Capturing attempts to exploit Security Advisory 975497

Hi

If you’ve heard about this vulnerability, which was discovered (and published before it was reported to the MSRC, the Microsoft Security Response Center), and want to see whether machines on your network are attempting to exploit it, here’s a Network Monitor capture filter that shows you the source IP of the attacker or infected PC:

smb.command == 0x72 AND SMB.SMBHeader.Flags.FromServer == 0x0 AND SMB.SMBHeader.PIDHigh != 0x0
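The same three conditions applied in code to raw TCP payloads, as an added example that is not part of the original post. It assumes the standard 32-byte SMB1 header layout; the function names, sample packets and addresses are constructed for illustration.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
FLAG_REPLY = 0x80  # set in Flags when the message comes from the server
# Protocol(4) Command(1) Status(4) Flags(1) Flags2(2) PIDHigh(2)
# SecurityFeatures(8) Reserved(2) TID(2) PIDLow(2) UID(2) MID(2) = 32 bytes
SMB1_HEADER = struct.Struct("<4sBIBHH8sHHHHH")

def matches_filter(tcp_payload: bytes) -> bool:
    """True when the payload meets the three conditions of the NetMon filter."""
    # On port 445 each SMB message follows a 4-byte session header
    # (type byte 0x00 plus a 3-byte length); skip it when present.
    data = tcp_payload
    if len(data) >= 4 and data[0] == 0x00 and data[4:8] == SMB1_MAGIC:
        data = data[4:]
    if len(data) < SMB1_HEADER.size:
        return False  # truncated: not enough bytes to judge
    magic, command, _status, flags, _flags2, pid_high, *_rest = SMB1_HEADER.unpack_from(data)
    if magic != SMB1_MAGIC:
        return False
    return (command == SMB_COM_NEGOTIATE      # smb.command == 0x72
            and not flags & FLAG_REPLY        # Flags.FromServer == 0x0
            and pid_high != 0)                # PIDHigh != 0x0

def build_header(command, flags, pid_high):
    """Constructed sample header for the demo; carries no request body."""
    smb = SMB1_HEADER.pack(SMB1_MAGIC, command, 0, flags, 0, pid_high, b"\0" * 8, 0, 0, 0, 0, 0)
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

def suspicious_sources(packets):
    """Return the source IPs, in first-seen order, whose payload matches."""
    seen = []
    for src_ip, payload in packets:
        if matches_filter(payload) and src_ip not in seen:
            seen.append(src_ip)
    return seen

# Constructed (source IP, TCP payload) pairs; addresses are documentation ranges.
SAMPLE = [
    ("192.0.2.10", build_header(0x72, 0x18, 0x0000)),  # ordinary negotiate
    ("192.0.2.66", build_header(0x72, 0x18, 0x0001)),  # PIDHigh set: match
    ("192.0.2.20", build_header(0x72, 0x98, 0x0001)),  # server reply: ignored
    ("192.0.2.30", build_header(0x73, 0x18, 0x0001)),  # not a negotiate
]

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE))
```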

 

Get NetMon 3.3 from here.

And the VERY cool updated NetMon parsers from CodePlex.

The signature for the vulnerability has been published here.