
List:       emerging-sigs
Subject:    Re: [Emerging-Sigs] SIGS: :ET TROJAN W32/Androm.Backdoor
From:       Jason Williams <jwilliams () emergingthreats ! net>
Date:       2015-06-22 23:12:20
Message-ID: CAPpdu9G=kGQRepKZOO5ho3EhojfQS5MpGB9bhmm5bghV5AM4SQ () mail ! gmail ! com



Kevin,

Thanks man! We have open coverage for the first sig under 2019380 and will
get the second one into QA.

Regards,

Jason

On Mon, Jun 22, 2015 at 5:38 PM, Kevin Ross <kevross33@googlemail.com>
wrote:

> 
> https://www.hybrid-analysis.com/sample/00454344f5c043d81c8572a1ac1bf9174336b895d12c51c44b3d9f385e8dbb13?environmentId=2
>  
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
> W32/Androm.Backdoor US Constitution Internet Connectivity Check";
> flow:established,to_server; content:"GET"; http_method;
> content:"/usdeclar.txt"; http_uri; depth:13; content:"Host:
> constitution.org"; http_header; fast_pattern:6,16;
> content:"User-Agent|3A| Mozilla/4.0 (compatible; MSIE 8.0|3B| Windows NT
> 6.1; Win64|3B| x64)"; http_header; content:!"Referer|3A|"; http_header;
> content:!"Accept|3A|"; http_header; classtype:trojan-activity;
> reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440; sid:134111; rev:1;)
> 
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN
> W32/Androm.Backdoor Grabftp Module Download"; flow:established,to_server;
> content:"GET"; http_method; content:"/download/ftp/grabftp"; http_uri;
> fast_pattern:9,12; content:".bin"; http_uri;
> pcre:"/^\/download\/ftp\/(grabftp|grabftp64)\.bin$/U";
> content:"User-Agent|3A| Mozilla/4.0 (compatible; MSIE 8.0|3B| Windows NT
> 6.1; Win64|3B| x64)"; http_header; content:!"Referer|3A|"; http_header;
> content:!"Accept|3A|"; http_header; classtype:trojan-activity;
> reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440; sid:134112; rev:1;)
> 
> 
> Kind Regards,
> Kevin Ross
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
> 
> 
> 
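To make the matching logic of the two quoted rules concrete, the following is an added Python re-implementation of their conditions run over constructed HTTP requests. It is not part of the thread and is not Emerging Threats or Suricata code. The rule buffers (http_method, http_uri, http_header, the /U pcre modifier, depth, and negated content) are modelled as plain substring or regex checks over the parsed request; flow:established,to_server is TCP state and is not modelled. The sample requests, the hostname example.invalid and the function names are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample requests (not captured traffic); CRLF line endings as on the wire.
ANDROM_USER_AGENT = (
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
)

# 1: the connectivity check that sid 134111 is written for.
SAMPLE_CONNECTIVITY_CHECK = (
    b"GET /usdeclar.txt HTTP/1.1\r\n"
    b"Host: constitution.org\r\n" + ANDROM_USER_AGENT + b"\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
# 2: the 64-bit module fetch that sid 134112 is written for (host is a placeholder).
SAMPLE_GRABFTP64 = (
    b"GET /download/ftp/grabftp64.bin HTTP/1.1\r\n"
    b"Host: example.invalid\r\n" + ANDROM_USER_AGENT + b"\r\n"
    b"Accept-Encoding: gzip\r\n\r\n"
)
# 3: same URI and User-Agent, but with the Accept: and Referer: headers a real
# browser sends; the negated content matches must suppress the alert.
SAMPLE_BROWSER_LIKE = (
    b"GET /usdeclar.txt HTTP/1.1\r\n"
    b"Host: constitution.org\r\n" + ANDROM_USER_AGENT + b"\r\n"
    b"Accept: text/html,*/*\r\n"
    b"Referer: http://constitution.org/\r\n\r\n"
)
# 4: a module name outside the pcre alternation (grabftp32 is not listed).
SAMPLE_GRABFTP32 = (
    b"GET /download/ftp/grabftp32.bin HTTP/1.1\r\n"
    b"Host: example.invalid\r\n" + ANDROM_USER_AGENT + b"\r\n\r\n"
)


@dataclass
class HttpRequest:
    method: bytes   # what http_method inspects
    uri: bytes      # what http_uri and the /U pcre modifier inspect
    headers: bytes  # the header block, what http_header inspects


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw request into the three buffers the rules inspect."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return HttpRequest(method=method, uri=uri, headers=header_block + b"\r\n")


def shared_androm_conditions(req: HttpRequest) -> bool:
    """Conditions both rules carry (method, User-Agent, negated headers)."""
    if req.method != b"GET":                    # content:"GET"; http_method;
        return False
    if ANDROM_USER_AGENT not in req.headers:    # content:"User-Agent|3A| ..."; http_header;
        return False
    # content:!"Referer|3A|"; content:!"Accept|3A|"; http_header;
    # The bot omits headers a browser always sends. "Accept-Encoding:" does not
    # contain the bytes "Accept:" and so does not suppress the match.
    if b"Referer:" in req.headers or b"Accept:" in req.headers:
        return False
    return True


def matches_sid_134111(req: HttpRequest) -> bool:
    """depth:13 on a 13-byte content means the URI must begin with /usdeclar.txt;
    the Host header is matched as raw header text."""
    return (
        shared_androm_conditions(req)
        and req.uri[:13] == b"/usdeclar.txt"
        and b"Host: constitution.org" in req.headers
    )


GRABFTP_URI_RE = re.compile(rb"^/download/ftp/(grabftp|grabftp64)\.bin$")


def matches_sid_134112(req: HttpRequest) -> bool:
    """The two content matches act as the prefilter; the anchored pcre on the
    URI buffer decides the exact module name."""
    return (
        shared_androm_conditions(req)
        and b"/download/ftp/grabftp" in req.uri
        and b".bin" in req.uri
        and GRABFTP_URI_RE.match(req.uri) is not None
    )


def evaluate(raw: bytes) -> list:
    """Return the sids that would fire for one raw request."""
    req = parse_request(raw)
    return [sid for sid, fn in ((134111, matches_sid_134111), (134112, matches_sid_134112)) if fn(req)]


if __name__ == "__main__":
    for name, raw in (("check", SAMPLE_CONNECTIVITY_CHECK), ("grabftp64", SAMPLE_GRABFTP64),
                      ("browser-like", SAMPLE_BROWSER_LIKE), ("grabftp32", SAMPLE_GRABFTP32)):
        print(name, evaluate(raw))
```

The browser-like sample is the case worth keeping in mind when tuning: the positive content matches alone (URI plus User-Agent) would also fire on a legitimate IE8 visit to the same file, and it is the negated Referer: and Accept: matches that separate the bot's stripped-down request from browser traffic.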