
List:       dragonidsuser
Subject:    [Dragonidsuser] [+] NIDS Signature Update(7.x)/(8.x): Mon, 26 Nov 2012 23:50:27 EDT
From:       "Shirk, Michael" <mshirk () enterasys ! com>
Date:       2012-11-27 5:13:20
Message-ID: CACnYx0ZX4u2Wm+jR5qTyPpaYaafODGc51qmuirqo77xdAs-ktg () mail ! gmail ! com


The following NIDS signature updates are available via liveupdate for
Dragon versions 7.x/8.x:

TRJN:ADDNEW-COMMAND
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the AddNew
Banker trojan being commanded by a remote server. The source of this event
should be investigated.
REFERENCE: URLREF
http://doc.emergingthreats.net/2009862


TRJN:ADDNEW-DDOSER
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the AddNew
Banker trojan being commanded by a remote server. The source of this event
should be investigated.
REFERENCE: URLREF
http://blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html
REFERENCE: URLREF
http://doc.emergingthreats.net/2015868


TRJN:ADDNEW-DDOSER2
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the AddNew
Banker trojan being commanded by a remote server. The source of this event
should be investigated.
REFERENCE: URLREF
http://blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html
REFERENCE: URLREF
http://doc.emergingthreats.net/2015869


TRJN:ADDNEW-DDOSER3
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the AddNew
Banker trojan being commanded by a remote server. The source of this event
should be investigated.
REFERENCE: URLREF
http://blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html
REFERENCE: URLREF
http://doc.emergingthreats.net/2015870


TRJN:CITADEL-ACCESS2
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the
Zeus/Citadel trojan control panel being accessed on a local server.
REFERENCE: URLREF
http://xylithreats.free.fr/public/
REFERENCE: URLREF
http://www.xylibox.com/2012/10/citadel-1351-rain-edition.html
REFERENCE: URLREF
http://doc.emergingthreats.net/2015826


TRJN:CITADEL-BOTS-API
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the Citadel
trojan API being accessed on a remote server.
REFERENCE: URLREF
http://xylithreats.free.fr/public/
REFERENCE: URLREF
http://www.xylibox.com/2012/10/citadel-1351-rain-edition.html
REFERENCE: URLREF
http://doc.emergingthreats.net/2015831


TRJN:CITADEL-BOTS-API2
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the Citadel
trojan API being accessed on a local server.
REFERENCE: URLREF
http://xylithreats.free.fr/public/
REFERENCE: URLREF
http://www.xylibox.com/2012/10/citadel-1351-rain-edition.html
REFERENCE: URLREF
http://doc.emergingthreats.net/2015832


TRJN:CITADEL-IFRAMER-ACCESS
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the Citadel
trojan Iframer API being accessed on a remote server.
REFERENCE: URLREF
http://xylithreats.free.fr/public/
REFERENCE: URLREF
http://www.xylibox.com/2012/10/citadel-1351-rain-edition.html
REFERENCE: URLREF
http://doc.emergingthreats.net/2015827


TRJN:CITADEL-IFRAMER-ACCESS2
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the Citadel
trojan Iframer API being accessed on a local server.
REFERENCE: URLREF
http://xylithreats.free.fr/public/
REFERENCE: URLREF
http://www.xylibox.com/2012/10/citadel-1351-rain-edition.html
REFERENCE: URLREF
http://doc.emergingthreats.net/2015828


TRJN:CITADEL-PANEL-ACCESS
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the
Zeus/Citadel trojan control panel being accessed from a remote.
REFERENCE: URLREF
http://xylithreats.free.fr/public/
REFERENCE: URLREF
http://www.xylibox.com/2012/10/citadel-1351-rain-edition.html
REFERENCE: URLREF
http://doc.emergingthreats.net/2015825


TRJN:CITADEL-VIDEO-API
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the Citadel
trojan API being accessed on a remote server.
REFERENCE: URLREF
http://xylithreats.free.fr/public/
REFERENCE: URLREF
http://www.xylibox.com/2012/10/citadel-1351-rain-edition.html
REFERENCE: URLREF
http://doc.emergingthreats.net/2015833


TRJN:CITADEL-VIDEO-API2
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the Citadel
trojan API being accessed on a local server.
REFERENCE: URLREF
http://xylithreats.free.fr/public/
REFERENCE: URLREF
http://www.xylibox.com/2012/10/citadel-1351-rain-edition.html
REFERENCE: URLREF
http://doc.emergingthreats.net/2015834


TRJN:CITADEL-VNC-ACCESS
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the Citadel
trojan API being accessed on a remote server.
REFERENCE: URLREF
http://xylithreats.free.fr/public/
REFERENCE: URLREF
http://www.xylibox.com/2012/10/citadel-1351-rain-edition.html
REFERENCE: URLREF
http://doc.emergingthreats.net/2015829


TRJN:CITADEL-VNC-ACCESS2
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the Citadel
trojan API being accessed on a local server.
REFERENCE: URLREF
http://xylithreats.free.fr/public/
REFERENCE: URLREF
http://www.xylibox.com/2012/10/citadel-1351-rain-edition.html
REFERENCE: URLREF
http://doc.emergingthreats.net/2015830


TRJN:GH0ST-CHECKIN
UPDATE-TYPE: New Signature
CLASSIFICATION: TROJAN
DESCRIPTION: This signature looks for traffic associated with the
Backdoor.Win32.Gh0st trojan checking in with a remote server. This
signature searches on all ports for the trojan traffic. The signature is
disabled by default.
REFERENCE: URLREF
http://www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz
REFERENCE: URLREF
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231
REFERENCE: URLREF
http://labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/
REFERENCE: URLREF
http://doc.emergingthreats.net/2015624


- --
Michael Shirk
Security Research Engineer
Enterasys Networks, Inc.





