# sid:2001999 rev:8 (current) -- fires on an outbound, established HTTP request from $HOME_NET
# whose normalized URI (http_uri) contains both "/a/Drk.syn?" and "adcontext=", case-insensitive.
# The two strings are matched separately so the adcontext= parameter may sit anywhere in the
# query string rather than immediately after the "?". Compared with rev:7, the uricontent
# keyword has been replaced by content + http_uri; the match strings are unchanged.
# Example hit (sample request further down this page): GET /a/Drk.syn?bho=...&adcontext=ROUTINE_CHECKIN&...
# with Host: btg.btgrab.com.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content:"adcontext="; nocase; http_uri; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; classtype:trojan-activity; sid:2001999; rev:8;)

Added 2011-10-12 19:11:07 UTC


# sid:2001999 rev:8 (earlier copy of the same revision) -- identical detection logic to the
# current rev:8 text: two case-insensitive http_uri matches, "/a/Drk.syn?" and "adcontext=".
# Only option ordering differs (classtype placed before the reference options).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content:"adcontext="; nocase; http_uri; classtype: trojan-activity; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; sid:2001999; rev:8;)

Added 2011-09-14 21:11:26 UTC


# sid:2001999 rev:8 (first rev:8 text, 2011-02-04) -- same two http_uri matches as the later
# rev:8 copies; this version still carries the extra cvsweb reference to the old
# MALWARE_BTGrab.com signature file, which later copies drop.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; content:"/a/Drk.syn?"; nocase; http_uri; content:"adcontext="; nocase; http_uri; classtype: trojan-activity; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_BTGrab.com; sid:2001999; rev:8;)

Added 2011-02-04 17:21:40 UTC


# sid:2001999 rev:7 -- uricontent form (pre-http_uri syntax). The single "/a/Drk.syn?adcontext="
# match of rev:6 is split into two case-insensitive matches, "/a/Drk.syn?" and "adcontext=",
# so adcontext= no longer has to be the first query-string parameter.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent:"adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_BTGrab.com; sid:2001999; rev:7;)

Added 2010-06-23 13:46:05 UTC

GET /a/Drk.syn?bho=aurora.exe&InstID={CC977BCA-B2A6-41AD-A177-0F53B041B709}&DistID=1|906|0|0|THNALL~1.EXE&countrycodein=US&lastAdTime=1162995904||1151526015|||||1145910239||&lastAdCode=1&NumWindows=0&VSN=3CDF5E5B&MA=000103BBDDF0&HN=IBT17_7&PI=55274-OEM-0048504-44616&budver=2000108&status=1&adcontext=ROUTINE_CHECKIN&TM=-1&ads5m=0&ads1h=0&ads24h=0&adsClkh=30&ads7d=20&tmsys=5l5cojatax&tmac=5l5coqataq&act1h=0&act24h=Z162a40302aZ04283e56&actClkh=3Z0ehbh09a66b964db82e666&act7d=20&smode=9&cookie1=capdate%3D089%26capdatedy%3D1108%26capcntdy%3D1%26capcnt%3D1%26lupgtry%3D1%26lflshdt%3D1121089794%26lupgdt%3D1171938358424%26lupgid%3D0%26lstlogdt%3D20071010%26cntp%3Dnull%26&cookie2=rcntr%3D1%26rtmr%3D312%26fstcidt%3D1121089794911%26&cookie3=1-1140558311-18229:70044:17427:18000-87780:582581&cookie4=1&event=0&inststat=axed HTTP/1.1
User-Agent: {CC977BCA-B2A6-41AD-A177-0F53B041B709}|0.21.5.114
Host: btg.btgrab.com
Cookie: parkinglot=1

-- JackPepper - 23 Sep 2010


# sid:2001999 rev:7 (duplicate listing of the 2010-06-23 text) -- two uricontent matches,
# "/a/Drk.syn?" and "adcontext=", both nocase; same logic as the copy above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent:"adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_BTGrab.com; sid:2001999; rev:7;)

Added 2010-06-23 13:46:05 UTC


# sid:2001999 rev:7 (2009-11-18, the fix posted after the false-negative report on this page) --
# first revision to match "/a/Drk.syn?" and "adcontext=" as two separate uricontent options.
# Differs from the 2010-06-23 copies only by a space after "sid:".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent:"adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_BTGrab.com; sid: 2001999; rev:7;)

Added 2009-11-18 15:30:39 UTC


# sid:2001999 rev:7 (duplicate listing of the 2009-11-18 text) -- two nocase uricontent
# matches, "/a/Drk.syn?" and "adcontext="; identical to the copy above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent:"adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_BTGrab.com; sid: 2001999; rev:7;)

Added 2009-11-18 15:30:39 UTC


# sid:2001999 rev:6 -- single uricontent match "/a/Drk.syn?adcontext=" (nocase). Because the
# match is one contiguous string, it only fires when adcontext= is the very first query
# parameter; the 18 Nov 2009 note on this page reports false negatives for that reason,
# and rev:7 splits the match in two. Adds the emergingthreats doc and cvsweb references.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_BTGrab.com; sid: 2001999; rev:6;)

Added 2009-02-08 17:15:23 UTC

The adcontext= parameter isn't always the first one in the query string, so the single uricontent match on "/a/Drk.syn?adcontext=" misses those requests, leading to false negatives.

-- JustinAzoff - 18 Nov 2009

Fix made, posting momentarily. Thanks Justin!

-- MattJonkman - 18 Nov 2009


# sid:2001999 rev:6 (duplicate listing of the 2009-02-08 text) -- single contiguous
# uricontent match "/a/Drk.syn?adcontext=", i.e. adcontext= must immediately follow the "?".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_BTGrab.com; sid: 2001999; rev:6;)

Added 2009-02-08 17:15:23 UTC


# sid:2001999 rev:5 -- same single uricontent match "/a/Drk.syn?adcontext=" as rev:6, with only
# the btgrab.com and CA pest-database references (no emergingthreats links yet).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; sid: 2001999; rev:5;)

Added 2008-01-28 17:24:16 UTC


# sid:2001999 rev:5 (duplicate listing of the 2008-01-28 text) -- single uricontent match
# "/a/Drk.syn?adcontext=", nocase; identical to the copy above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; sid: 2001999; rev:5;)

Added 2008-01-28 17:24:16 UTC


# sid:2001999 rev:4 -- oldest listed revision, from the BLEEDING-EDGE naming era. Detection
# logic is the same as rev:5 (single nocase uricontent "/a/Drk.syn?adcontext="); only the msg
# prefix differs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; sid: 2001999; rev:4; )


