alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo EXE Download Attempt"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/dwn/d.html?sid="; http_uri; urilen: > 80; reference:url,doc.emergingthreats.net/2009174; classtype:trojan-activity; sid:2009174; rev:4;)

Added 2011-10-12 19:26:47 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo EXE Download Attempt"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/dwn/d.html?sid="; http_uri; urilen: > 80; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009174; sid:2009174; rev:4;)

Added 2011-09-14 22:40:09 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo EXE Download Attempt"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"/dwn/d.html?sid="; http_uri; urilen: > 80; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009174; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009174; rev:4;)

Added 2011-02-04 17:28:27 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo EXE Download Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/dwn/d.html?sid="; urilen: > 80; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009174; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Vundo; sid:2009174; rev:2;)

Added 2009-03-30 21:00:25 UTC

Sample. This machine also triggered other Vundo related sigs. I'm pretty confident this is for real

GET /dwn/d.html?sid=RB2tTyALqE93CP4ZdAT6T3EMpkgmWfsZdF6mSyQF rkknW51adAz9SCRb_050DfobdAz7H3wMqxx0CqdOcwT5HCNb_RxGO65NfQmp Q0E3rkhxDa5Jdg2mSkA5rEp1DJl4dAmYfilarUpNNKZLdA?_mSHULrw HTTP/ 1.1..User-Agent: Mozilla/4.0 (compatible; MSIE 6.0) WinNT? 5. 1..Host: 82.98.235.205..Cache-Control: no-cache....

-- RussellFulton - 20 Apr 2009
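For responders who want to test captured request lines against the rev 4 logic offline, here is an added Python check (not part of this page or the ET ruleset) that mirrors the rule's three match conditions: GET method, `/dwn/d.html?sid=` in the URI, and URI length strictly greater than 80. The sample requests and their `sid=` values are constructed for the demo, and the URI length is taken from the raw request line, which approximates Snort's `urilen`.

```python
"""Offline check mirroring ET SID 2009174 rev 4 (added example, not the rule itself)."""
from dataclasses import dataclass

URI_NEEDLE = "/dwn/d.html?sid="   # content:"/dwn/d.html?sid="; http_uri;
MIN_URILEN = 80                    # urilen: > 80 (strictly greater than)


@dataclass
class Verdict:
    matched: bool
    reason: str


def parse_request_line(raw: str):
    """Split the first line of an HTTP request into (method, uri, version); None if malformed."""
    first = raw.split("\r\n", 1)[0].split("\n", 1)[0]
    parts = first.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def check_sid_2009174(raw: str) -> Verdict:
    """Return a Verdict saying whether the request would satisfy the rule's content checks."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return Verdict(False, "not an HTTP request line")
    method, uri, _ = parsed
    if method != "GET":            # content:"GET"; depth:3; http_method;
        return Verdict(False, f"method {method!r} is not GET")
    if URI_NEEDLE not in uri:      # content:"/dwn/d.html?sid="; http_uri;
        return Verdict(False, "URI does not contain /dwn/d.html?sid=")
    if len(uri) <= MIN_URILEN:     # urilen: > 80
        return Verdict(False, f"urilen {len(uri)} is not > {MIN_URILEN}")
    return Verdict(True, f"GET {URI_NEEDLE}... with urilen {len(uri)}")


# Constructed samples (hypothetical sid values, not real indicators): one with the
# long-sid shape seen in the capture above, one too short to alert, one POST.
SAMPLES = {
    "long_sid":  "GET /dwn/d.html?sid=" + "A" * 90 + " HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "short_sid": "GET /dwn/d.html?sid=abc123 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "post":      "POST /dwn/d.html?sid=" + "A" * 90 + " HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        v = check_sid_2009174(req)
        print(f"{name:10s} alert={v.matched}  ({v.reason})")
```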


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Vundo EXE Download Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/dwn/d.html?sid="; urilen: > 80; classtype:trojan-activity; sid:2009174; rev:1;)

Added 2009-03-30 10:00:23 UTC


Topic revision: r2 - 2009-04-20 - RussellFulton
Copyright © Emerging Threats