#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Windows executable sent when remote host claims to send Javascript"; flow:established,from_server; content:"Content-Type|3a| application/"; http_header; content:"javascript|0d 0a|"; within:14; fast_pattern; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; classtype:trojan-activity; sid:2008367; rev:6;)

Added 2012-03-07 18:44:59 UTC


alert tcp $EXTERNAL_NET 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; classtype:trojan-activity; sid:2008367; rev:4;)

Added 2011-10-12 19:24:59 UTC


alert tcp $EXTERNAL_NET 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; sid:2008367; rev:4;)

Added 2011-09-14 22:38:26 UTC


alert tcp $EXTERNAL_NET 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008367; rev:4;)

Added 2011-02-04 17:27:32 UTC


alert tcp $EXTERNAL_NET 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008367; rev:4;)

Added 2009-09-14 17:00:37 UTC


alert tcp $EXTERNAL_NET 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008367; rev:4;)

Added 2009-09-14 17:00:37 UTC


alert tcp $EXTERNAL_NET 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008367; rev:4;)

Added 2009-09-14 16:59:37 UTC


alert tcp $EXTERNAL_NET 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008367; rev:4;)

Added 2009-09-14 16:59:37 UTC


alert tcp $EXTERNAL_NET 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established; content:"|0d 0a|Content-Type\: application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008367; rev:3;)

Added 2009-02-08 17:30:23 UTC


alert tcp $EXTERNAL_NET 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established; content:"|0d 0a|Content-Type\: application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008367; rev:3;)

Added 2009-02-08 17:30:23 UTC


alert tcp $EXTERNAL_NET 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established; content:"|0d 0a|Content-Type\: application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; sid:2008367; rev:2;)

Added 2008-07-07 09:38:10 UTC


alert tcp $EXTERNAL_NET 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established; content:"|0d 0a|Content-Type\: application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; sid:2008367; rev:2;)

Added 2008-07-07 09:38:10 UTC


alert tcp any 20 -> $HOME_NET 25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established; content:"|0d 0a|Content-Type\: application/x-javascript"; content:"|0d 0a|MZ"; within: 15; classtype: trojan-activity; sid:2008367; rev:1;)

Added 2008-07-03 15:30:00 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Keylogger checkin"; flow:established; content:"GET"; depth:4; uricontent:"?mail="; uricontent:"subject=Keylogger"; uricontent:"&body="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1)"; nocase; classtype:trojan-activity; sid:2008367; rev:1;)

Added 2008-07-03 15:24:48 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Keylogger checkin"; flow:established; content:"GET"; depth:4; uricontent:"?mail="; uricontent:"subject=Keylogger"; uricontent:"&body="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1)"; nocase; classtype:trojan-activity; sid:2008367; rev:1;)

Added 2008-07-03 15:24:48 UTC


Topic revision: r1 - 2012-03-07 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats