
List:       bleeding-sigs
Subject:    [Bleeding-sigs] Oemji Spyware sigs
From:       Matt Jonkman <jonkman () bleedingthreats ! net>
Date:       2007-03-08 16:58:26
Message-ID: 45F040B2.9050608 () bleedingthreats ! net

From shirkdog, based on spyware listening post hits:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Oemji Spyware User-Agent (Oemji)"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Oemji/i"; classtype:trojan-activity; sid:2003468; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Oemji.com Spyware Settings Update"; flow:established,to_server; uricontent:"/OemjiSearchPlus.ini"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094187; sid:2003467; rev:1;)


Thanks shirkdog!

Matt

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
765-429-0398
765-807-3060 fax
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
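
Added example (not part of the original post or the Bleeding Edge Threats ruleset): a Python approximation of what the two signatures above match, run over constructed HTTP requests so the matching can be checked without a sensor. It ignores flow state, ports and Snort's URI normalization; the sample requests and the function names are assumptions made for the illustration.

```python
import re

# sid:2003468 -- same expression as the rule's pcre option, /i flag included.
# [^\n]+ keeps the match on the User-Agent header line and needs at least
# one byte between the colon and "Oemji".
UA_PCRE = re.compile(rb"User-Agent:[^\n]+Oemji", re.IGNORECASE)

# sid:2003467 -- the uricontent string, compared case-insensitively (nocase).
INI_URI = b"/oemjisearchplus.ini"


def request_uri(raw):
    """Return the URI field of the request line, or b"" if it is malformed."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    return parts[1] if len(parts) >= 2 else b""


def matching_sids(raw):
    """Return the sids whose content logic matches one raw HTTP request."""
    sids = []
    if UA_PCRE.search(raw):
        sids.append(2003468)
    if INI_URI in request_uri(raw).lower():
        sids.append(2003467)
    return sids


# Constructed sample requests (not captured traffic).
SAMPLES = [
    # "oemji" inside the User-Agent value, lower case
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; oemji)\r\n\r\n",
    # settings file requested with different casing
    b"GET /updates/OEMJISearchPlus.INI HTTP/1.1\r\nHost: example.test\r\n"
    b"User-Agent: Mozilla/4.0\r\n\r\n",
    # "oemji" only in a later header: must not match the User-Agent rule
    b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\n"
    b"Referer: http://example.test/oemji\r\n\r\n",
    # both conditions in one request
    b"GET /OemjiSearchPlus.ini HTTP/1.1\r\nHost: example.test\r\n"
    b"User-Agent: Oemji\r\n\r\n",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.split(b"\r\n", 1)[0].decode(), "->", matching_sids(sample))
```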