a 2067 7a69 702c  -Encoding:.gzip,
        0x00d0:  2064 6566 6c61 7465 0d0a 4966 2d4d 6f64  .deflate..If-Mod
        0x00e0:  6966 6965 642d 5369 6e63 653a 204d 6f6e  ified-Since:.Mon
        0x00f0:  2c20 3135 204f 6374 2032 3030 3720 3138  ,.15.Oct.2007.18
        0x0100:  3a34 323a 3132 2047 4d54 0d0a 5573 6572  :42:12.GMT..User
        0x0110:  2d41 6765 6e74 3a20 4d6f 7a69 6c6c 612f  -Agent:.Mozilla/
        0x0120:  342e 3020 2863 6f6d 7061 7469 626c 653b  4.0.(compatible;
        0x0130:  204d 5349 4520 362e 303b 2057 696e 646f  .MSIE.6.0;.Windo
        0x0140:  7773 204e 5420 352e 313b 2053 5631 3b20  ws.NT.5.1;.SV1;.
        0x0150:  4675 6e57 6562 5072 6f64 7563 7473 3b20  FunWebProducts;.
        0x0160:  2e4e 4554 2043 4c52 2031 2e31 2e34 3332  .NET.CLR.1.1.432
        0x0170:  323b 202e 4e45 5420 434c 5220 322e 302e  2;..NET.CLR.2.0.
        0x0180:  3530 3732 3729 0d0a 486f 7374 3a20 6a73  50727)..Host:.js
        0x0190:  2e72 6576 7363 692e 6e65 740d 0a43 6f6e  .revsci.net..Con
        0x01a0:  6e65 6374 696f 6e3a 204b 6565 702d 416c  nection:.Keep-Al
        0x01b0:  6976 650d 0a43 6f6f 6b69 653a 204e 4554  ive..Cookie:.NET
        0x01c0:  4944 3031 3d42 7445 4458 7772 4031 5267  ID01=BtEDXwr1Rg
        0x01d0:  4141 4472 4a4e 7059 4141 4147 423b 204e  AADrJNpYAAAGB;.N
        0x01e0:  4554 5345 4753 5f43 3035 3530 333d 4642  ETSEGS_C05503=FB
        0x01f0:  3732 4644 3139 4235 3045 4438 3236 2643  72FD19B50ED826&C

<snip>

        0x0550:  3473 4c30 7864 6754 6566 0d0a 0d0a       4sL0xdgTef....

Look at the 'download' packet, above. The location called "referrer" is where the browser was right before this snapshot was taken: http://www.kctv5.com/index.html. There are advertisers all over that page. Kctv5, being a tv station, makes their living by selling advertising. They would obviously be a normal client for Revenue Science, to make sure they get paid for click throughs to their advertising partners.

To examine the installer code and the actual BHO code you can download the code from:
   http://js.revsci.net/gateway/gw.js?csid=C05503
and the part that makes sure the money goes to kctv5:
   http://www.kctv5.com/js/4230798/script.js
and the tracking pixel:
   http://pix01.revsci.net/C05503/a3/0/0/0/0/0/0/0/0/0/noscript.gif

Re: Agent Alt hits - Followup
user name
2008-03-04 09:09:21
I am. What I am seeing I don't think is Agent ALT. None of my hosts have any similarities to what info I can find on Agent.ALT. I am only seeing sid:2007591 fire. I haven't seen any others in this group of sigs: sid:2007588, sid:2007589, or sid:2007590. Each payload is the same:

Payload Length: 10

000 : 00 01 00 00 02 02 44 01 00 3B                    ......D..;

All of these are from various banner ad servers. Anyone else still seeing these?


-- 
-dajackman
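The triage the two previous messages do by hand (rebuilding the packets from the tcpdump -X records, spotting the identical 10-byte server response, and reading Host and Referer out of the client GET) as a script. This is an added example, not code from the list or from Bleeding Edge Threats: the first sample record and the tracker hostnames are taken from the thread, the second sample packet is constructed, and the fixed-payload check and host allow-list are assumptions you would tune for your own site.

```python
"""Triage of the sid:2007591 hits from the thread (added example, not list code):
parse tcpdump -X hex output, extract the TCP payload and label each packet the
way the thread did by hand, as the fixed 10-byte counter response or as an HTTP
request whose Host header points at the Revenue Science tracking servers."""
import re
import struct

COUNTER_RESPONSE = bytes.fromhex("0001000002024401003b")  # payload of every hit
TRACKER_HOSTS = {"js.revsci.net", "pix01.revsci.net"}  # hostnames from the thread
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+([0-9a-f]{4}(?: [0-9a-f]{4})*)", re.I)

def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild raw packet bytes from the hex columns of a tcpdump -X record."""
    raw = bytearray()
    for line in dump.splitlines():
        if m := HEX_LINE.match(line):  # the ASCII column after two spaces is skipped
            raw += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(raw)

def tcp_payload(raw: bytes):
    """(src, dst, sport, dport, payload) for an IPv4/TCP packet, else None."""
    if len(raw) < 40 or raw[0] >> 4 != 4 or raw[9] != 6:
        return None
    ihl, total_len = (raw[0] & 0x0F) * 4, struct.unpack("!H", raw[2:4])[0]
    src, dst = (".".join(str(b) for b in raw[i:i + 4]) for i in (12, 16))
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_off = (raw[ihl + 12] >> 4) * 4  # TCP header length incl. options
    return src, dst, sport, dport, raw[ihl + data_off:total_len]

def http_request_fields(payload: bytes) -> dict:
    """Method, path and headers (lower-cased names) of an HTTP request, or {}."""
    lines = payload.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return {}
    fields = {"method": parts[0], "path": parts[1]}
    for name, sep, value in (l.partition(":") for l in lines[1:]):
        if sep:
            fields[name.strip().lower()] = value.strip()
    return fields

def classify(raw: bytes) -> dict:
    """Label one packet: counter-response, tracker-request or unclassified."""
    info = tcp_payload(raw)
    if info is None:
        return {"verdict": "not-ipv4-tcp"}
    src, dst, sport, dport, payload = info
    out = {"src": src, "dst": dst, "dport": dport, "verdict": "unclassified"}
    req = http_request_fields(payload)
    out["host"], out["referer"] = req.get("host", ""), req.get("referer", "")
    if payload == COUNTER_RESPONSE:
        out["verdict"] = "counter-response"
    elif out["host"].lower() in TRACKER_HOSTS:
        out["verdict"] = "tracker-request"
    return out

def build_tcp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed helper: minimal IPv4+TCP framing, checksums zero (parser ignores them)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0) + payload

# Constructed samples: (1) the first 168.75.68.97 record quoted in the thread,
# (2) a shortened form of the client GET quoted in the thread.
SAMPLE_DUMP = """\
08:12:34.769889 IP 168.75.68.97.80 > 10.40.33.235.1967: P 3140372189:3140372199(10) ack 2462837258 win 12600
        0x0000:  4500 0032 0825 4000 3506 24e2 a84b 4461  E..2.%.5.$..KDa
        0x0010:  0a28 21eb 0050 07af bb2e 46dd 92cb ea0a  .(!..P....F.....
        0x0020:  5018 3138 98aa 0000 0001 0000 0202 4401  P.18..........D.
        0x0030:  003b                                     .;
"""
SAMPLE_REQUEST = build_tcp_packet("10.40.33.22", "168.75.68.97", 3736, 80,
    b"GET /common/pcx.js?tmpl=ad3&csid=C05503 HTTP/1.1\r\n"
    b"Referer: http://www.kctv5.com/index.html\r\nHost: js.revsci.net\r\n\r\n")
```

Run `classify(parse_tcpdump_hex(record))` over each record from the sensor and group the verdicts by server address to see which alert sources are tracking counters rather than check-ins.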