List: emerging-sigs
Subject: [Emerging-Sigs] SIGS: ET TROJAN W32/Downloader.FakeFlashPlayer
From: Kevin Ross <kevross33 () googlemail ! com>
Date: 2012-12-28 1:20:23
Message-ID: CAM_5znspDJq-CYuznRt4b-R2w6E5CjAaQMk9bv2eOPRHAnMX4Q () mail ! gmail ! com
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Clientregister.php CnC Beacon"; flow:established,to_server; content:"/clientregister.php?type="; http_uri; content:"&uniqid="; http_uri; content:"&winver="; http_uri; content:"&compusername="; http_uri; content:"&compnetname="; http_uri; classtype:trojan-activity; sid:1239991; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Status.Php CnC Beacon"; flow:established,to_server; content:"/status.php?cliver="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; classtype:trojan-activity; sid:1239992; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Bitensiteler CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; content:"&ver="; http_uri; content:"bitensiteler="; http_uri; classtype:trojan-activity; sid:1239993; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Kelimeid CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&kelimeid"; http_uri; content:"&gecenzaman="; http_uri; content:"&gezilensayfa="; http_uri; content:"&delcookies="; http_uri; classtype:trojan-activity; sid:1239994; rev:1;)
Regards,
Kevin
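Added example (editorial, not part of Kevin Ross's post or of the Emerging Threats ruleset): a small Python emulation of how the four rules above evaluate. It pulls the `content:"...";  http_uri;` options, `msg` and `sid` out of the rule text as posted, then checks constructed request URIs against them. It shows what the rules actually require to fire: every `http_uri` content must be present, in any order (no `distance`/`within` is set), case-sensitively (no `nocase`), and a beacon missing even one parameter is not matched. The sample URIs are constructed for the test and are not observed traffic; Snort's URI normalization and the `flow` keyword are outside the emulation.

```python
import re

# The four rules exactly as posted in the message (wrapped lines joined).
RULE_TEXT = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Clientregister.php CnC Beacon"; flow:established,to_server; content:"/clientregister.php?type="; http_uri; content:"&uniqid="; http_uri; content:"&winver="; http_uri; content:"&compusername="; http_uri; content:"&compnetname="; http_uri; classtype:trojan-activity; sid:1239991; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Status.Php CnC Beacon"; flow:established,to_server; content:"/status.php?cliver="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; classtype:trojan-activity; sid:1239992; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Bitensiteler CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; content:"&ver="; http_uri; content:"bitensiteler="; http_uri; classtype:trojan-activity; sid:1239993; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Kelimeid CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&kelimeid"; http_uri; content:"&gecenzaman="; http_uri; content:"&gezilensayfa="; http_uri; content:"&delcookies="; http_uri; classtype:trojan-activity; sid:1239994; rev:1;)
'''

MSG_RE = re.compile(r'msg:"([^"]*)";')
SID_RE = re.compile(r'sid:(\d+);')
# A content keyword immediately followed by the http_uri modifier.
URI_CONTENT_RE = re.compile(r'content:"((?:[^"\\]|\\.)*)";\s*http_uri;')


def parse_rules(text):
    """Return a list of (sid, msg, [http_uri contents]) from Snort rule text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("alert"):
            continue
        sid = int(SID_RE.search(line).group(1))
        msg = MSG_RE.search(line).group(1)
        contents = URI_CONTENT_RE.findall(line)
        rules.append((sid, msg, contents))
    return rules


def matching_sids(uri, rules):
    """SIDs whose every http_uri content is a substring of the request URI.

    Snort content matches carry no ordering unless distance/within/offset
    are given, so plain substring presence is the right emulation here.
    Matching is case-sensitive because none of the rules sets nocase.
    """
    return [sid for sid, _msg, contents in rules
            if all(pat in uri for pat in contents)]


RULES = parse_rules(RULE_TEXT)

# Constructed request URIs for exercising the rules; not observed traffic.
# The last one is deliberately missing &langid= to show a partial beacon
# does not fire sid 1239992.
SAMPLE_URIS = [
    "/clientregister.php?type=1&uniqid=CONSTRUCTED01&winver=6.1"
    "&compusername=user&compnetname=host",
    "/status.php?cliver=1.0&uniqid=CONSTRUCTED02&langid=1",
    "/gate.php?type=2&uniqid=CONSTRUCTED03&langid=1&ver=1&bitensiteler=0",
    "/gate.php?type=3&kelimeid=5&gecenzaman=10&gezilensayfa=2&delcookies=0",
    "/status.php?cliver=1.0&uniqid=CONSTRUCTED05",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        print(f"{matching_sids(uri, RULES)!s:<10} {uri}")
```

Running it prints one line per sample URI with the SIDs that fire; the first four each trigger exactly one rule and the truncated beacon triggers none. Swap in URIs from your own proxy logs to see which of the four beacon shapes they would have alerted on.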
_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com The ONLY place to get complete premium rulesets for all versions of Suricata and Snort 2.4.0 through Current!