List: emerging-sigs
Subject: [Emerging-Sigs] SIGS: W32/Prinimalka and Blackhole Landing Page
From: Kevin Ross <kevross33 () googlemail ! com>
Date: 2012-12-17 20:18:40
Message-ID: CAM_5znsR_3Rg3VMtOaZtPwt3DN9zBHvnAciZHvA2cTAyzMyNdg () mail ! gmail ! com
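# Blackhole2 landing page, 7-character obfuscation strings (15/12/2012).
# Server-to-client HTTP content carrying three '="-xxxxxxx-xxxxxxx-xxxxxxx'
# groups (7 lowercase alphanumerics between dashes, each opening a quoted
# attribute value), followed by '><script>'.
#
# Added flow:established,to_client so the rule is only evaluated on server
# responses in an established session, which matches the header direction and
# the flow option used by the other rules in this set.
#
# NOTE(review): the content chain only requires each later '="-' group to start
# at least 100 bytes after the previous one (distance:100), while the pcre
# demands exactly 200 arbitrary bytes (.{200}) between the first and second
# group and never anchors the third. Confirm the intended gap against captured
# landing pages before deploying; a bounded range (e.g. .{0,300}) would agree
# better with the content matches if the gap is not fixed.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole2 Landing Page 7 Character Obfuscation String - 15/12/2012"; \
    flow:established,to_client; \
    content:"=|22|-"; content:"-"; distance:7; within:1; content:"-"; distance:7; within:1; \
    content:"=|22|-"; distance:100; content:"-"; distance:7; within:1; content:"-"; distance:7; within:1; \
    content:"=|22|-"; distance:100; content:"-"; distance:7; within:1; content:"-"; distance:7; within:1; \
    content:"><script>"; distance:0; \
    pcre:"/\x3D\x22\x2D[a-z0-9]{7}\x2D[a-z0-9]{7}\x2D[a-z0-9]{7}.{200}\x3D\x22\x2D[a-z0-9]{7}\x2D[a-z0-9]{7}\x2D[a-z0-9]{7}/sm"; \
    classtype:trojan-activity; sid:1731991; rev:2;)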
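# W32/Prinimalka "get task" CnC beacon: client request whose URI carries
# /command?user_id=...&version_id=...&crc=... (see the Arbor reference).
#
# Fix: the destination variable was misspelled $EXTERNLAL_NET, which is not
# defined in a standard snort.conf and stops the rule from loading. The msg
# and reference values, line-wrapped by the mailer, are rejoined onto single
# lines so the rule parses as posted.
#
# NOTE(review): the parameter names alone (user_id, version_id, crc) are
# generic; the /command path is the distinguishing element. Validate against
# the samples described in the reference before tuning the content matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Prinimalka Get Task CnC Beacon"; \
    flow:established,to_server; \
    content:"/command?user_id="; fast_pattern; http_uri; \
    content:"&version_id="; http_uri; content:"&crc="; http_uri; \
    classtype:trojan-activity; \
    reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; \
    sid:1731992; rev:2;)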
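# W32/Prinimalka configuration update request: client request whose URI carries
# /options?user_id=...&version_id=...&crc=...&uptime=...&port=...&ip=...
#
# Fix: the destination variable was misspelled $EXTERNLAL_NET (undefined in a
# standard snort.conf, so the rule would not load). The msg and reference
# values, line-wrapped by the mailer, are rejoined onto single lines.
#
# The first http_uri content is the longest fixed token and is the natural
# fast-pattern candidate; it is left to the engine's default selection, as in
# the original.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Prinimalka Configuration Update Request"; \
    flow:established,to_server; \
    content:"/options?user_id="; http_uri; content:"&version_id="; http_uri; \
    content:"&crc="; http_uri; content:"&uptime="; http_uri; content:"&port="; http_uri; \
    content:"&ip="; http_uri; \
    classtype:trojan-activity; \
    reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; \
    sid:1731993; rev:2;)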
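# W32/Prinimalka CnC beacon to the server-side prinimalka.py script: client
# request whose URI contains "/prinimalka.py/".
#
# Fix: the destination variable was misspelled $EXTERNLAL_NET (undefined in a
# standard snort.conf, so the rule would not load). The msg and reference
# values, line-wrapped by the mailer, are rejoined onto single lines.
#
# fast_pattern:only is appropriate here: the single content is the only
# match, so no relative check needs to be re-run after the fast-pattern hit.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Prinimalka Prinimalka.py Script In CnC Beacon"; \
    flow:established,to_server; \
    content:"/prinimalka.py/"; http_uri; fast_pattern:only; \
    classtype:trojan-activity; \
    reference:url,ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/; \
    sid:1731994; rev:2;)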
Regards,
Kevin
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!