List:       emerging-sigs
Subject:    [Emerging-Sigs] SIGS: ET TROJAN W32/Fsysna
From:       Kevin Ross <kevross33 () googlemail ! com>
Date:       2015-06-29 21:03:43
Message-ID: CAM_5znuh9+d0KsZ-KK-KcLGn1=nm=CADyZwxqeQcV_VDoUUgbw () mail ! gmail ! com

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Fsysna POST CnC Beacon"; flow:established,to_server; content:"POST"; http_method; content:"/post.php?pl="; http_uri; content:"&slots="; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; http_header; fast_pattern:44,20; content:"name=|22|upload"; http_client_body; classtype:trojan-activity; reference:md5,d550edee505e87d20bb5dcabc50812e4; sid:169981; rev:1;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Fsysna User-Agent"; flow:established,to_server; content:"User-Agent|3A| vb wininet"; http_header; fast_pattern:10,12; classtype:trojan-activity; reference:md5,d550edee505e87d20bb5dcabc50812e4; sid:169982; rev:1;)

Kind Regards,
Kevin Ross

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs@lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
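
Added example (not part of the original post or of the Emerging Threats ruleset): a small Python check that decodes a rule's content string, including |hex| runs, and confirms that a chopped fast_pattern:offset,length stays inside the decoded pattern, which is worth running before submitting rules like the ones above. The names SAMPLES, CHOP_RE, decode_content and check_fast_pattern are hypothetical, and the sample fragments are constructed.

```python
import re

# Constructed rule fragments (not copied from a ruleset). "winhttp" mirrors the
# header match in the beacon rule; "overrun" is a deliberately broken chop.
SAMPLES = {
    "winhttp": 'content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Win32|3B| '
               'WinHttp.WinHttpRequest.5)"; http_header; fast_pattern:44,20;',
    "overrun": 'content:"User-Agent|3A| example agent"; http_header; '
               'fast_pattern:10,30;',
}

# A content match followed, before any other quoted option, by a chopped fast_pattern.
CHOP_RE = re.compile(r'content:!?"([^"]*)";[^"]*?fast_pattern:(\d+),(\d+);')


def decode_content(pattern):
    """Expand |hex| runs so the result is the byte string the rule matches."""
    raw = bytearray()
    for i, part in enumerate(pattern.split("|")):
        if i % 2:  # odd segments sit between pipes and hold hex bytes
            raw += bytes.fromhex(part.replace(" ", ""))
        else:
            raw += part.encode("latin-1")
    return bytes(raw)


def check_fast_pattern(options):
    """Return one dict per chopped fast_pattern found in the option string."""
    findings = []
    for m in CHOP_RE.finditer(options):
        raw = decode_content(m.group(1))
        offset, length = int(m.group(2)), int(m.group(3))
        in_bounds = offset + length <= len(raw)
        findings.append({
            "content_len": len(raw),
            "in_bounds": in_bounds,
            # The bytes handed to the multi-pattern matcher, if the chop is valid.
            "chop": raw[offset:offset + length] if in_bounds else None,
        })
    return findings


if __name__ == "__main__":
    for name, options in SAMPLES.items():
        print(name, check_fast_pattern(options))
```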