EmergingThreats > Main Web > 2012871 (2011-11-23, MrKrugger)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi posting form data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"name=\"upload_file\""; http_client_body; content:"URL|3a|"; http_client_body; classtype:trojan-activity; sid:2012871; rev:4; metadata:created_at 2011_05_27, updated_at 2011_05_27;)

Added 2017-08-07 21:06:04 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gozi posting form data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"name=\"upload_file\""; http_client_body; content:"URL|3a|"; http_client_body; classtype:trojan-activity; sid:2012871; rev:4;)

Added 2015-01-14 16:59:13 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi posting form data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"name=\"upload_file\""; http_client_body; content:"URL|3a|"; http_client_body; classtype:trojan-activity; sid:2012871; rev:3;)

Added 2012-03-20 17:59:11 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi posting form data"; flow:established,to_server; content:"POST"; http_method; content:"name=\"upload_file\""; http_client_body; content:"URL|3a|"; http_client_body; classtype:trojan-activity; sid:2012871; rev:2;)

Added 2011-10-12 19:35:25 UTC

Detects a Gozi-like communication pattern. Trigger: Content-Disposition: form-data; name="upload_file"; filename="2439825354.1394622"

2007 research on Gozi: http://www.secureworks.com/research/threats/gozi/

More recent versions use other URLs to submit data.

-- MrKrugger - 23 Nov 2011
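To make the rule's matching logic concrete, the following added Python example (not part of the Emerging Threats page or ruleset) emulates the three content checks of sid:2012871 over constructed raw HTTP requests. It splits a request into the two buffers the rule inspects (http_method and http_client_body), applies the same byte patterns, and exposes the difference between rev:2 and the later revisions, where nocase was added to the method match. The sample requests, the host name and the form field values are constructed for the example; flow:established,to_server is not emulated because it depends on TCP session state rather than request content.

```python
"""Emulation of the content matches in ET TROJAN sid:2012871 (added example)."""
from dataclasses import dataclass

# Byte patterns copied from the rule. content:"URL|3a|" uses the |3a| hex
# escape for ':' so the pattern is the literal bytes b"URL:".
METHOD_PATTERN = b"POST"                                  # content:"POST"; http_method;
BODY_PATTERNS = (b'name="upload_file"', b"URL:")          # both http_client_body


@dataclass
class HttpRequest:
    method: bytes   # the http_method buffer
    body: bytes     # the http_client_body buffer


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into the method and client-body buffers."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no header/body separator")
    request_line = head.split(b"\r\n", 1)[0]
    method = request_line.split(b" ", 1)[0]
    return HttpRequest(method=method, body=body)


def matches_rule(req: HttpRequest, nocase_method: bool = True) -> bool:
    """Return True when all three content matches of the rule succeed.

    nocase_method=True mirrors rev:3 and rev:4 (content:"POST"; nocase;);
    nocase_method=False mirrors rev:2, where the method match is case-sensitive.
    Each content keyword is a substring match on its buffer, so we test
    containment rather than equality.
    """
    haystack = req.method.upper() if nocase_method else req.method
    if METHOD_PATTERN not in haystack:
        return False
    return all(pattern in req.body for pattern in BODY_PATTERNS)


def evaluate(raw: bytes, nocase_method: bool = True) -> bool:
    """Parse a raw request and report whether the rule would fire on it."""
    return matches_rule(parse_request(raw), nocase_method)


# Constructed sample traffic (host and values are placeholders, not real IoCs).
# The Content-Disposition header is the trigger line quoted in the page comment.
MULTIPART_BODY = (
    b"------boundary\r\n"
    b'Content-Disposition: form-data; name="upload_file"; filename="2439825354.1394622"\r\n'
    b"\r\n"
    b"URL: http://example.invalid/form\r\n"
    b"field1=value1&field2=value2\r\n"
    b"------boundary--\r\n"
)
HEADERS = (
    b"Host: example.invalid\r\n"
    b"Content-Type: multipart/form-data; boundary=----boundary\r\n"
    b"\r\n"
)
SAMPLE_HIT = b"POST /upload HTTP/1.1\r\n" + HEADERS + MULTIPART_BODY
# Lower-case method: only the nocase revisions (rev:3+) match this one.
SAMPLE_LOWERCASE = b"post /upload HTTP/1.1\r\n" + HEADERS + MULTIPART_BODY
# Ordinary file upload with the same field name but no "URL:" line: no match.
SAMPLE_BENIGN = b"POST /upload HTTP/1.1\r\n" + HEADERS + MULTIPART_BODY.replace(b"URL:", b"ref:")


if __name__ == "__main__":
    for label, raw in (("hit", SAMPLE_HIT), ("lowercase", SAMPLE_LOWERCASE), ("benign", SAMPLE_BENIGN)):
        print(f"{label:10s} rev2={evaluate(raw, nocase_method=False)!s:5s} "
              f"rev3+={evaluate(raw)!s}")
```

The three-way split in the samples is the point of the exercise: the rule needs all three patterns, so a normal multipart upload that happens to use the field name upload_file does not fire, while the nocase keyword introduced in rev:3 widens the method match to any capitalisation of POST.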


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi posting form data"; flow:established,to_server; content:"POST"; http_method; content:"name=\"upload_file\""; http_client_body; content:"URL|3a|"; http_client_body; classtype:trojan-activity; sid:2012871; rev:2;)

Added 2011-05-26 22:27:21 UTC


Topic revision: r2 - 2011-11-23 - MrKrugger
This site is powered by the TWiki collaboration platform. Copyright © Emerging Threats