# sid 2010512 rev 8: alerts on an HTTP POST from $HOME_NET to $EXTERNAL_NET
# (established flow, client-to-server) that carries neither a User-Agent nor a
# Referer header and whose request body contains "current_version=" followed by
# a run of 196 characters from [a-z0-9].
# The pcre flags are P (match in the HTTP client body buffer) and i (case-insensitive).
# NOTE(review): the pcre has no anchor after the quantifier, so {196} also matches
# values longer than 196 characters; it should alert on the same traffic as the
# {196,} form used in the rev 7 versions of this rule.
# NOTE(review): both header checks are negated, so a request that does carry a
# User-Agent or Referer header (for example one added by an intermediate proxy)
# will not alert -- confirm sensor placement relative to any proxy.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? FakeSmoke? HTTP POST check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"User-Agent|3a| "; http_header; nocase; content:!"Referer|3a| "; nocase; http_header; content:"current_version="; http_client_body; pcre:"/current_version=[a-z0-9]{196}/Pi"; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; classtype:trojan-activity; sid:2010512; rev:8;)

Added 2013-05-02 22:17:00 UTC


# sid 2010512 rev 7: alerts on an HTTP POST from $HOME_NET to $EXTERNAL_NET
# (established flow, client-to-server) that carries neither a User-Agent nor a
# Referer header and whose request body contains "current_version=" followed by
# 196 or more characters from [a-z0-9].
# The method, header and body checks use the normalized HTTP buffers
# (http_method, http_header, http_client_body); the pcre flags are P (client
# body buffer) and i (case-insensitive).
# NOTE(review): both header checks are negated, so a request that does carry a
# User-Agent or Referer header will not alert -- confirm sensor placement
# relative to any proxy that adds headers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? FakeSmoke? HTTP POST check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"User-Agent|3a| "; http_header; nocase; content:!"Referer|3a| "; nocase; http_header; content:"current_version="; http_client_body; pcre:"/current_version=[a-z0-9]{196,}/Pi"; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; classtype:trojan-activity; sid:2010512; rev:7;)

Added 2011-10-12 19:29:56 UTC


# sid 2010512 rev 7 (classtype listed before the references): alerts on an
# HTTP POST from $HOME_NET to $EXTERNAL_NET (established flow, client-to-server)
# with no User-Agent and no Referer header, whose request body contains
# "current_version=" followed by 196 or more characters from [a-z0-9].
# Matching is done in the normalized HTTP buffers; pcre flag P selects the
# client body buffer and i makes the match case-insensitive.
# NOTE(review): a request that does carry a User-Agent or Referer header will
# not alert, since both header checks are negated.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? FakeSmoke? HTTP POST check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"User-Agent|3a| "; http_header; nocase; content:!"Referer|3a| "; nocase; http_header; content:"current_version="; http_client_body; pcre:"/current_version=[a-z0-9]{196,}/Pi"; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; sid:2010512; rev:7;)

Added 2011-09-14 22:43:08 UTC


# sid 2010512 rev 7 (still carries the cvsweb reference): alerts on an HTTP POST
# from $HOME_NET to $EXTERNAL_NET (established flow, client-to-server) with no
# User-Agent and no Referer header, whose request body contains
# "current_version=" followed by 196 or more characters from [a-z0-9].
# Matching is done in the normalized HTTP buffers (http_method, http_header,
# http_client_body); pcre flag P selects the client body buffer and i makes the
# match case-insensitive.
# NOTE(review): a request that does carry a User-Agent or Referer header will
# not alert, since both header checks are negated.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? FakeSmoke? HTTP POST check-in"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"User-Agent|3a| "; http_header; nocase; content:!"Referer|3a| "; nocase; http_header; content:"current_version="; http_client_body; pcre:"/current_version=[a-z0-9]{196,}/Pi"; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010512; rev:7;)

Added 2011-02-04 17:30:05 UTC


# sid 2010512 rev 4: raw-payload form of the check-in signature (no HTTP buffer
# keywords). "POST " must appear within the first 5 payload bytes (depth:5),
# the CRLF-prefixed "User-Agent: " and "Referer: " header lines must be absent,
# and "current_version=" must directly follow the CRLF CRLF that ends the
# headers, followed by 196 or more [a-z0-9] characters (case-insensitive).
# NOTE(review): these are plain content matches, so detection presumably
# depends on the request line, headers and start of the body being inspected
# together -- confirm against the sensor's stream reassembly settings.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? FakeSmoke? HTTP POST check-in"; flow:established,to_server; content:"POST "; nocase; depth:5; content:!"|0d 0a|User-Agent\: "; nocase; content:!"|0d 0a|Referer\: "; nocase; content:"|0d 0a 0d 0a|current_version="; pcre:"/current_version=[a-z0-9]{196,}/i"; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010512; rev:4;)

