#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST"; http_method; content:"/frame.html?"; http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/2009173; classtype:trojan-activity; sid:2009173; rev:5;)

Added 2011-11-11 17:39:38 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST"; http_method; content:"/frame.html?"; http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/2009173; classtype:trojan-activity; sid:2009173; rev:5;)

Added 2011-10-12 19:26:47 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST"; http_method; content:"/frame.html?"; http_uri; urilen: > 80; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009173; sid:2009173; rev:5;)

Added 2011-09-14 22:40:09 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST"; http_method; content:"/frame.html?"; http_uri; urilen: > 80; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009173; rev:5;)

Added 2011-03-12 13:00:45 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"/frame.html?"; http_uri; urilen: > 80; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009173; rev:4;)

Added 2011-02-04 17:28:27 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/frame.html?"; urilen: > 80; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009173; rev:2;)

Added 2009-03-30 21:00:25 UTC

Sample: this machine was also triggering the "possible vundo download" sig, so it seems a safe bet that it really is infected:

POST /frame.html?NyRTsZvgUukl6tNMI7Ar-MvLQBMR0jcmmC2nQqb5nh_lnFG8MD03c1UFcjMEBHMKMFglMQQxRg00NEIJMDJCAzQ1RiaNNkITMKh0UgI HTTP/1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) Wi nNT 5.1..Host: pancolp.com..Content-Length: 195..Cache-Contr ol: no-cache....NyRTsZvgUukl6tNMI7Ar-MvLQBMR0jcmmC2nQqb5nh_l nFG8MD03c1UFcjMEBHMKMFglMQQxRg00NEIJMDJCAzQ1RiaNNkITMKh0UgI- RTMOBGkyDgROKzU0QkZMRC5sRlEwAzQ0QgM0NEIDNDRCAzQ0QgM1NEIDNDRC? AzQ0QgM5JPYak4JnZiXq3vPLy738y8s?

-- RussellFulton - 20 Apr 2009


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/frame.html?"; urilen: > 80; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009173; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009173; rev:2;)

Added 2009-03-30 21:00:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/frame.html?"; urilen: > 80; classtype:trojan-activity; sid:2009173; rev:1;)

Added 2009-03-30 11:45:25 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo Trojan Variant reporting to Controller"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/frame.html?"; urilen: > 80; classtype:trojan-activity; sid:2009173; rev:1;)

Added 2009-03-30 11:43:51 UTC


alert tcp $HOME_NET any -> [210.51.7.155,221.5.250.98,61.188.87.58,218.241.153.61,58.141.132.66,221.10.254.248,124.135.97.21,125.108.172.81] [$HTTP_PORTS,8000,4501,8005] (msg:"ET CURRENT_EVENTS Malware Communication with Control Servers (Possible GhostNet? Related Activity)"; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; classtype:trojan-activity; sid:2009173; rev:1;)

Added 2009-03-30 10:00:23 UTC


alert tcp $HOME_NET any -> [210.51.7.155,221.5.250.98,61.188.87.58,218.241.153.61,58.141.132.66,221.10.254.248,124.135.97.21,125.108.172.81] [$HTTP_PORTS,8000,4501,8005] (msg:"ET CURRENT_EVENTS Malware Communication with Control Servers (Possible GhostNet? Related Activity)"; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; classtype:trojan-activity; sid:2009173; rev:1;)

Added 2009-03-30 10:00:23 UTC


 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats