
List:       emerging-sigs
Subject:    [Emerging-Sigs] Urlzone/Bebloh sig
From:       jonkman () jonkmans ! com (Matt Jonkman)
Date:       2009-05-14 13:34:28
Message-ID: 4A0C1DE4.5030702 () jonkmans ! com

Got it Darren, good sig. You're really at it this week, thanks!

Posting now.

matt

Darren Spruell wrote:
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Urlzone/Bebloh Communication with Controller";
> flow:established,to_server; content:"GET "; depth:4;
> uricontent:"get.php?type=slg&id="; nocase; classtype:trojan-activity;
> reference:url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td;
> sid:XXXXXXX; rev:1;)
> 
> Urlzone/Bebloh is another banker/infostealer typically targeting German banks.
> 
> Typical C&C communication looks like requests to:
> 
> somedomain.tld/IT02/get.php?type=slg&id=ZLYER3I3REZASOKGSO
> 
> Every report I've seen makes it look like /get.php is so far very
> static as well as the value of the 'type' parameter during C&C
> communication. Also appears that /IT0%d/ varies a bit but for now
> always uses /IT0\d/ so maybe it can be tightened a bit more if needed
> with a URI pcre.
> 
> Would be interested to know if this is successful for anyone.
> 

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
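As an added illustration, not part of the original thread or the Emerging Threats ruleset, the following Python reproduces the detection logic of the quoted rule (a GET request whose URI contains `get.php?type=slg&id=`, case-insensitive) alongside the tighter variant Darren mentions, which additionally requires the `/IT0\d/` directory via a regular expression. The HTTP request lines it runs over are constructed samples, not captured traffic, and the function names are this example's own.

```python
import re

# Constructed sample HTTP request lines (not real traffic). The first mirrors the
# shape described in the thread: /IT0<digit>/get.php?type=slg&id=<token>.
SAMPLE_REQUESTS = [
    "GET /IT02/get.php?type=slg&id=ZLYER3I3REZASOKGSO HTTP/1.1",   # canonical form
    "GET /IT07/GET.PHP?TYPE=SLG&ID=ABCDEF0123 HTTP/1.1",           # case variation
    "GET /index.php?type=slg&id=123 HTTP/1.1",                     # wrong script name
    "POST /IT02/get.php?type=slg&id=ZLYER3I3REZASOKGSO HTTP/1.1",  # not a GET
    "GET /images/get.php?type=img&id=42 HTTP/1.1",                 # wrong 'type' value
    "GET /IT2/get.php?type=slg&id=ZLYER3I3REZASOKGSO HTTP/1.1",    # directory is not /IT0\d/
]

# Substring used by the posted rule's uricontent (matched case-insensitively).
LOOSE_URI = "get.php?type=slg&id="

# Tightened form suggested in the thread: pin the /IT0\d/ directory with a URI regex.
# The [A-Za-z0-9]+ token class is an assumption based on the one sample id shown.
TIGHT_URI = re.compile(r"/IT0\d/get\.php\?type=slg&id=[A-Za-z0-9]+", re.IGNORECASE)


def parse_request_line(line):
    """Split an HTTP request line into (method, uri, version); None if malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1], parts[2]


def matches_loose(line):
    """Equivalent of the posted rule: 'GET ' at the start of the payload
    (content:"GET "; depth:4) and the URI substring with nocase."""
    parsed = parse_request_line(line)
    if parsed is None:
        return False
    method, uri, _ = parsed
    return method == "GET" and LOOSE_URI in uri.lower()


def matches_tight(line):
    """Same as matches_loose but also requires the /IT0\\d/ directory component."""
    parsed = parse_request_line(line)
    if parsed is None:
        return False
    method, uri, _ = parsed
    return method == "GET" and TIGHT_URI.search(uri) is not None


def scan(lines):
    """Return (loose_hits, tight_hits): request lines matched by each variant."""
    loose = [line for line in lines if matches_loose(line)]
    tight = [line for line in lines if matches_tight(line)]
    return loose, tight


if __name__ == "__main__":
    loose_hits, tight_hits = scan(SAMPLE_REQUESTS)
    print("loose rule matched %d request(s):" % len(loose_hits))
    for hit in loose_hits:
        print("  ", hit)
    print("tight rule matched %d request(s):" % len(tight_hits))
    for hit in tight_hits:
        print("  ", hit)
```

On the samples above the loose check fires on three lines and the tight check on two: the `/IT2/` request shows the trade-off, since the looser substring catches it while the `/IT0\d/` regex deliberately does not. Note that this operates on the raw request line, whereas Snort's `uricontent` inspects the normalized URI, so percent-encoded or path-manipulated variants would need the same normalization before comparison.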


