
List:       snort-sigs
Subject:    [Snort-sigs] New rule offered for detecting Gameover a new ZeuS variant over smtp
From:       rmkml <rmkml () yahoo ! fr>
Date:       2014-02-12 20:59:53
Message-ID: alpine.LFD.2.03.1402122150230.2394 () yahoo ! fr

Hi,

A new ZeuS variant, known as Gameover, sends messages with a .zip containing a .enc file.

Please check if it's interesting:

alert tcp any any -> any 25 (msg:"SMTP Zip file contains Encrypted (.enc) possible \
GameOver ZeuS variant attempt"; flow:to_server,established; content:".zip"; \
pcre:"/^[\'\"]*\s*\r?\n/R"; file_data; content:"PK|03 04|"; within:4; distance:0; \
content:".enc"; within:50; distance:26; \
pcre:"/^PK\x03\x04.{26}[a-zA-Z0-9\-\_]+\.enc/s"; classtype:attempted-user; sid:1; \
rev:1;)

Please check all variables before use.

All comments/feedback are welcome.

Regards
@Rmkml
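The rule above keys on the ZIP local file header layout: "PK|03 04|" is the 4-byte signature, "distance:26" skips the 26 bytes of fixed fields that follow it, so that "content:".enc"; within:50" and the second PCRE are tested against the entry name that begins at byte 30. The following Python is an added illustration written for this archive page, not code from rmkml's post or from the Snort project. It builds a small in-memory ZIP as a constructed sample, walks the local file headers with the same offsets the rule relies on, and applies the post's PCRE to the decoded attachment body so the rule's assumptions can be checked offline. The function names (`local_entry_names`, `matches_rule`, `build_sample`) are hypothetical and the `within:50` window is approximated by a plain byte-window test.

```python
import io
import re
import struct
import zipfile

# ZIP local file header (PKZIP APPNOTE 4.3.7): 4-byte signature "PK\x03\x04",
# then 26 bytes of fixed fields, then the entry name. The rule's "distance:26"
# after "PK|03 04|" jumps exactly over the fixed fields to the name at byte 30.
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # 30 bytes in total
assert LOCAL_HEADER.size == 30

# The second PCRE of the posted rule, unchanged, with the /s (DOTALL) flag.
RULE_PCRE = re.compile(rb"^PK\x03\x04.{26}[a-zA-Z0-9\-\_]+\.enc", re.DOTALL)


def local_entry_names(data: bytes):
    """Return the entry names found by walking the local file headers.

    The headers are parsed directly (not via zipfile) so the byte offsets
    are the ones the Snort content/pcre options operate on. Walking stops at
    the first record that is not a local file header (the central directory
    starts with PK\\x01\\x02).
    """
    names = []
    pos = 0
    while data[pos:pos + 4] == b"PK\x03\x04":
        (_sig, _ver, flags, _method, _time, _date, _crc,
         csize, _usize, name_len, extra_len) = LOCAL_HEADER.unpack_from(data, pos)
        name = data[pos + 30:pos + 30 + name_len]
        names.append(name.decode("utf-8", "replace"))
        # Flag bit 3 means the sizes live in a data descriptor after the
        # payload; this walker only handles archives with sizes up front
        # (which is what zipfile writes to a seekable buffer).
        if flags & 0x0008:
            break
        pos += 30 + name_len + extra_len + csize
    return names


def matches_rule(data: bytes) -> bool:
    """Mirror the post's attachment-side logic on a decoded attachment body.

    Snort semantics being approximated (hypothetical helper, not Snort code):
      content:"PK|03 04|"; within:4; distance:0   -> blob starts with the signature
      content:".enc"; within:50; distance:26       -> ".enc" in the 50 bytes after
                                                      the fixed header fields
      pcre:"/^PK\\x03\\x04.{26}[a-zA-Z0-9\\-\\_]+\\.enc/s"
    All three conditions are ANDed, exactly as in the rule body.
    """
    if data[:4] != b"PK\x03\x04":
        return False
    window = data[30:30 + 50]           # cursor sits 4 + 26 bytes into the blob
    return b".enc" in window and RULE_PCRE.match(data) is not None


def build_sample(names, payload: bytes = b"constructed payload bytes") -> bytes:
    """Construct an in-memory ZIP (constructed sample) with one stored entry per name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in names:
            zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample(["invoice_2014.enc"])
    print(local_entry_names(sample), matches_rule(sample))
```

Two things this makes visible that the rule text alone does not: the `^` anchor means only the first entry in the archive is inspected, so a .enc placed after a decoy entry is not flagged; and the character class `[a-zA-Z0-9\-\_]+` must cover the whole name before `.enc`, so a name such as `invoice.2014.enc` satisfies the `content:".enc"` check but not the PCRE, and the rule as a whole does not fire. Both are worth deciding on deliberately when tuning the signature.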

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

