
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] SIG: ET TROJAN W32.Daws/Sanny
From:       Will Metcalf <wmetcalf () emergingthreatspro ! com>
Date:       2012-12-18 3:11:32
Message-ID: CAKrkXrOfxc7V-7EstJip24YTjbNYgDRuFmGiLawiKWDwnj5GNg () mail ! gmail ! com


Posted, but fixed the sig with file_data + POST, which is invalid; made it
http_client_body. Thanks....

On Mon, Dec 17, 2012 at 3:56 PM, Kevin Ross <kevross33@googlemail.com> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> W32.Daws/Sanny CnC Initial Beacon"; flow:established,to_server;
> content:"/list.php?db="; http_uri; content:"Accept-Language|3A| ko-kr";
> http_header; classtype:trojan-activity; reference:url,
> blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,
> contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html;
> sid:1318811; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST";
> http_method; content:"/write.php"; http_uri; content:"Accept-Language|3A|
> ko-kr"; http_header; file_data; content:"db="; within:3; content:"&ch=";
> distance:0; content:"&name="; distance:0; content:"&email="; distance:0;
> content:"&pw="; distance:0; classtype:trojan-activity; reference:url,
> blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,
> contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html;
> sid:1318812; rev:1;)
>
> Regards,
> Kevin
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
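An added example, not part of the thread: a small Python checker that applies the detection logic of the two rules above to raw HTTP requests, using the change the reply describes (inspect the POST body as http_client_body rather than file_data, which in Snort 2.x is the server response body and so never matches a to_server rule). The request bytes and field values are constructed for illustration, not captured traffic.

```python
# Constructed requests (not real Daws/Sanny traffic) for exercising the rules.
BEACON = (b"GET /list.php?db=abc HTTP/1.1\r\n"
          b"Host: example.invalid\r\n"
          b"Accept-Language: ko-kr\r\n\r\n")

CNC_POST = (b"POST /write.php HTTP/1.1\r\n"
            b"Host: example.invalid\r\n"
            b"Accept-Language: ko-kr\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 36\r\n\r\n"
            b"db=abc&ch=1&name=host&email=x@y&pw=z")

# Same fields, wrong order: the rule's distance:0 chain must not match this.
OUT_OF_ORDER = CNC_POST.replace(b"db=abc&ch=1&name=host",
                                b"db=abc&name=host&ch=1")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, raw_headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return method, uri, headers, body

def korean_locale(headers: bytes) -> bool:
    # content:"Accept-Language|3A| ko-kr"; http_header
    return b"Accept-Language: ko-kr" in headers

def is_beacon(raw: bytes) -> bool:
    """sid:1318811 logic: /list.php?db= in the URI plus the ko-kr header."""
    _method, uri, headers, _body = parse_request(raw)
    return b"/list.php?db=" in uri and korean_locale(headers)

def is_cnc_post(raw: bytes) -> bool:
    """sid:1318812 logic with http_client_body: ordered chain in the POST body."""
    method, uri, headers, body = parse_request(raw)
    if method != b"POST" or b"/write.php" not in uri or not korean_locale(headers):
        return False
    # content:"db="; within:3  -> the 3-byte token must sit at the very start.
    if not body.startswith(b"db="):
        return False
    pos = len(b"db=")
    # Each distance:0 content must occur after the end of the previous match.
    for token in (b"&ch=", b"&name=", b"&email=", b"&pw="):
        pos = body.find(token, pos)
        if pos < 0:
            return False
        pos += len(token)
    return True
```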




