# sid 2009156 rev:9 - alerts on an established, client-to-server HTTP POST from $HOME_NET
# whose URI contains ".php" (nocase) and whose request body contains all thirteen
# parameter markers below ("f=" through "&c_yb=").
# None of the http_client_body contents carries distance/within, so each is matched
# independently: parameter order and adjacency are NOT enforced (the rev:5 and earlier
# texts on this page chained the same markers with distance:0).
# Individual markers such as "f=" are very short; specificity comes only from requiring
# all thirteen in the same request body.
# The header protocol is "http", but the destination port is still limited to $HTTP_PORTS;
# a check-in sent to a port outside that variable is not covered by this rule.
# NOTE(review): metadata created_at is 2010_09_28, yet this page lists texts for this sid
# added in 2009 - do not treat created_at as a first-seen date.
alert http $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface Checkin via POST"; flow: to_server,established; content:"POST"; http_method; content:".php"; http_uri; nocase; content:"f="; http_client_body; content:"&a="; http_client_body; content:"&v="; http_client_body; content:"&c="; http_client_body; content:"&s="; http_client_body; content:"&l="; http_client_body; content:"&ck="; http_client_body; content:"&c_fb="; http_client_body; content:"&c_ms="; http_client_body; content:"&c_hi="; http_client_body; content:"&c_be="; http_client_body; content:"&c_fr="; http_client_body; content:"&c_yb="; http_client_body; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; classtype:trojan-activity; sid:2009156; rev:9; metadata:created_at 2010_09_28, updated_at 2010_09_28;)

Added 2017-08-07 21:02:18 UTC


# sid 2009156 rev:8 (text added 2011-10-12) - same detection options as the 2011-09-14 text
# on this page; the only visible difference is that classtype now follows the reference options.
# Header protocol is tcp; the HTTP buffers are selected by the http_method / http_uri /
# http_client_body content modifiers.
# The thirteen body markers have no distance/within, so their order is not enforced.
# NOTE(review): three different rule texts on this page all carry rev:8, so sid+rev alone
# does not identify which text a sensor is running - compare the full rule when auditing.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface Checkin via POST"; flow: to_server,established; content:"POST"; http_method; content:".php"; http_uri; nocase; content:"f="; http_client_body; content:"&a="; http_client_body; content:"&v="; http_client_body; content:"&c="; http_client_body; content:"&s="; http_client_body; content:"&l="; http_client_body; content:"&ck="; http_client_body; content:"&c_fb="; http_client_body; content:"&c_ms="; http_client_body; content:"&c_hi="; http_client_body; content:"&c_be="; http_client_body; content:"&c_fr="; http_client_body; content:"&c_yb="; http_client_body; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; classtype:trojan-activity; sid:2009156; rev:8;)

Added 2011-10-12 19:26:44 UTC


# sid 2009156 rev:8 (text added 2011-09-14) - detection options are the same as the
# 2011-02-04 text on this page; the cvsweb reference URL has been dropped, leaving the
# VirusTotal and doc.emergingthreats.net references.
# Matches an established client-to-server POST to a ".php" URI (nocase) whose body contains
# all thirteen markers; with no distance/within on them, any order satisfies the rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface Checkin via POST"; flow: to_server,established; content:"POST"; http_method; content:".php"; http_uri; nocase; content:"f="; http_client_body; content:"&a="; http_client_body; content:"&v="; http_client_body; content:"&c="; http_client_body; content:"&s="; http_client_body; content:"&l="; http_client_body; content:"&ck="; http_client_body; content:"&c_fb="; http_client_body; content:"&c_ms="; http_client_body; content:"&c_hi="; http_client_body; content:"&c_be="; http_client_body; content:"&c_fr="; http_client_body; content:"&c_yb="; http_client_body; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; sid:2009156; rev:8;)

Added 2011-09-14 22:40:07 UTC


# sid 2009156 rev:8 (text added 2011-02-04) - first text on this page that uses HTTP buffer
# modifiers: "POST" in http_method, ".php" in http_uri, and the thirteen parameter markers
# in http_client_body, replacing the raw-payload contents of rev:5.
# Behavioural difference from rev:5: the distance:0 chain is gone, so the markers no longer
# have to appear in the listed order; each only has to occur somewhere in the request body.
# NOTE(review): the looser ordering can widen matches to unrelated forms that happen to use
# the same parameter names - review alerts with the full POST body before attributing them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface Checkin via POST"; flow: to_server,established; content:"POST"; http_method; content:".php"; http_uri; nocase; content:"f="; http_client_body; content:"&a="; http_client_body; content:"&v="; http_client_body; content:"&c="; http_client_body; content:"&s="; http_client_body; content:"&l="; http_client_body; content:"&ck="; http_client_body; content:"&c_fb="; http_client_body; content:"&c_ms="; http_client_body; content:"&c_hi="; http_client_body; content:"&c_be="; http_client_body; content:"&c_fr="; http_client_body; content:"&c_yb="; http_client_body; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2009156; rev:8;)

