alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader.Win32.Agent.bwr"; flow:established,to_server; uricontent:"?m="; nocase; uricontent:"&a="; nocase; uricontent:"&hdd="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; sid:2006374; rev:1;)

Added 2007-07-06 14:11:25 UTC

URLs like this being seen in the sandnet:

http://66.246.252.213/s_55_3232235808?m=3&a=1&hdd=4457572d3454363830303335313520302020202003&os=940000000500000001000000280a00000200000053657276696365205061636b2032

Content is just hex. This sig should get it.

-- MattJonkman - 06 Jul 2007
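As an added illustration (my code, not the signature author's or Emerging Threats'), the snippet below replicates what the four `uricontent` options in the rule above test: that the strings `?m=`, `&a=`, `&hdd=` and `&os=` all occur in the request URI, case-insensitively because each has `nocase`. It runs those checks over the beacon URI from the sandnet note plus two constructed URIs, and hex-decodes the `hdd` and `os` parameters to show the "just hex" content. One caveat worth noticing when tuning: the rule matches `?m=` specifically, so a beacon that sends the same parameters in a different order (for example `?a=1&hdd=...&os=...&m=3`, which is a constructed variant, not something the note reports) would not fire it.

```python
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The four uricontent patterns from the rule. Snort tests each one as a
# substring of the normalized URI (path + query); with "nocase" the test is
# case-insensitive, so we lowercase before comparing.
URICONTENT = ["?m=", "&a=", "&hdd=", "&os="]

# Sample inputs. BEACON_URI is the one quoted in the sandnet note; the other
# two are constructed here to show a non-match and the parameter-order caveat.
BEACON_URI = (
    "http://66.246.252.213/s_55_3232235808?m=3&a=1"
    "&hdd=4457572d3454363830303335313520302020202003"
    "&os=940000000500000001000000280a00000200000053657276696365205061636b2032"
)
BENIGN_URI = "http://example.invalid/search?m=3&a=1&q=hello"          # constructed
REORDERED_URI = "http://example.invalid/s?a=1&hdd=4142&os=4344&m=3"   # constructed


def matches_rule(uri: str) -> bool:
    """True when every uricontent pattern occurs in the URI (nocase)."""
    u = uri.lower()
    return all(pattern in u for pattern in URICONTENT)


def hex_param(uri: str, name: str) -> Optional[bytes]:
    """Return the hex-decoded value of query parameter `name`, or None if it
    is absent or is not valid hex."""
    values = parse_qs(urlsplit(uri).query).get(name)
    if not values:
        return None
    try:
        return bytes.fromhex(values[0])
    except ValueError:
        return None


def printable(data: bytes) -> str:
    """Render bytes for an analyst's eye: printable ASCII kept, the rest as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


def triage(uri: str) -> dict:
    """Summarize one URI: does the rule fire, and what do hdd/os decode to."""
    hdd = hex_param(uri, "hdd")
    os_ = hex_param(uri, "os")
    return {
        "fires": matches_rule(uri),
        "hdd": printable(hdd) if hdd is not None else None,
        "os": printable(os_) if os_ is not None else None,
    }


if __name__ == "__main__":
    for label, uri in [("beacon", BEACON_URI), ("benign", BENIGN_URI), ("reordered", REORDERED_URI)]:
        print(label, triage(uri))
```

Running it shows the beacon firing while the benign URI (no `hdd`/`os`) and the reordered variant do not; the decoded `hdd` value is a printable drive-identifier-like string and the `os` blob ends in the text "Service Pack 2", consistent with the note's observation that the content is plain hex rather than obfuscated.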


Topic revision: r2 - 2007-07-06 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats