List: emerging-sigs
Subject: [Emerging-Sigs] FP sid:2012299
From: jonkman () emergingthreatspro ! com (Matthew Jonkman)
Date: 2011-04-28 15:51:08
Message-ID: FF5B76E2-39A8-42C3-8609-BD6F722ACA39 () emergingthreatspro ! com
Here are a few, defanged, within the last few days in the sandnet: (spam filters are going to love this one)
hxxp://78.26.187.35/soft-usage/favicon.ico?0=1200&1=GT-FDCCX9A4405D&2=i-s&3=21&4=2600&5=5&6=1&7=6290
hxxp://soft-store-inc.com/soft-usage/favicon.ico?0=1200&1=GT-FDCCX9A4405D&2=i-s&3=190&4=2600&5=5&6=1
hxxp://soft-store-inc.com/soft-usage/favicon.ico?0=1200&1=GT-FDCCX9A4405D&2=i-s&3=62&4=2600&5=5&6=1&
There are variations, but we could tighten this up some with favicon.ico. I'll do so and we'll mark it to keep an eye out for variation.
Matt
On Apr 27, 2011, at 11:11 AM, harry.tuttle wrote:
> Have had a couple of false positives to americanexpress.com (looks like a rewards-related part of the site with no ssl).
> Anyone have a pcap of the actual malicious traffic to look for something more to go on in the headers maybe?
> Rule posted for easy reference. I haven't modified it.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32 Bamital or Backdoor.Win32.Shiz CnC? Communication"; flow:established,to_server; content:"?0="; http_uri; content:"&1="; http_uri; content:"&2="; http_uri; content:"&3="; http_uri; content:"&4="; http_uri; content:"&5="; http_uri; content:"&6="; http_uri; content:"&7="; http_uri; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=fbcdfecc73c4389e8d3ed7e2e573b6f1; sid:2012299; rev:1;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630 x110
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
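An added example, not part of the thread or of the ET ruleset: a minimal emulation of the rule's independent http_uri content checks, used to compare the posted sid:2012299 with a variant tightened on favicon.ico as Matt proposes, and with a variant that also covers the samples that stop at &6=. The request URIs are taken from the defanged sandnet URLs above; the benign rewards URI and the function names are constructed assumptions.

```python
# Added example (not from the mailing-list thread): emulate the http_uri content
# checks of sid:2012299 and compare them with a favicon.ico-tightened variant.

# Options exactly as in the posted rule: "?0=" plus "&1=" .. "&7=".
ORIGINAL_CONTENTS = ["?0="] + [f"&{i}=" for i in range(1, 8)]

# Tightened as proposed in the thread: anchor the first parameter to the
# favicon.ico filename shared by the sandnet samples.
TIGHTENED_CONTENTS = ["/favicon.ico?0="] + [f"&{i}=" for i in range(1, 8)]

# Assumption (not stated in the thread): dropping the "&7=" requirement is
# acceptable, so the two samples that end at "&6=" are covered too.
COVERAGE_CONTENTS = ["/favicon.ico?0="] + [f"&{i}=" for i in range(1, 7)]

# Constructed from the defanged URLs in the thread, host stripped: http_uri
# inspects only the normalized request URI.
SANDNET_URIS = [
    "/soft-usage/favicon.ico?0=1200&1=GT-FDCCX9A4405D&2=i-s&3=21&4=2600&5=5&6=1&7=6290",
    "/soft-usage/favicon.ico?0=1200&1=GT-FDCCX9A4405D&2=i-s&3=190&4=2600&5=5&6=1",
    "/soft-usage/favicon.ico?0=1200&1=GT-FDCCX9A4405D&2=i-s&3=62&4=2600&5=5&6=1&",
]

# Hypothetical benign URI (constructed): any site that numbers its query
# parameters 0..7 satisfies every content check of the original rule.
BENIGN_URI = "/rewards/offers.aspx?0=a&1=b&2=c&3=d&4=e&5=f&6=g&7=h"


def uri_matches(uri, contents):
    """Independent (non-relative) content matches on the http_uri buffer:
    each string must occur somewhere in the URI, in any order."""
    return all(c in uri for c in contents)


def evaluate(contents, uris):
    """One verdict per URI for the given content list."""
    return [uri_matches(u, contents) for u in uris]


def to_snort_options(contents):
    """Render a content list in the option syntax used by the posted rule."""
    return " ".join(f'content:"{c}"; http_uri;' for c in contents)


if __name__ == "__main__":
    for name, contents in [("original", ORIGINAL_CONTENTS),
                           ("tightened", TIGHTENED_CONTENTS),
                           ("coverage", COVERAGE_CONTENTS)]:
        print(name, evaluate(contents, SANDNET_URIS),
              "benign:", uri_matches(BENIGN_URI, contents))
```

Only the first sandnet sample carries "&7=", so the posted rule misses the other two while still firing on the benign URI; both favicon.ico variants clear the false positive, and only the coverage variant fires on all three samples.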