alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mydoom.O@mm HTTP Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"&kgs=0&kls=0&nbq="; classtype:trojan-activity; sid:2008844; rev:1;)
Added 2008-12-03 17:49:56 UTC
This seems to go off for www.altavista.com requests which point to a Yahoo DNS entry. 72.30.186.25 is the host I got:
GET /web/results/?q=query.&kgs=0&kls=0&nbq=25&stq=50
The uricontent parameters align with the default search terms.
--
ChrisGreen - 08 Jan 2009
Thanks for the report. I've removed the sig. There's no real better way to put it, and the trojan is faded away anyway. Thanks for the report!!
--
MattJonkman - 09 Jan 2009
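As an added illustration (not part of this thread and not ET code), the following re-implements the two payload checks of sid:2008844 and runs them against the AltaVista request line Chris quoted, showing why the benign search fires the rule. Snort's HTTP URI normalisation, flow tracking and port checks are left out; the headers and the two extra requests are constructed.

```python
"""Model the content/depth and uricontent checks of ET sid:2008844 and
evaluate them against sample HTTP requests (added example, not ET code)."""
from urllib.parse import urlsplit, parse_qsl

RULE_CONTENT = b"GET "                  # content:"GET "; depth:4
RULE_DEPTH = 4                          # match must sit in the first 4 bytes
RULE_URICONTENT = b"&kgs=0&kls=0&nbq="  # uricontent:"&kgs=0&kls=0&nbq="


def request_uri(raw: bytes) -> bytes:
    """Return the request-target from the first line of an HTTP request."""
    first_line = raw.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1]


def matches_sid_2008844(raw: bytes) -> bool:
    """True when both payload conditions of the rule hold for this request."""
    # depth:4 limits the search for "GET " to the first four payload bytes
    if RULE_CONTENT not in raw[:RULE_DEPTH]:
        return False
    # uricontent is a plain substring test against the request URI
    return RULE_URICONTENT in request_uri(raw)


def matched_query_params(raw: bytes) -> dict[str, str]:
    """Query parameters of the request that the uricontent string covers."""
    query = urlsplit(request_uri(raw).decode("ascii", "replace")).query
    wanted = {"kgs", "kls", "nbq"}
    return {k: v for k, v in parse_qsl(query) if k in wanted}


# Constructed samples: the first request line is the one quoted in the
# thread; its Host header and the other two requests are made up here.
ALTAVISTA_REQUEST = (b"GET /web/results/?q=query.&kgs=0&kls=0&nbq=25&stq=50 HTTP/1.1\r\n"
                     b"Host: www.altavista.com\r\n\r\n")
OTHER_SEARCH = (b"GET /web/results/?q=query.&nbq=25 HTTP/1.1\r\n"
                b"Host: www.altavista.com\r\n\r\n")
POST_WITH_STRING = (b"POST /web/results/?&kgs=0&kls=0&nbq=25 HTTP/1.1\r\n"
                    b"Host: example.invalid\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("altavista", ALTAVISTA_REQUEST), ("other", OTHER_SEARCH),
                      ("post", POST_WITH_STRING)]:
        print(name, matches_sid_2008844(req), matched_query_params(req))
```

Only the AltaVista request matches, because its default search parameters carry the exact `&kgs=0&kls=0&nbq=` substring the rule keys on; the POST variant fails the `content:"GET "; depth:4` check even though its URI contains the string.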