# sid:2013935 rev:8 - heuristic (note the "?" in msg) for DNS TXT answers of one fixed size
# that do not look like SPF/DKIM mail-authentication records.
# Header: UDP, source port 53, any source address, destination $HOME_NET. There is no flow
#   keyword or DNS-header test, so only the payload bytes below tie a packet to a DNS answer.
# |C0 0C 00 10 00 01| = compressed owner name (pointer to offset 12), TYPE 0x0010 (TXT), CLASS 0x0001 (IN).
# |00 dd dc| with distance:4 (skips the 4-byte TTL) = RDLENGTH 0x00dd (221) and a first
#   TXT string length of 0xdc (220).
# The negated contents exclude benign TXT data: v=, p=, spf1, spf2.0/, the "|" byte (0x7c) and _domainkey.
#   !"spf2.0/" and !"_domainkey" have no distance modifier, so they apply to the whole payload,
#   including the query name in the question section. This revision adds !"p=" relative to rev:7.
# NOTE(review): no nocase is set, so differently cased tags or names are not excluded - confirm FP rate.
# NOTE(review): only UDP answers whose owner name is the 0xC00C pointer are covered; DNS over TCP
#   or encrypted DNS transports are outside what this rule can see.
alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC? Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"p="; distance:0; content:!"spf2.0/"; content:!"spf1"; distance:0; content:!"|7c|"; distance:0; content:!"_domainkey"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013935; rev:8; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2011_11_21, performance_impact Low, updated_at 2018_03_05;)

Added 2018-03-09 18:34:15 UTC


# sid:2013935 rev:7 - positive match is the TXT/IN answer header |C0 0C 00 10 00 01| followed,
# after the 4-byte TTL, by RDLENGTH 0x00dd and a TXT string length of 0xdc.
# Versus rev:6 this adds the !"spf1" exclusion and the expanded metadata fields. !"spf2.0/" no longer
#   carries distance:0, so it is evaluated against the whole payload instead of relative to the prior match.
# NOTE(review): rev:8 adds !"p=", which suggests TXT strings carrying only a p= tag still alerted
#   under this revision - confirm before reusing it.
alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC? Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"spf2.0/"; content:!"spf1"; distance:0; content:!"|7c|"; distance:0; content:!"_domainkey"; metadata: former_category TROJAN; classtype:trojan-activity; sid:2013935; rev:7; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_and_Server, deployment Perimeter, signature_severity Major, created_at 2011_11_21, performance_impact Low, updated_at 2018_03_05;)

Added 2018-03-05 16:19:12 UTC


# sid:2013935 rev:6 (republished with metadata) - detection options are the same as the other rev:6
# entry on this page; only metadata:created_at/updated_at was appended and the rev number is unchanged.
# Match: TXT/IN answer header |C0 0C 00 10 00 01|, then RDLENGTH 0x00dd and string length 0xdc after the TTL.
# Exclusions: v=, spf2.0/, the "|" byte (0x7c), and _domainkey anywhere in the payload.
alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC? Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"spf2.0/"; distance:0; content:!"|7c|"; distance:0; content:!"_domainkey"; classtype:trojan-activity; sid:2013935; rev:6; metadata:created_at 2011_11_21, updated_at 2011_11_21;)

Added 2017-08-07 21:07:14 UTC


# sid:2013935 rev:6 - adds content:!"_domainkey" to the rev:5 logic.
# The new exclusion has no distance modifier, so it is tested against the whole payload. That matters
#   because the query name sits in the question section, before the |C0 0C 00 10 00 01| answer header
#   that the relative (distance:0) exclusions are anchored behind.
# NOTE(review): this appears to address the _domainkey false positive reported at the bottom of this page;
#   the match is case-sensitive, so a differently cased label would not be excluded - confirm.
alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC? Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"spf2.0/"; distance:0; content:!"|7c|"; distance:0; content:!"_domainkey"; classtype:trojan-activity; sid:2013935; rev:6;)

Added 2016-05-09 17:18:53 UTC


# sid:2013935 rev:5 - adds content:!"|7c|" (the ASCII "|" byte) after the answer header match.
# Match: TXT/IN answer header |C0 0C 00 10 00 01|, then RDLENGTH 0x00dd and string length 0xdc after the TTL.
# NOTE(review): the page does not record which benign TXT format the "|" exclusion targets - confirm
#   against the rule changelog before relying on it.
alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC? Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"spf2.0/"; distance:0; content:!"|7c|"; distance:0; classtype:trojan-activity; sid:2013935; rev:5;)

Added 2015-09-01 19:02:24 UTC


# sid:2013935 rev:4 - adds content:!"spf2.0/" so TXT data carrying that version string is not alerted on.
# Match: TXT/IN answer header |C0 0C 00 10 00 01|, then RDLENGTH 0x00dd and string length 0xdc after the TTL.
# Both exclusions use distance:0, i.e. they are evaluated relative to the earlier match, not the whole payload.
alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC? Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"spf2.0/"; distance:0; classtype:trojan-activity; sid:2013935; rev:4;)

Added 2014-11-13 22:18:28 UTC


# sid:2013935 rev:3 - replaces the rev:2 exclusion !"spf" with the broader !"v=".
# Match: TXT/IN answer header |C0 0C 00 10 00 01|, then RDLENGTH 0x00dd and string length 0xdc after the TTL.
# NOTE(review): "v=" is a two-byte, case-sensitive exclusion; any otherwise matching response that
#   contains those bytes after the header is suppressed, so treat the rule as a heuristic and
#   correlate with other DNS telemetry rather than relying on it alone.
alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC? Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; classtype:trojan-activity; sid:2013935; rev:3;)

Added 2014-10-16 13:51:50 UTC


# sid:2013935 rev:2 - earliest revision shown on this page.
# Match: UDP from source port 53 to $HOME_NET containing a TXT/IN answer header |C0 0C 00 10 00 01|
#   and, after the 4-byte TTL, RDLENGTH 0x00dd with a TXT string length of 0xdc.
# Only exclusion: the literal "spf" after the header match.
# NOTE(review): TXT answers of this size that lack "spf" still alert; the _domainkey false-positive
#   report at the bottom of this page is dated while this revision was the newest one listed.
alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC? Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"spf"; distance:0; classtype:trojan-activity; sid:2013935; rev:2;)

Added 2011-11-28 17:47:28 UTC

False positive (FP) on _domainkey TXT query responses, for example the response to "dig ecos4._domainkey.mail.pizzaexpress.com TXT".

-- StephaneChazelas - 2013-11-11


Topic revision: r2 - 2013-11-11 - StephaneChazelas
 