List: snort-sigs
Subject: Re: [Snort-sigs] Feodo Botnet
From: "Arbeiter, Stefan (K-SIS-O/1)" <stefan.arbeiter () volkswagen ! de>
Date: 2014-01-24 13:34:38
Message-ID: 82262F7F8ED88A4B8B8413B42EE549973A282D1B () VWAGWOXA0402 ! vw ! vwg
Hi all,
malwaremustdie has additional details:
http[://]malwaremustdie.blogspot[.]de/2013/01/cridex-fareit-infection-analysis.html?spref=tw&m=1
including this User-Agent
Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US
No FP so far.
From: James Lay [mailto:jlay@slave-tothe-box.net]
Sent: Friday, 24 January 2014 12:59
To: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] Feodo Botnet
On Fri, 2014-01-24 at 11:36 +0100, Lukas Matt wrote:
Hi guys,
our sources are reporting heavy spam loads created by the Feodo Botnet.
A quick search on the rules produced no result.
Did the guys at (https://feodotracker.abuse.ch/blocklist.php?download=snort)
already write some IPS rules?
Will there be an update in the future?
Regards,
Lukas
Nice work... thank you.
James
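As an added example that is not part of the thread (and not a rule published by abuse.ch, malwaremustdie or the Snort team), this is how the User-Agent Stefan quoted could be turned into a local Snort 2.x detection rule. Assumptions: Snort 2.x rule syntax with the usual $HOME_NET/$EXTERNAL_NET/$HTTP_PORTS variables from snort.conf; sid 1000001 is a placeholder from the local-rule range. The content match is the string exactly as it appears in the mail, which ends at "en-US" without a closing parenthesis, so it is effectively a prefix match and a complete header that starts with this text will also trigger it.

```snort
# Added example, not from the mailing-list thread: Snort 2.x local rule for the
# Cridex/Feodo User-Agent quoted by Stefan Arbeiter. Semicolons inside the
# header value must be written as |3B| because ';' ends a rule option.
# sid:1000001 is a placeholder from the local-rule range; choose your own.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL Possible Cridex/Feodo check-in - known User-Agent"; \
    flow:to_server,established; \
    content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 7.0|3B| Windows NT 6.0|3B| en-US"; \
    http_header; fast_pattern; \
    reference:url,malwaremustdie.blogspot.de/2013/01/cridex-fareit-infection-analysis.html; \
    classtype:trojan-activity; \
    sid:1000001; rev:1; \
)
```

Drop the rule into local.rules and replay a capture with `snort -q -A console -c /etc/snort/snort.conf -r sample.pcap` to confirm it parses and fires. "No FP so far" is one site's observation: the string is close to what a genuine IE 7 on Vista sends, so review hit counts in alert-only mode before switching the rule to drop.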