# Flags outbound HTTP requests whose URI contains all four query-parameter
# markers "subid=", "br=", "os=" and "flg=" (a dropper check-in, per the msg).
# - flow:established,to_server limits the match to client-to-server traffic on
#   an established TCP session from $HOME_NET to $EXTERNAL_NET.
# - The four content matches carry no distance/within or nocase modifiers, so
#   they are case-sensitive and may appear in any order within the URI.
# - The rule header only covers destination ports in $HTTP_PORTS; a check-in
#   sent to a port outside that variable is not seen by this rule.
# NOTE(review): "br=" and "os=" are short and also match as the tail of longer
# parameter names (e.g. "pos=", "abbr="), so some false positives on benign
# URLs are to be expected; corroborate an alert with the request path and Host
# header before treating the source host as infected.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Xilcter/Zeus related malware dropper reporting in"; flow:established,to_server; content:"subid="; http_uri; content:"br="; http_uri; content:"os="; http_uri; content:"flg="; http_uri; classtype:trojan-activity; sid:2011827; rev:2;)

Added 2011-10-12 19:32:40 UTC


# Matches on four URI parameter markers only ("subid=", "br=", "os=", "flg=").
# The sample requests recorded on this page also share a /message.php path, an
# id= value of 32 hex characters and a Host made of a 32-hex-character label
# under .co.cc; this rule checks none of those.
# NOTE(review): those fields help when triaging an alert, but three requests
# carrying the same id= value do not show whether they are stable across
# samples; confirm against more traffic before tightening the signature.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Xilcter/Zeus related malware dropper reporting in"; flow:established,to_server; content:"subid="; http_uri; content:"br="; http_uri; content:"os="; http_uri; content:"flg="; http_uri; classtype:trojan-activity; sid:2011827; rev:2;)

Added 2011-02-04 17:31:36 UTC

GET /message.php?subid=10093&br=IE_7.00&os=20&flg=0&id=0F1E5ECC12CC64D557311CE0F083C736&ad=&ver=_if18 HTTP/1.1
Host: 85D53CD2E9A97128870AA3815BE4BC79.co.cc
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Pragma: no-cache
GET /message.php?subid=10093&br=IE_7.00&os=20&flg=0&id=0F1E5ECC12CC64D557311CE0F083C736&ad=&ver=_if18 HTTP/1.1
Host: B1F82E3D98F735B2AE51BAD45F1D832C.co.cc
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Pragma: no-cache
GET /message.php?subid=10093&br=IE_7.00&os=20&flg=0&id=0F1E5ECC12CC64D557311CE0F083C736&ad=&ver=_if18 HTTP/1.1
Host: 10F98D1A10CC6B6547568864C813088C.co.cc
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Pragma: no-cache

-- JackPepper - 25 Apr 2011


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus related malware dropper reporting in"; flow:established,to_server; uricontent:"subid="; uricontent:"br="; uricontent:"os="; uricontent:"flg="; classtype:trojan-activity; sid:2011827; rev:2;)

Topic revision: r2 - 2011-04-25 - JackPepper
 