
List:       bleeding-sigs
Subject:    [Bleeding-sigs] New Trojan email report sig
From:       Matt Jonkman <jonkman () bleedingthreats ! net>
Date:       2007-09-08 12:11:54
Message-ID: 46E2918A.6090105 () bleedingthreats ! net

A large number of trojans report an infection by sending a blank email
to a gmail or other free provider. They're pretty bland, other than they
almost always use the Indy Mail lib. So the mail is slightly unique.

# This sig should catch them outbound
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body"; flow:established,to_server; content:"|0d 0a|X-Priority: 1|0d 0a|X-Library: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:22; classtype:trojan-activity; sid:2007611; rev:1;)

Please report any falses on it.

-- 
--------------------------------------------
Matthew Jonkman
Bleeding Edge Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Phone 61-42-4157-491
AUS Fax 61-29-4750-026
http://www.bleedingthreats.net
--------------------------------------------

PGP: http://www.bleedingthreats.com/mattjonkman.asc


_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs@bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
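The rule above chains two content matches: the Indy header block, then the SMTP end-of-DATA terminator (blank line, lone dot, CRLF) which must be found within 22 bytes of where the first match ended. The following Python is an added example, not part of the original post or of the Bleeding Edge ruleset; it re-implements that matching logic over constructed SMTP DATA payloads so the within:22 window can be reasoned about offline. The sample messages and addresses are made up.

```python
"""Offline re-implementation of the 'Indy Mail lib and No Message Body' check.

This mirrors the two content matches in the Snort rule:
  1. "\r\nX-Priority: 1\r\nX-Library: Indy "
  2. "\r\n\r\n.\r\n"  found within 22 bytes after the end of match 1
Snort's `within:N` (with no `distance`) means the second pattern must lie
entirely inside the N bytes that follow the end of the previous match.
"""

HEADER_PAT = b"\r\nX-Priority: 1\r\nX-Library: Indy "
END_OF_DATA = b"\r\n\r\n.\r\n"   # blank line + lone '.' = empty body, DATA done
WITHIN = 22                      # same window as the rule's within:22


def matches_indy_blank_report(payload: bytes) -> bool:
    """Return True if the payload would trigger the rule's content checks."""
    start = 0
    while True:
        idx = payload.find(HEADER_PAT, start)
        if idx < 0:
            return False
        cursor = idx + len(HEADER_PAT)          # end of the first match
        window = payload[cursor:cursor + WITHIN]  # within:22 search window
        if END_OF_DATA in window:
            return True
        start = idx + 1   # allow later occurrences of the header block


def header_to_terminator_gap(payload: bytes) -> int:
    """Bytes between the end of the Indy header match and the terminator,
    or -1 if either pattern is absent. Useful for tuning the within value:
    it is the X-Library version string length plus the 7-byte terminator."""
    idx = payload.find(HEADER_PAT)
    if idx < 0:
        return -1
    cursor = idx + len(HEADER_PAT)
    term = payload.find(END_OF_DATA, cursor)
    if term < 0:
        return -1
    return term + len(END_OF_DATA) - cursor


# Constructed sample SMTP DATA payloads (not captured traffic).
SAMPLES = {
    # Blank-body report mail from an Indy-based client: should match.
    "indy_blank": (
        b"From: bot@example.invalid\r\n"
        b"To: dropbox@example.invalid\r\n"
        b"Subject: report\r\n"
        b"X-Priority: 1\r\n"
        b"X-Library: Indy 9.00.10\r\n"
        b"\r\n"
        b".\r\n"
    ),
    # Indy client but with a real message body: should NOT match.
    "indy_with_body": (
        b"From: user@example.invalid\r\n"
        b"To: friend@example.invalid\r\n"
        b"Subject: hello\r\n"
        b"X-Priority: 1\r\n"
        b"X-Library: Indy 9.00.10\r\n"
        b"\r\n"
        b"hello from host\r\n"
        b".\r\n"
    ),
    # Empty body but no Indy header: should NOT match.
    "other_blank": (
        b"From: user@example.invalid\r\n"
        b"To: friend@example.invalid\r\n"
        b"Subject: test\r\n"
        b"X-Mailer: SomeOtherMailer\r\n"
        b"\r\n"
        b".\r\n"
    ),
}


def scan_samples(samples=SAMPLES) -> dict:
    """Run the check over every sample; returns {name: bool}."""
    return {name: matches_indy_blank_report(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:16s} match={hit} gap={header_to_terminator_gap(SAMPLES[name])}")
```

The gap helper shows why 22 is a comfortable window for a version string like `9.00.10` (7 bytes plus the 7-byte terminator gives 14); if you see false negatives from a client whose X-Library value is longer, that number is the knob to widen, and the search window is what keeps a mail with any real body text from matching.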