alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Checkin Generic"; flow:established,to_server; content:"GET "; depth:4; content:"/1/?"; within:4; fast_pattern; content:" HTTP"; distance:1; within:5; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; pcre:"/GET \/1\/\?\w HTTP\/1\.1\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a .+?(\x3a(443|8080|900[0-9]))?\x0d\x0a\x0d\x0a$/i"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:trojan-activity; sid:2015976; rev:2;)

Added 2012-12-03 21:50:52 UTC
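As an added illustration that is not part of the Emerging Threats page, the following Python ports the rule's pcre and its ordered content checks and runs them over constructed HTTP requests (host names and helper names are assumptions). It also shows a caveat worth knowing when tuning the signature: the lazy `.+?` before the optional port group absorbs any port, so `(443|8080|900[0-9])` in the pcre does not constrain the Host header; only the destination-port list in the rule header limits ports.

```python
import re

# Python port of the rule's pcre with the \xNN escapes expanded: a GET for
# /1/?<one word char> over HTTP/1.1, the fixed MSIE 7.0 / SV1 User-Agent,
# then a Host header (optional :443/:8080/:900x) that ends the request.
VOBFUS_CHECKIN_RE = re.compile(
    rb"GET /1/\?\w HTTP/1\.1\r\n"
    rb"User-Agent: Mozilla/4\.0 \(compatible; MSIE 7\.0; Windows NT 5\.1; SV1\)\r\n"
    rb"Host: .+?(:(443|8080|900[0-9]))?\r\n\r\n$",
    re.IGNORECASE,
)

# content:"Mozilla/4.0 (compatible|3b| ... SV1)|0d 0a|" with |3b| = ';' and |0d 0a| = CRLF
USER_AGENT = b"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)\r\n"


def content_prefilter(payload: bytes) -> bool:
    """The rule's content matches, evaluated with Snort-style relative offsets.

    "GET " inside the first 4 bytes (depth:4), "/1/?" right after it (within:4),
    one skipped byte (distance:1) followed by " HTTP" (within:5), and the
    User-Agent line anywhere after that.
    """
    return (payload[:4] == b"GET "
            and payload[4:8] == b"/1/?"
            and payload[9:14] == b" HTTP"
            and USER_AGENT in payload[14:])


def matches_vobfus_checkin(payload: bytes) -> bool:
    """True only when both the content prefilter and the pcre accept the request."""
    return content_prefilter(payload) and VOBFUS_CHECKIN_RE.search(payload) is not None


def checkin_request(path_char: bytes, host: bytes) -> bytes:
    """Constructed test data: an HTTP request shaped like the check-in the rule describes."""
    return (b"GET /1/?" + path_char + b" HTTP/1.1\r\nUser-Agent: " + USER_AGENT
            + b"Host: " + host + b"\r\n\r\n")


if __name__ == "__main__":
    hit = checkin_request(b"a", b"c2.example.invalid:8080")        # constructed host
    two_chars = checkin_request(b"ab", b"c2.example.invalid")      # \w allows one char only
    odd_port = checkin_request(b"a", b"c2.example.invalid:8000")   # port not in the pcre list
    print(matches_vobfus_checkin(hit), matches_vobfus_checkin(two_chars),
          matches_vobfus_checkin(odd_port))  # True False True
```

The last result is the caveat from the lead-in: a Host with port 8000 still satisfies the pcre, so the header's port list, not the regex, decides which destination ports the rule covers.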


Topic revision: r1 - 2012-12-04 - TWikiGuest