Main Webalert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&tick="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&smtp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008189; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; classtype:trojan-activity; sid:2008189; rev:4;) Added 2011-10-12 19:24:37 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&tick="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&smtp="; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; sid:2008189; rev:4;) Added 2011-09-14 22:38:04 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&tick="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&smtp="; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; sid:2008189; rev:4;) Added 2011-02-04 17:27:17 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; uricontent:"?id="; nocase; uricontent:"&tick="; nocase; uricontent:"&ver="; nocase; uricontent:"&smtp="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; sid:2008189; rev:3;) Added 2009-05-11 11:00:34 UTC There can be false positives with this if users are doing queries to korea's v. of yahoo. -- DanielClemens - 26 May 2009 machine tickling this sig was found to have this on it: http://www.2-spyware.com/remove-additional-guard.html -- RussellFulton - 05 Feb 2010
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; uricontent:"?id="; nocase; uricontent:"&tick="; nocase; uricontent:"&ver="; nocase; uricontent:"&smtp="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; sid:2008189; rev:3;) Added 2009-05-11 11:00:34 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy Or Similar HTTP Checkin"; flow:established,to_server; uricontent:"alive.php?id="; nocase; uricontent:"&tick="; nocase; uricontent:"&ver="; nocase; uricontent:"&smtp="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools; sid:2008189; rev:2;) Added 2009-02-12 18:21:16 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy Or Similar HTTP Checkin"; flow:established,to_server; uricontent:"alive.php?id="; nocase; uricontent:"&tick="; nocase; uricontent:"&ver="; nocase; uricontent:"&smtp="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools; sid:2008189; rev:2;) Added 2009-02-12 18:21:16 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy Or Similar HTTP Checkin"; flow:established,to_server; uricontent:"alive.php?id="; nocase; uricontent:"&tick="; nocase; uricontent:"&ver="; nocase; uricontent:"&smtp="; nocase; classtype:trojan-activity; sid:2008189; rev:1;) Added 2008-05-06 18:19:57 UTC sample: GET /spm/s_alive.php?id=623470754747&tick=14663421&ver=231&smtp=bad HTTP/1.0 -- RussellFulton - 11 Dec 2008
Main Web
Create New Topic
Index
Search
Changes
Preferences- User Reference
- ATasteOfTWiki
- TextFormattingRules
- Signature Reference
- WebRss Feed
- EmergingFAQ
 |
|
Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback