#alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN UPX compressed file download possible malware"; flow:established,from_server; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"UPX0"; content:"UPX1"; content:"UPX!"; reference:url,doc.emergingthreats.net/2001046; classtype:misc-activity; sid:2001046; rev:13; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:55:20 UTC


#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UPX compressed file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; within:4; content:"UPX0"; content:"UPX1"; content:"UPX!"; reference:url,doc.emergingthreats.net/2001046; classtype:misc-activity; sid:2001046; rev:12;)

Added 2012-08-07 18:51:57 UTC


#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UPX compressed file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; content:"UPX0"; content:"UPX1"; content:"UPX!"; reference:url,doc.emergingthreats.net/2001046; classtype:misc-activity; sid:2001046; rev:11;)

Added 2012-03-07 18:44:58 UTC


#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN UPX compressed file download possible malware"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"UPX0"; content:"UPX1"; content:"UPX!"; reference:url,doc.emergingthreats.net/2001046; classtype:misc-activity; sid:2001046; rev:9;)

Added 2011-10-12 19:10:03 UTC


#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN UPX compressed file download possible malware"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"UPX0"; content:"UPX1"; content:"UPX!"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001046; sid:2001046; rev:9;)

Added 2011-09-15 14:46:28 UTC


#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN UPX compressed file download possible malware"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"UPX0"; content:"UPX1"; content:"UPX!"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001046; sid:2001046; rev:9;)

Added 2011-09-14 20:43:06 UTC


#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX compressed file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"UPX0"; content:"UPX1"; content:"UPX!"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid:2001046; rev:8;)

Added 2011-02-04 17:21:19 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY UPX packed file download"; flow:established,from_server; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; isdataat:10,relative; content:"PE"; distance:0; content:"UPX0"; distance:0; content:"UPX1"; content:"UPX!"; classtype:misc-activity; reference:url,upx.sourceforge.net/; reference:url,doc.emergingthreats.net/2001046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_UPX; sid:2001046; rev:8;)

Added 2010-08-10 14:38:51 UTC

This signature could potentially trigger false positives as a lot of the legit binaries are packed using UPX nowadays (e.g. firefox, sun java etc)

-- NlKiw - 10 Jan 2011


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY UPX packed file download"; flow:established,from_server; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; isdataat:10,relative; content:"PE"; distance:0; content:"UPX0"; distance:0; content:"UPX1"; content:"UPX!"; classtype:misc-activity; reference:url,upx.sourceforge.net/; reference:url,doc.emergingthreats.net/2001046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_UPX; sid:2001046; rev:8;)

Added 2010-08-10 14:38:51 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY UPX packed file download"; flow:established,from_server; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; isdataat:10,relative; content:"PE"; distance:0; content:"UPX0"; distance:0; content:"UPX1"; content:"UPX!"; classtype:misc-activity; reference:url,upx.sourceforge.net/; reference:url,doc.emergingthreats.net/2001046; sid:2001046; rev:7;)

Added 2010-08-04 13:46:10 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET POLICY UPX packed file download"; flow:established,from_server; content:"MZ"; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; isdataat:10,relative; content:"PE"; distance:0; content:"UPX0"; distance:0; content:"UPX1"; content:"UPX!"; classtype:misc-activity; reference:url,upx.sourceforge.net/; reference:url,doc.emergingthreats.net/2001046; sid:2001046; rev:7;)

Added 2010-08-04 13:46:10 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX compressed file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|UPX0|00|"; content:"|00|UPX1|00|"; content:"|00|UPX!|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid:2001046; rev:6;)

Added 2010-06-28 22:46:58 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX compressed file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|UPX0|00|"; content:"|00|UPX1|00|"; content:"|00|UPX!|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid:2001046; rev:6;)

Added 2010-06-28 22:46:58 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX compressed file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|UPX0|00|"; content:"|00|UPX1|00|"; content:"|00|UPX!|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid: 2001046; rev:6;)

Added 2009-02-16 21:30:24 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX compressed file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|UPX0|00|"; content:"|00|UPX1|00|"; content:"|00|UPX!|00|"; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/WORM_Suspicious_Extensions; sid: 2001046; rev:6;)

Added 2009-02-16 21:30:24 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX compressed file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|UPX0|00|"; content:"|00|UPX1|00|"; content:"|00|UPX!|00|"; classtype: misc-activity; sid: 2001046; rev:5;)

Added 2008-01-31 10:12:24 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WORM UPX compressed file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|UPX0|00|"; content:"|00|UPX1|00|"; content:"|00|UPX!|00|"; classtype: misc-activity; sid: 2001046; rev:5;)

Added 2008-01-31 10:12:24 UTC


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE WORM UPX compressed file download - possible worm"; flow: established; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode."; distance: 0; isdataat: 10,relative; content:"PE"; distance: 0; content:"|00|UPX0|00|"; content:"|00|UPX1|00|"; content:"|00|UPX!|00|"; classtype: misc-activity; sid: 2001046; rev:4; )



Topic revision: r2 - 2011-01-10 - NlKiw
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats