# sid 2012865 rev 11, `alert http` protocol form (carries created_at/updated_at metadata).
# Fires on an outbound, established HTTP POST (method compared case-insensitively) whose
# client body begins with the 10-byte prefix "GIF89a" + 50 00 00 00 (depth:10 pins it to the
# very start of the body; also the fast_pattern), whose raw header block contains exactly
# "\nContent-Length: 90\r\n", and whose URI (pcre /U) matches the anchored ^/.../.../.../$
# letter/digit-group layout. A rev 11 with the same keywords but tcp/$HTTP_PORTS and no
# metadata also exists below; the `{1}` quantifiers in the pcre are redundant (one char each).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Vinself Backdoor Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"GIF89a|50 00 00 00|"; http_client_body; depth:10; fast_pattern; content:"|0A|Content-Length|3A| 90|0D 0A|"; http_header; pcre:"/^\/[A-Z]{1}[0-9]{1,3}\/[A-X]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/[A-Z]{1}[0-9]{4,5}[A-M]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/$/Um"; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; classtype:trojan-activity; sid:2012865; rev:11; metadata:created_at 2010_12_22, updated_at 2010_12_22;)

Added 2017-08-07 21:06:04 UTC


# sid 2012865 rev 11, tcp/$HTTP_PORTS form. Detection keywords are identical to the
# `alert http` rev 11 above (case-insensitive POST, "GIF89a"+50 00 00 00 body prefix at
# depth 10, "Content-Length: 90" header, anchored URI pcre); it differs only in the
# protocol/port declaration and in having no metadata keyword.
# Compared with rev 10, the `Accept-Language: zh-zh` header requirement has been dropped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vinself Backdoor Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"GIF89a|50 00 00 00|"; http_client_body; depth:10; fast_pattern; content:"|0A|Content-Length|3A| 90|0D 0A|"; http_header; pcre:"/^\/[A-Z]{1}[0-9]{1,3}\/[A-X]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/[A-Z]{1}[0-9]{4,5}[A-M]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/$/Um"; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; classtype:trojan-activity; sid:2012865; rev:11;)

Added 2014-04-14 19:22:50 UTC


# sid 2012865 rev 10. Same body-prefix / Content-Length / anchored-URI logic as rev 11, plus
# an additional http_header match on "Accept-Language: zh-zh" that rev 11 removes.
# The change from rev 9 is the `nocase` added to the POST method match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vinself Backdoor Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Accept-Language|3a| zh-zh"; http_header; content:"GIF89a|50 00 00 00|"; http_client_body; depth:10; fast_pattern; content:"|0A|Content-Length|3A| 90|0D 0A|"; http_header; pcre:"/^\/[A-Z]{1}[0-9]{1,3}\/[A-X]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/[A-Z]{1}[0-9]{4,5}[A-M]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/$/Um"; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; classtype:trojan-activity; sid:2012865; rev:10;)

Added 2012-03-19 23:39:13 UTC


# sid 2012865 rev 9: first revision with the current detection shape. Replaces the rev 5-7
# logic (dsize:<500, bare "GIF89a", loose unanchored pcre) with the 10-byte body prefix at
# depth 10 as fast_pattern, an exact "Content-Length: 90" header match, an
# "Accept-Language: zh-zh" header match, and a fully anchored (^...$) URI pcre.
# POST is matched case-sensitively here; `nocase` arrives in rev 10.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vinself Backdoor Checkin"; flow:established,to_server; content:"POST"; http_method; content:"Accept-Language|3a| zh-zh"; http_header; content:"GIF89a|50 00 00 00|"; http_client_body; depth:10; fast_pattern; content:"|0A|Content-Length|3A| 90|0D 0A|"; http_header; pcre:"/^\/[A-Z]{1}[0-9]{1,3}\/[A-X]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/[A-Z]{1}[0-9]{4,5}[A-M]{1}[0-9]{1,2}[A-Z]{1}[0-9]{1,2}\/$/Um"; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; classtype:trojan-activity; sid:2012865; rev:9;)

Added 2011-11-11 17:39:39 UTC


# sid 2012865 rev 7: the rev 6 rule disabled (leading `#`); keywords are otherwise identical.
# Note the defect in the pcre: `[A-Z}` uses `}` where `]` was intended, so the character class
# runs on until the `]` after the second `[A-Z`, and the expression reduces to "/" + one
# character from that merged class + one or more digits — far looser than the intended
# /<letter><1-3 digits>/<letter><digits> form. Rev 9 replaces the pcre entirely.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vinself Backdoor Checkin"; flow:established,to_server; dsize:<500; content:"POST"; http_method; content:"GIF89a"; depth:6; http_client_body; pcre:"/\/[A-Z}\d{1,3}\/[A-Z]\d+/U"; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; classtype:trojan-activity; sid:2012865; rev:7;)

Added 2011-11-04 18:07:46 UTC


# sid 2012865 rev 6. Moves the body check from a raw "\r\n\r\nGIF89a" payload match (rev 5)
# to `content:"GIF89a"; depth:6; http_client_body`, i.e. the first six bytes of the
# normalized client body. Still limited to packets under 500 bytes via dsize:<500 and still
# carries the unanchored URI pcre with the `[A-Z}` typo (`}` for `]`), which merges the
# intended two character classes into one and weakens the URI constraint.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vinself Backdoor Checkin"; flow:established,to_server; dsize:<500; content:"POST"; http_method; content:"GIF89a"; depth:6; http_client_body; pcre:"/\/[A-Z}\d{1,3}\/[A-Z]\d+/U"; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; classtype:trojan-activity; sid:2012865; rev:6;)

Added 2011-11-03 17:33:47 UTC


# sid 2012865 rev 5 (later of two rev-5 entries). Matches POST packets under 500 bytes whose
# raw payload contains the header/body boundary "\r\n\r\n" immediately followed by "GIF89a"
# (no http_client_body buffer yet), plus an unanchored URI pcre. The pcre contains the
# `[A-Z}` typo (`}` instead of `]`) that persists through rev 7. Differs from the other
# rev 5 line only in the order of the reference and classtype keywords.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vinself Backdoor Checkin"; flow:established,to_server; dsize:<500; content:"POST"; http_method; content:"|0d 0a 0d 0a|GIF89a"; pcre:"/\/[A-Z}\d{1,3}\/[A-Z]\d+/U"; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; classtype:trojan-activity; sid:2012865; rev:5;)

Added 2011-10-12 19:35:24 UTC


# sid 2012865 rev 5 (earliest entry on this page). Raw-payload match on "\r\n\r\nGIF89a" in
# POST packets under 500 bytes, with an unanchored URI pcre whose `[A-Z}` typo (`}` for `]`)
# collapses the intended letter/digit classes into a single class. Same rev number and same
# keywords as the line above; only the classtype/reference order differs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vinself Backdoor Checkin"; flow:established,to_server; dsize:<500; content:"POST"; http_method; content:"|0d 0a 0d 0a|GIF89a"; pcre:"/\/[A-Z}\d{1,3}\/[A-Z]\d+/U"; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2010/11/winself-a-new-backdoor-in-town.html; sid:2012865; rev:5;)

Added 2011-05-26 22:27:20 UTC

