
List:       snort-sigs
Subject:    Re: [Snort-sigs] Feodo Botnet
From:       "Arbeiter, Stefan (K-SIS-O/1)" <stefan.arbeiter () volkswagen ! de>
Date:       2014-01-24 13:34:38
Message-ID: 82262F7F8ED88A4B8B8413B42EE549973A282D1B () VWAGWOXA0402 ! vw ! vwg

Hi all,

malwaremustdie has additional details:

http[://]malwaremustdie.blogspot[.]de/2013/01/cridex-fareit-infection-analysis.html?spref=tw&m=1

including this User-Agent

Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US

No FP so far.

From: James Lay [mailto:jlay@slave-tothe-box.net]
Sent: Friday, 24 January 2014 12:59
To: snort-sigs@lists.sourceforge.net
Subject: Re: [Snort-sigs] Feodo Botnet

On Fri, 2014-01-24 at 11:36 +0100, Lukas Matt wrote:

Hi guys,

our sources are reporting heavy spam loads created by the Feodo Botnet.
A quick search on the rules produced no result.

Did the guys at (https://feodotracker.abuse.ch/blocklist.php?download=snort)
already write some IPS rules?

Will there be an update in future?

Regards,
Lukas

Nice work..thank you.

James
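As an added example (not part of the thread, and not an abuse.ch or Snort.org rule), here is how the User-Agent quoted above can be expressed as a local Snort 2.x rule on outbound HTTP; the sid, msg text and classtype are placeholder choices made here.

```snort
# Added example: local Snort 2.x rule for the Feodo/Cridex User-Agent quoted in the thread.
# sid 1000001 is in the local-rule range and is a placeholder; use one that is free in your ruleset.
# |3A| and |3B| are hex for ':' and ';' (a literal ';' inside content would end the option).
# The string as quoted in the thread has no closing parenthesis; matching the prefix covers it either way.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL Feodo/Cridex suspicious User-Agent (snort-sigs report)"; \
    flow:to_server,established; \
    content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 7.0|3B| Windows NT 6.0|3B| en-US"; \
    http_header; fast_pattern; \
    reference:url,malwaremustdie.blogspot.de/2013/01/cridex-fareit-infection-analysis.html; \
    classtype:trojan-activity; \
    sid:1000001; rev:1; \
)
```

A User-Agent string on its own is a weak indicator: the reporter has seen no false positives so far, but hits should be correlated with the feodotracker IP blocklist linked above before being treated as confirmed infections.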