Added 2011-02-04 17:28:25 UTC


# sid 2009156 rev:5 (text added 2010-08-05) - raw-payload form of the signature.
# "POST " with depth:5 must sit at the very start of the inspected payload; uricontent
# requires ".php" (nocase) in the URI.
# After a CRLF CRLF sequence (normally the header/body separator) the thirteen markers are
# chained with distance:0, so they must occur in exactly this order, though not adjacently.
# Compared with the rev:4 text on this page only the msg changed
# ("Unknown Dropper Checkin" -> "Koobface Checkin via POST").
# NOTE(review): because this matches raw payload, whether the request line and body are seen
# together presumably depends on the sensor's stream reassembly - confirm for your deployment.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface Checkin via POST"; flow: to_server,established; content:"POST "; depth:5; uricontent:".php"; nocase; content:"|0d 0a 0d 0a|"; content:"f="; distance:0; content:"&a="; distance:0; content:"&v="; distance:0; content:"&c="; distance:0; content:"&s="; distance:0; content:"&l="; distance:0; content:"&ck="; distance:0; content:"&c_fb="; distance:0; content:"&c_ms="; distance:0; content:"&c_hi="; distance:0; content:"&c_be="; distance:0; content:"&c_fr="; distance:0; content:"&c_yb="; distance:0; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2009156; rev:5;)

Added 2010-08-05 10:01:03 UTC


# sid 2009156 rev:5 - same rule text and same "Added" timestamp (2010-08-05 10:01:03 UTC)
# as the other rev:5 entry on this page; it appears to be a duplicate history record.
# Raw-payload form: "POST " at payload start, ".php" in the URI, then the thirteen markers
# in fixed order (distance:0 chain) after a CRLF CRLF sequence.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface Checkin via POST"; flow: to_server,established; content:"POST "; depth:5; uricontent:".php"; nocase; content:"|0d 0a 0d 0a|"; content:"f="; distance:0; content:"&a="; distance:0; content:"&v="; distance:0; content:"&c="; distance:0; content:"&s="; distance:0; content:"&l="; distance:0; content:"&ck="; distance:0; content:"&c_fb="; distance:0; content:"&c_ms="; distance:0; content:"&c_hi="; distance:0; content:"&c_be="; distance:0; content:"&c_fr="; distance:0; content:"&c_yb="; distance:0; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2009156; rev:5;)

Added 2010-08-05 10:01:03 UTC


# sid 2009156 rev:4 (text added 2009-05-11) - the traffic was not yet attributed in the msg
# ("Unknown Dropper Checkin"); detection options are the same as in the rev:5 text on this page.
# Relative to the rev:3 text, only the msg category prefix changed (ET MALWARE -> ET TROJAN).
# Raw-payload form: "POST " at payload start, ".php" in the URI, then the thirteen markers
# in fixed order (distance:0 chain) after a CRLF CRLF sequence.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Dropper Checkin"; flow: to_server,established; content:"POST "; depth:5; uricontent:".php"; nocase; content:"|0d 0a 0d 0a|"; content:"f="; distance:0; content:"&a="; distance:0; content:"&v="; distance:0; content:"&c="; distance:0; content:"&s="; distance:0; content:"&l="; distance:0; content:"&ck="; distance:0; content:"&c_fb="; distance:0; content:"&c_ms="; distance:0; content:"&c_hi="; distance:0; content:"&c_be="; distance:0; content:"&c_fr="; distance:0; content:"&c_yb="; distance:0; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2009156; rev:4;)

Added 2009-05-11 20:45:34 UTC


# sid 2009156 rev:4 - same rule text and same "Added" timestamp (2009-05-11 20:45:34 UTC)
# as the other rev:4 entry on this page; it appears to be a duplicate history record.
# Raw-payload form with the thirteen markers required in fixed order via distance:0.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Dropper Checkin"; flow: to_server,established; content:"POST "; depth:5; uricontent:".php"; nocase; content:"|0d 0a 0d 0a|"; content:"f="; distance:0; content:"&a="; distance:0; content:"&v="; distance:0; content:"&c="; distance:0; content:"&s="; distance:0; content:"&l="; distance:0; content:"&ck="; distance:0; content:"&c_fb="; distance:0; content:"&c_ms="; distance:0; content:"&c_hi="; distance:0; content:"&c_be="; distance:0; content:"&c_fr="; distance:0; content:"&c_yb="; distance:0; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2009156; rev:4;)

Added 2009-05-11 20:45:34 UTC


# sid 2009156 rev:3 (text added 2009-03-23) - earliest text listed on this page, published
# under the msg "ET MALWARE Unknown Dropper Checkin".
# Alerts on an established client-to-server flow to $HTTP_PORTS where the payload starts with
# "POST " (depth:5), the URI contains ".php" (nocase), and a CRLF CRLF sequence is followed by
# the thirteen parameter markers in exactly the listed order (each has distance:0).
# The short markers are individually weak; the fixed ordering plus the requirement for all
# thirteen is what makes the match specific.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Unknown Dropper Checkin"; flow: to_server,established; content:"POST "; depth:5; uricontent:".php"; nocase; content:"|0d 0a 0d 0a|"; content:"f="; distance:0; content:"&a="; distance:0; content:"&v="; distance:0; content:"&c="; distance:0; content:"&s="; distance:0; content:"&l="; distance:0; content:"&ck="; distance:0; content:"&c_fb="; distance:0; content:"&c_ms="; distance:0; content:"&c_hi="; distance:0; content:"&c_be="; distance:0; content:"&c_fr="; distance:0; content:"&c_yb="; distance:0; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2009156; rev:3;)

Added 2009-03-23 19:06:07 UTC

Looks like Koobface.

-- CharlesConn - 27 Apr 2009


Topic revision: r2 - 2009-04-27 - CharlesConn
 