alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&tick="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&smtp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008189; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; classtype:trojan-activity; sid:2008189; rev:5; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:01:22 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&tick="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&smtp="; nocase; http_uri; reference:url,doc.emergingthreats.net/2008189; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; classtype:trojan-activity; sid:2008189; rev:4;)

Added 2011-10-12 19:24:37 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&tick="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&smtp="; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; sid:2008189; rev:4;)

Added 2011-09-14 22:38:04 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; content:"?id="; nocase; http_uri; content:"&tick="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&smtp="; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; sid:2008189; rev:4;)

Added 2011-02-04 17:27:17 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; uricontent:"?id="; nocase; uricontent:"&tick="; nocase; uricontent:"&ver="; nocase; uricontent:"&smtp="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; sid:2008189; rev:3;)

Added 2009-05-11 11:00:34 UTC

There can be false positives with this if users are doing queries to korea's v. of yahoo.

-- DanielClemens - 26 May 2009

machine tickling this sig was found to have this on it:

http://www.2-spyware.com/remove-additional-guard.html

-- RussellFulton - 05 Feb 2010


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; uricontent:"?id="; nocase; uricontent:"&tick="; nocase; uricontent:"&ver="; nocase; uricontent:"&smtp="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools; reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; sid:2008189; rev:3;)

Added 2009-05-11 11:00:34 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy Or Similar HTTP Checkin"; flow:established,to_server; uricontent:"alive.php?id="; nocase; uricontent:"&tick="; nocase; uricontent:"&ver="; nocase; uricontent:"&smtp="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools; sid:2008189; rev:2;)

Added 2009-02-12 18:21:16 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy Or Similar HTTP Checkin"; flow:established,to_server; uricontent:"alive.php?id="; nocase; uricontent:"&tick="; nocase; uricontent:"&ver="; nocase; uricontent:"&smtp="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools; sid:2008189; rev:2;)

Added 2009-02-12 18:21:16 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool?.Win32.Agent.gy Or Similar HTTP Checkin"; flow:established,to_server; uricontent:"alive.php?id="; nocase; uricontent:"&tick="; nocase; uricontent:"&ver="; nocase; uricontent:"&smtp="; nocase; classtype:trojan-activity; sid:2008189; rev:1;)

Added 2008-05-06 18:19:57 UTC

sample:

GET /spm/s_alive.php?id=623470754747&tick=14663421&ver=231&smtp=bad HTTP/1.0

-- RussellFulton - 11 Dec 2008


Topic revision: r4 - 2010-02-05 - RussellFulton
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats