# sid 2008275, rev 4. The leading '#' means the rule is stored disabled and will not alert unless uncommented.
# Matches an established client-to-server request from $HOME_NET to $EXTERNAL_NET whose HTTP URI
# contains all six strings, each case-insensitive: /stat.htm?id=  &agt=  &r=http  &OS=  &ntime=  &rtime=
# No distance/within modifiers are used, so the six strings may appear in any order within the URI.
# Only ports in $HTTP_PORTS are inspected; a check-in sent to any other port is not covered by this rule.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop Checkin"; flow:established,to_server; content:"/stat.htm?id="; nocase; http_uri; content:"&agt="; nocase; http_uri; content:"&r=http"; http_uri; nocase; content:"&OS="; nocase; http_uri; content:"&ntime="; nocase; http_uri; content:"&rtime="; nocase; http_uri; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; reference:url,doc.emergingthreats.net/2008275; classtype:trojan-activity; sid:2008275; rev:4;)

Added 2011-10-12 19:24:48 UTC


# sid 2008275, rev 4, stored disabled (leading '#').
# Detection options are the same six case-insensitive http_uri content matches; this text differs from the
# other rev:4 entries only in metadata order (classtype placed before the references) and in the missing
# space after the last "http_uri;", which is cosmetic and should not affect parsing.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop Checkin"; flow:established,to_server; content:"/stat.htm?id="; nocase; http_uri; content:"&agt="; nocase; http_uri; content:"&r=http"; http_uri; nocase; content:"&OS="; nocase; http_uri; content:"&ntime="; nocase; http_uri; content:"&rtime="; nocase; http_uri;classtype:trojan-activity; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; reference:url,doc.emergingthreats.net/2008275; sid:2008275; rev:4;)

Added 2011-09-14 22:38:15 UTC


# sid 2008275, rev 4, stored disabled (leading '#'). Earliest rev:4 text on this page; it still carries
# the cvsweb reference that the later rev:4 texts drop.
# NOTE(review): several different rule texts on this page share sid 2008275 / rev 4 (they differ only in
# references and option order), so sid+rev alone does not identify which text a sensor has loaded.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop Checkin"; flow:established,to_server; content:"/stat.htm?id="; nocase; http_uri; content:"&agt="; nocase; http_uri; content:"&r=http"; http_uri; nocase; content:"&OS="; nocase; http_uri; content:"&ntime="; nocase; http_uri; content:"&rtime="; nocase; http_uri;classtype:trojan-activity; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; reference:url,doc.emergingthreats.net/2008275; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hitpop; sid:2008275; rev:4;)

Added 2011-02-04 17:27:23 UTC


# sid 2008275, rev 3, stored disabled (leading '#').
# Uses the legacy uricontent keyword for the six URI strings; rev 4 expresses the same matches as
# content + http_uri. The strings, nocase handling and flow direction are unchanged between the two.
# As there are no relative modifiers, the six strings are matched anywhere in the URI, in any order.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop Checkin"; flow:established,to_server; uricontent:"/stat.htm?id="; nocase; uricontent:"&agt="; nocase; uricontent:"&r=http"; nocase; uricontent:"&OS="; nocase; uricontent:"&ntime="; nocase; uricontent:"&rtime="; nocase; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008275; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hitpop; sid:2008275; rev:3;)

Added 2009-02-12 18:21:17 UTC


# sid 2008275, rev 3, stored disabled (leading '#'). Second listing of the rev 3 text: the rule and its
# "Added" timestamp are the same as in the other rev 3 entry on this page.
# Requires all six uricontent strings (case-insensitive) in one client-to-server HTTP URI.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop Checkin"; flow:established,to_server; uricontent:"/stat.htm?id="; nocase; uricontent:"&agt="; nocase; uricontent:"&r=http"; nocase; uricontent:"&OS="; nocase; uricontent:"&ntime="; nocase; uricontent:"&rtime="; nocase; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008275; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hitpop; sid:2008275; rev:3;)

Added 2009-02-12 18:21:17 UTC


# sid 2008275, rev 2, stored disabled (leading '#'). The only reference is the Arbor analysis PDF.
# Per the discussion on this page, the URI pattern was derived from sandnet captures and the Arbor
# document is general background on the trojan, so the six matched strings should not be expected there.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop Checkin"; flow:established,to_server; uricontent:"/stat.htm?id="; nocase; uricontent:"&agt="; nocase; uricontent:"&r=http"; nocase; uricontent:"&OS="; nocase; uricontent:"&ntime="; nocase; uricontent:"&rtime="; nocase; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; classtype:trojan-activity; sid:2008275; rev:2;)

Added 2008-06-10 05:49:42 UTC

How does this rule reflect what's documented in Arbor's documentation? I fail to see any connection.

-- TomBicer - 10 Jun 2008

The Arbor docs describe the trojan only in general terms. There isn't anything more specific that we're aware of. The rule was made from sandnet captures.

-- MattJonkman - 12 Jun 2008


# sid 2008275, rev 2, stored disabled (leading '#'). Second listing of the disabled rev 2 text, with
# the same "Added" timestamp as the other disabled rev 2 entry on this page.
# Requires all six uricontent strings (case-insensitive) in one client-to-server HTTP URI.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop Checkin"; flow:established,to_server; uricontent:"/stat.htm?id="; nocase; uricontent:"&agt="; nocase; uricontent:"&r=http"; nocase; uricontent:"&OS="; nocase; uricontent:"&ntime="; nocase; uricontent:"&rtime="; nocase; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; classtype:trojan-activity; sid:2008275; rev:2;)

Added 2008-06-10 05:49:42 UTC


# sid 2008275, rev 2, enabled (no leading '#').
# NOTE(review): the disabled rev 2 entries on this page differ from this text only by the leading '#',
# so the rule was switched off without a rev bump; check the rule file itself, not the rev number,
# to know whether a given sensor is actually alerting on this signature.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop Checkin"; flow:established,to_server; uricontent:"/stat.htm?id="; nocase; uricontent:"&agt="; nocase; uricontent:"&r=http"; nocase; uricontent:"&OS="; nocase; uricontent:"&ntime="; nocase; uricontent:"&rtime="; nocase; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; classtype:trojan-activity; sid:2008275; rev:2;)

Added 2008-05-31 10:19:57 UTC


# sid 2008275, rev 2, enabled (no leading '#'). Second listing of the enabled rev 2 text, with the
# same "Added" timestamp as the other enabled rev 2 entry on this page.
# Alerts on outbound HTTP requests whose URI contains all six uricontent strings, case-insensitively.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop Checkin"; flow:established,to_server; uricontent:"/stat.htm?id="; nocase; uricontent:"&agt="; nocase; uricontent:"&r=http"; nocase; uricontent:"&OS="; nocase; uricontent:"&ntime="; nocase; uricontent:"&rtime="; nocase; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; classtype:trojan-activity; sid:2008275; rev:2;)

Added 2008-05-31 10:19:57 UTC


# sid 2008275, rev 1, enabled (no leading '#'). Original form of the signature, with no reference options.
# The detection part already has the shape kept by every later revision on this page: six
# case-insensitive URI strings, all required, on an established client-to-server flow to $HTTP_PORTS.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop Checkin"; flow:established,to_server; uricontent:"/stat.htm?id="; nocase; uricontent:"&agt="; nocase; uricontent:"&r=http"; nocase; uricontent:"&OS="; nocase; uricontent:"&ntime="; nocase; uricontent:"&rtime="; nocase; classtype:trojan-activity; sid:2008275; rev:1;)

Added 2008-05-30 08:07:25 UTC


Topic revision: r3 - 2008-06-12 - MattJonkman
 