alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"BLEEDING-EDGE TROJAN Win32.Pakes Post Parameters Detected (X-BI, X-TM)"; flow:established,to_server; dsize:<200; content:"GET "; depth:4; content:"|0d 0a|X-Flags\: "; content:"|0d 0a|X-TM\: "; distance:0; content:"|0d 0a|X-BI\: "; distance:0; content:!"User-Agent\: "; nocase; classtype:trojan-activity; sid:2007662; rev:1;)

Added 2007-11-05 00:32:22 UTC

Post on a high port, looks like so:

0000   47 45 54 20 2f 67 2f 37 31 41 36 41 45 2d 37 45  GET /g/71A6AE-7E
0010   44 37 39 36 2d 32 34 30 30 44 36 20 48 54 54 50  D796-2400D6 HTTP
0020   2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 32 30 38 2e  /1.1..Host: 208.
0030   37 32 2e 31 36 39 2e 31 35 34 0d 0a 58 2d 46 6c  72.169.154..X-Fl
0040   61 67 73 3a 20 30 0d 0a 58 2d 54 4d 3a 20 33 32  ags: 0..X-TM: 32
0050   0d 0a 58 2d 42 49 3a 20 43 33 43 44 43 35 44 38  ..X-BI: C3CDC5D8
0060   39 39 44 36 43 33 43 45 39 38 0d 0a 0d 0a        99D6C3CE98....

Server returns an executable.

Please report any load or FP issues.

Matt

-- MattJonkman - 05 Nov 2007
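The rule's payload options replayed against the bytes of the dump above, as an added Python example (not code from the original post or from the Emerging Threats rule set): a small parser for the "offset / hex / ascii" dump format, and an evaluator that mirrors dsize, the ordered distance:0 header chain and the negated User-Agent check. The flow and port conditions are transport-level and are deliberately left out.

```python
import re

# Constructed from the hex dump quoted in the post (the 110-byte TCP payload).
HEXDUMP = """\
0000   47 45 54 20 2f 67 2f 37 31 41 36 41 45 2d 37 45  GET /g/71A6AE-7E
0010   44 37 39 36 2d 32 34 30 30 44 36 20 48 54 54 50  D796-2400D6 HTTP
0020   2f 31 2e 31 0d 0a 48 6f 73 74 3a 20 32 30 38 2e  /1.1..Host: 208.
0030   37 32 2e 31 36 39 2e 31 35 34 0d 0a 58 2d 46 6c  72.169.154..X-Fl
0040   61 67 73 3a 20 30 0d 0a 58 2d 54 4d 3a 20 33 32  ags: 0..X-TM: 32
0050   0d 0a 58 2d 42 49 3a 20 43 33 43 44 43 35 44 38  ..X-BI: C3CDC5D8
0060   39 39 44 36 43 33 43 45 39 38 0d 0a 0d 0a        99D6C3CE98....
"""
HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")

def parse_hexdump(text: str) -> bytes:
    """Convert an 'offset  hh hh ...  ascii' dump back into raw bytes.

    Only the hex columns are trusted; the ASCII gutter is ignored. The offset
    column is checked against the bytes recovered so far to catch dropped rows."""
    out = bytearray()
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if int(parts[0], 16) != len(out):
            raise ValueError(f"offset {parts[0]} does not match {len(out)} bytes read")
        for tok in parts[1:17]:                 # at most 16 bytes per row
            if not HEX_BYTE.fullmatch(tok):     # first gutter token ends the row
                break
            out.append(int(tok, 16))
    return bytes(out)

def matches_pakes_rule(payload: bytes) -> bool:
    """Apply the payload options of sid:2007662 to one request.

    dsize:<200; content:"GET " depth:4; three CRLF-prefixed headers matched in
    order (distance:0: each search starts where the previous match ended); and
    content:!"User-Agent: " nocase, so any User-Agent header suppresses the alert.
    flow/port conditions are transport-level and are not modelled here."""
    if len(payload) >= 200 or payload[:4] != b"GET ":
        return False
    cursor = 0
    for needle in (b"\r\nX-Flags: ", b"\r\nX-TM: ", b"\r\nX-BI: "):
        idx = payload.find(needle, cursor)
        if idx == -1:
            return False
        cursor = idx + len(needle)
    return b"user-agent: " not in payload.lower()

PAYLOAD = parse_hexdump(HEXDUMP)  # the beacon from the post, as bytes
```

Reordering the X-TM and X-BI headers, or adding any User-Agent header, makes the evaluator return False, which shows why the rule is tight against this sample but would miss a variant that changes header order.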


Topic revision: r2 - 2007-11-05 - MattJonkman