Added 2009-12-23 18:30:45 UTC


# sid 2010512 rev 4 (second listing with the same timestamp): raw-payload form
# of the check-in signature. "POST " must appear within the first 5 payload
# bytes (depth:5), the CRLF-prefixed "User-Agent: " and "Referer: " header
# lines must be absent, and "current_version=" must directly follow the
# CRLF CRLF that ends the headers, followed by 196 or more [a-z0-9] characters
# (case-insensitive).
# NOTE(review): no HTTP buffer keywords are used, so the match presumably
# depends on how the sensor reassembles the request -- confirm.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? FakeSmoke? HTTP POST check-in"; flow:established,to_server; content:"POST "; nocase; depth:5; content:!"|0d 0a|User-Agent\: "; nocase; content:!"|0d 0a|Referer\: "; nocase; content:"|0d 0a 0d 0a|current_version="; pcre:"/current_version=[a-z0-9]{196,}/i"; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010512; rev:4;)

Added 2009-12-23 18:30:45 UTC


# sid 2010512 rev 3: raw-payload form of the check-in signature. "POST " must
# appear within the first 5 payload bytes (depth:5), the CRLF-prefixed
# "User-Agent: " and "Referer: " header lines must be absent, and
# "current_version=" must directly follow the CRLF CRLF that ends the headers,
# followed by 196 or more [a-z0-9] characters (case-insensitive).
# NOTE(review): the first reference option has no terminating ';' before the
# next "reference:" keyword, so the two run together as one option value; a
# rule parser may reject the rule or record a malformed reference. The rev 4
# listing of this rule has the ';' in place.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? FakeSmoke? HTTP POST check-in"; flow:established,to_server; content:"POST "; nocase; depth:5; content:!"|0d 0a|User-Agent\: "; nocase; content:!"|0d 0a|Referer\: "; nocase; content:"|0d 0a 0d 0a|current_version="; pcre:"/current_version=[a-z0-9]{196,}/i"; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=7768 reference:url,doc.emergingthreats.net/2010512; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010512; rev:3;)

Added 2009-12-21 23:52:13 UTC


# sid 2010512 rev 3 (second listing with the same timestamp): raw-payload form
# of the check-in signature. Requires "POST " in the first 5 payload bytes, no
# CRLF-prefixed "User-Agent: " or "Referer: " header line, and
# "current_version=" directly after the CRLF CRLF that ends the headers,
# followed by 196 or more [a-z0-9] characters (case-insensitive).
# NOTE(review): the ';' is missing between the first and second reference
# options, so they run together as one option value; a rule parser may reject
# the rule or record a malformed reference.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? FakeSmoke? HTTP POST check-in"; flow:established,to_server; content:"POST "; nocase; depth:5; content:!"|0d 0a|User-Agent\: "; nocase; content:!"|0d 0a|Referer\: "; nocase; content:"|0d 0a 0d 0a|current_version="; pcre:"/current_version=[a-z0-9]{196,}/i"; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=7768 reference:url,doc.emergingthreats.net/2010512; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010512; rev:3;)

Added 2009-12-21 23:52:13 UTC


# sid 2010512 rev 2: raw-payload form of the check-in signature. Requires
# "POST " in the first 5 payload bytes (depth:5), no CRLF-prefixed "User-Agent:"
# or "Referer: " header line, and "current_version=" directly after the
# CRLF CRLF that ends the headers, followed by 196 or more [a-z0-9] characters
# (case-insensitive).
# The User-Agent negation here has no trailing space after the colon, unlike
# the Referer negation in the same rule.
# NOTE(review): the ';' is missing between the first and second reference
# options, so they run together as one option value; a rule parser may reject
# the rule or record a malformed reference.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? FakeSmoke? HTTP POST check-in"; flow:established,to_server; content:"POST "; nocase; depth:5; content:!"|0d 0a|User-Agent\:"; nocase; content:!"|0d 0a|Referer\: "; nocase; content:"|0d 0a 0d 0a|current_version="; pcre:"/current_version=[a-z0-9]{196,}/i"; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=7768 reference:url,doc.emergingthreats.net/2010512; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010512; rev:2;)

Added 2009-12-20 12:45:44 UTC


# sid 2010512 rev 2 (earliest listing on this page): raw-payload form of the
# check-in signature. Requires "POST " in the first 5 payload bytes (depth:5),
# no CRLF-prefixed "User-Agent:" or "Referer: " header line, and
# "current_version=" directly after the CRLF CRLF that ends the headers,
# followed by 196 or more [a-z0-9] characters (case-insensitive).
# NOTE(review): the ';' is missing between the first and second reference
# options, so they run together as one option value; a rule parser may reject
# the rule or record a malformed reference.
# NOTE(review): no HTTP buffer keywords are used, so the match presumably
# depends on how the sensor reassembles the request -- confirm.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? FakeSmoke? HTTP POST check-in"; flow:established,to_server; content:"POST "; nocase; depth:5; content:!"|0d 0a|User-Agent\:"; nocase; content:!"|0d 0a|Referer\: "; nocase; content:"|0d 0a 0d 0a|current_version="; pcre:"/current_version=[a-z0-9]{196,}/i"; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=7768 reference:url,doc.emergingthreats.net/2010512; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010512; rev:2;)

Added 2009-12-20 12:44:49 UTC

