List: emerging-sigs
Subject: Re: [Emerging-Sigs] SIGS: :ET TROJAN W32/Androm.Backdoor
From: Jason Williams <jwilliams () emergingthreats ! net>
Date: 2015-06-22 23:12:20
Message-ID: CAPpdu9G=kGQRepKZOO5ho3EhojfQS5MpGB9bhmm5bghV5AM4SQ () mail ! gmail ! com
Kevin,
Thanks man! We have open coverage for the first sig under 2019380 and will
get the second one into QA.
Regards,
Jason
On Mon, Jun 22, 2015 at 5:38 PM, Kevin Ross <kevross33@googlemail.com> wrote:
>
> https://www.hybrid-analysis.com/sample/00454344f5c043d81c8572a1ac1bf9174336b895d12c51c44b3d9f385e8dbb13?environmentId=2
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Androm.Backdoor US Constitution Internet Connectivity Check";
> flow:established,to_server; content:"GET"; http_method;
> content:"/usdeclar.txt"; http_uri; depth:13;
> content:"Host: constitution.org"; http_header; fast_pattern:6,16;
> content:"User-Agent|3A| Mozilla/4.0 (compatible; MSIE 8.0|3B| Windows NT 6.1; Win64|3B| x64)"; http_header;
> content:!"Referer|3A|"; http_header; content:!"Accept|3A|"; http_header;
> classtype:trojan-activity; reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440;
> sid:134111; rev:1;)
>
> alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Androm.Backdoor Grabftp Module Download";
> flow:established,to_server; content:"GET"; http_method;
> content:"/download/ftp/grabftp"; http_uri; fast_pattern:9,12;
> content:".bin"; http_uri;
> pcre:"/^\/download\/ftp\/(grabftp|grabftp64)\.bin$/U";
> content:"User-Agent|3A| Mozilla/4.0 (compatible; MSIE 8.0|3B| Windows NT 6.1; Win64|3B| x64)"; http_header;
> content:!"Referer|3A|"; http_header; content:!"Accept|3A|"; http_header;
> classtype:trojan-activity; reference:md5,e946b3dba7cd9a44fbbcbc3c7c76e440;
> sid:134112; rev:1;)
>
>
> Kind Regards,
> Kevin Ross
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs@lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
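Added example, not part of the thread or of Emerging Threats' own tooling: a small Python evaluator that mirrors the clauses of the two rules above and runs them over constructed HTTP requests, showing that the negated Referer and Accept headers are what keep a normal browser fetching the same URL from matching. The request strings and the function names (matches_sid_134111, matches_sid_134112) are my own.

```python
import re

# User-Agent string shared by both rules; the rule's content match is a
# substring match, so a longer UA beginning with this still matches.
UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64)"
# Same anchored pattern as the rule's pcre with the /U (http_uri) modifier.
GRABFTP_RE = re.compile(r"^/download/ftp/(grabftp|grabftp64)\.bin$")


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, uri, {header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers


def common_header_checks(headers) -> bool:
    """Clauses shared by both rules: fixed UA, no Referer, no Accept."""
    return (headers.get("user-agent", "").startswith(UA)
            and "referer" not in headers
            and "accept" not in headers)


def matches_sid_134111(raw: str) -> bool:
    """Connectivity check: GET /usdeclar.txt at constitution.org."""
    method, uri, headers = parse_request(raw)
    # depth:13 on a 13-byte content means the URI must begin with it.
    return (method == "GET" and uri.startswith("/usdeclar.txt")
            and headers.get("host", "").startswith("constitution.org")
            and common_header_checks(headers))


def matches_sid_134112(raw: str) -> bool:
    """Module download: /download/ftp/grabftp.bin or grabftp64.bin."""
    method, uri, headers = parse_request(raw)
    return (method == "GET" and GRABFTP_RE.match(uri) is not None
            and common_header_checks(headers))


# Constructed sample traffic (not captured from the sample in the post).
MALWARE_CHECK = ("GET /usdeclar.txt HTTP/1.1\r\nHost: constitution.org\r\n"
                 f"User-Agent: {UA}\r\n\r\n")
BROWSER_VISIT = ("GET /usdeclar.txt HTTP/1.1\r\nHost: constitution.org\r\n"
                 f"User-Agent: {UA}\r\nAccept: text/html\r\n"
                 "Referer: http://constitution.org/\r\n\r\n")
MODULE_DL = ("GET /download/ftp/grabftp64.bin HTTP/1.1\r\nHost: example.invalid\r\n"
             f"User-Agent: {UA}\r\n\r\n")
```

Header-name lookups are lowercased here for convenience; the rules themselves are case-sensitive on the header bytes, since neither uses nocase.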