List: emerging-sigs
Subject: [Emerging-Sigs] Urlzone/Bebloh sig
From: jonkman () jonkmans ! com (Matt Jonkman)
Date: 2009-05-14 13:34:28
Message-ID: 4A0C1DE4.5030702 () jonkmans ! com
Got it Darren, good sig. You're really at it this week, thanks!
Posting now.
matt
Darren Spruell wrote:
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Urlzone/Bebloh Communication with Controller";
> flow:established,to_server; content:"GET "; depth:4;
> uricontent:"get.php?type=slg&id="; nocase; classtype:trojan-activity;
> reference:url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td;
> sid:XXXXXXX; rev:1;)
>
> Urlzone/Bebloh is another banker/infostealer typically targeting German banks.
>
> Typical C&C communication looks like requests to:
>
> somedomain.tld/IT02/get.php?type=slg&id=ZLYER3I3REZASOKGSO
>
> Every report I've seen makes it look like /get.php is so far very
> static as well as the value of the 'type' parameter during C&C
> communication. Also appears that /IT0%d/ varies a bit but for now
> always uses /IT0\d/ so maybe it can be tightened a bit more if needed
> with a URI pcre.
>
> Would be interested to know if this is successful for anyone.
>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
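To illustrate what the posted rule matches and what Darren's suggested URI pcre tightening would add, here is an added Python example that is not part of the original thread or the Emerging Threats ruleset. It re-implements the rule's `content:"GET "; depth:4;` and case-insensitive `uricontent:"get.php?type=slg&id="` checks as plain string tests, then adds a regex built from the `/IT0\d/` observation, and runs both over constructed request lines. The sample requests, the helper names and the exact pcre are assumptions made for this example; `flow:established,to_server`, the port ranges and the `$HOME_NET`/`$EXTERNAL_NET` variables cannot be reproduced outside Snort and are not modelled here.

```python
import re

# Constructed sample HTTP request lines (not real traffic). The first two mimic the
# C&C pattern described in the thread; the rest are look-alikes that should not fire
# or should only fire on the looser, posted rule.
SAMPLE_REQUESTS = [
    "GET /IT02/get.php?type=slg&id=ZLYER3I3REZASOKGSO HTTP/1.1",  # posted + tightened
    "GET /it05/GET.PHP?TYPE=slg&id=ABCDEF HTTP/1.1",              # nocase: still both
    "GET /IT2/get.php?type=slg&id=ABCDEF HTTP/1.1",               # directory lacks the 0
    "GET /images/get.php?type=img&id=12 HTTP/1.1",                # different 'type' value
    "POST /IT02/get.php?type=slg&id=ZZZ HTTP/1.1",                # not a GET
    "GET /IT02/get.php?type=slg&id= HTTP/1.1",                    # empty id, both still fire
]

# Equivalent of the posted rule's payload checks:
#   content:"GET "; depth:4;                    -> payload must begin with "GET "
#   uricontent:"get.php?type=slg&id="; nocase;  -> case-insensitive substring of the URI
URICONTENT = "get.php?type=slg&id="

# Assumed tightened URI pcre built from the "/IT0\d/" observation in the thread.
# This is an illustration of the suggested tightening, not the project's rule.
TIGHT_URI_RE = re.compile(r"/IT0\d/get\.php\?type=slg&id=", re.IGNORECASE)


def parse_request_line(line):
    """Split 'METHOD URI VERSION' into its parts; return None if malformed."""
    parts = line.strip().split(" ")
    if len(parts) != 3:
        return None
    method, uri, version = parts
    if not version.startswith("HTTP/"):
        return None
    return method, uri, version


def matches_posted_rule(line):
    """True when the request satisfies the content + uricontent checks of the posted rule."""
    if not line.startswith("GET "):          # content:"GET "; depth:4;
        return False
    parsed = parse_request_line(line)
    if parsed is None:
        return False
    _, uri, _ = parsed
    return URICONTENT.lower() in uri.lower()  # uricontent ...; nocase;


def matches_tightened_rule(line):
    """Posted rule plus the /IT0\\d/ directory constraint from the suggested URI pcre."""
    if not matches_posted_rule(line):
        return False
    _, uri, _ = parse_request_line(line)
    return TIGHT_URI_RE.search(uri) is not None


def scan(lines):
    """Return one verdict per request line so the two rule variants can be compared."""
    return [
        {"line": line, "posted": matches_posted_rule(line), "tightened": matches_tightened_rule(line)}
        for line in lines
    ]


if __name__ == "__main__":
    for verdict in scan(SAMPLE_REQUESTS):
        print(f"posted={verdict['posted']!s:5} tightened={verdict['tightened']!s:5} {verdict['line']}")
```

Running it shows the third sample (`/IT2/`) firing only on the posted rule, which is the kind of case the tighter pcre would drop if the `/IT0\d/` pattern holds up in further reports; the trade-off is that any change in the directory naming would then evade the tightened rule while the posted one keeps matching on the static `get.php?type=slg&id=` portion.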