# sid:2021690 rev:7 -- "ET TROJAN MWI Maldoc Stats Callout Aug 18 2015" (metadata: created 2015_08_18, updated 2017_12_07).
# Alerts on an established client->server HTTP request from $HOME_NET to $EXTERNAL_NET whose URI is
# /img.jpg, /img.php or /image.php with ?id=<one or more digits>, optionally followed by exactly one
# &data= or &bid= parameter and then end of URI (the two http_uri contents pre-filter, the /U pcre decides).
# User-Agent must contain "office" (nocase, fast_pattern) and the /V pcre additionally requires "ms-office"
# or "msoffice" in the User-Agent buffer. That pcre carries no i flag, so it is case-sensitive even though
# the content match is nocase -- NOTE(review): earlier revisions of this sid matched case-insensitively;
# confirm the tighter match is intended and does not drop hits on differently-cased UA strings.
# The three negated http_host contents (.money-media.com, ad.payclick.it, sellercore.com) are exclusions,
# presumably to suppress known benign traffic that otherwise fits the URI/UA pattern.
# reference:md5 identifies the sample the rule was derived from; former_category records the prior category.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Aug 18 2015"; flow:established,to_server; content:"/im"; http_uri; content:"?id="; http_uri; pcre:"/\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/U"; content:"office"; http_user_agent; nocase; fast_pattern; pcre:"/ms-?office/V"; content:!".money-media.com"; http_host; content:!"ad.payclick.it"; http_host; content:!"sellercore.com"; http_host; metadata: former_category TROJAN; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:7; metadata:created_at 2015_08_18, updated_at 2017_12_07;)

Added 2017-12-07 16:36:01 UTC


# sid:2021690 rev:6 (metadata: created 2015_08_18, updated 2015_08_18).
# Established client->server HTTP request whose URI is /img.jpg, /img.php or /image.php with ?id=<digits>
# and at most one trailing &data= or &bid= parameter before end of URI (/U pcre on the normalized URI).
# User-Agent must contain "office" (nocase, fast_pattern:only); the /Hmi pcre then requires, case-insensitively,
# a raw header line starting "User-Agent: " that contains "ms-office" or "msoffice" somewhere after it.
# The negated http_header content excludes requests where any header line ends in ".money-media.com"
# (|0d 0a| is the CRLF line terminator), presumably a false-positive exclusion.
# reference:md5 identifies the sample the rule was derived from.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Aug 18"; flow:established,to_server; content:"/im"; http_uri; content:"?id="; http_uri; pcre:"/\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/U"; content:"office"; http_user_agent; nocase; fast_pattern:only; pcre:"/^User-Agent\x3a\x20[^\x0d\x0a]+?ms-?office/Hmi"; content:!".money-media.com|0d 0a|"; nocase; http_header; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:6; metadata:created_at 2015_08_18, updated_at 2015_08_18;)

Added 2017-08-07 21:16:25 UTC


# sid:2021690 rev:6 (no metadata keyword in this copy of the revision).
# URI must be /img.jpg, /img.php or /image.php with ?id=<digits> and at most one trailing &data= or &bid=
# parameter (/U pcre); User-Agent must contain "office" (nocase, fast_pattern:only) and the raw-header
# /Hmi pcre requires a "User-Agent: " line containing "ms-office" or "msoffice", case-insensitively.
# Negated http_header content excludes any header line ending in ".money-media.com" followed by CRLF.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Aug 18"; flow:established,to_server; content:"/im"; http_uri; content:"?id="; http_uri; pcre:"/\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/U"; content:"office"; http_user_agent; nocase; fast_pattern:only; pcre:"/^User-Agent\x3a\x20[^\x0d\x0a]+?ms-?office/Hmi"; content:!".money-media.com|0d 0a|"; nocase; http_header; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:6;)

Added 2015-11-20 17:44:08 UTC


# sid:2021690 rev:6 (no metadata keyword in this copy of the revision).
# URI must be /img.jpg, /img.php or /image.php with ?id=<digits> and at most one trailing &data= or &bid=
# parameter (/U pcre); User-Agent must contain "office" (nocase, fast_pattern:only) and the raw-header
# /Hmi pcre requires a "User-Agent: " line containing "ms-office" or "msoffice", case-insensitively.
# Negated http_header content excludes any header line ending in ".money-media.com" followed by CRLF.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Aug 18"; flow:established,to_server; content:"/im"; http_uri; content:"?id="; http_uri; pcre:"/\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+((?:&data=|&bid=)[^&]*?)?$/U"; content:"office"; http_user_agent; nocase; fast_pattern:only; pcre:"/^User-Agent\x3a\x20[^\x0d\x0a]+?ms-?office/Hmi"; content:!".money-media.com|0d 0a|"; nocase; http_header; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:6;)

Added 2015-10-20 18:40:03 UTC


# sid:2021690 rev:5.
# URI must be /img.jpg, /img.php or /image.php with ?id=<digits>, optionally followed by a single &data=
# parameter before end of URI (this revision does not yet accept &bid=).
# User-Agent must contain "office" (nocase, fast_pattern:only) and match ms-?office case-insensitively
# (/Vi pcre against the http_user_agent buffer).
# Negated http_header content excludes any header line ending in ".money-media.com" followed by CRLF,
# presumably a false-positive exclusion added in this revision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Aug 18"; flow:established,to_server; content:"/im"; http_uri; content:"?id="; http_uri; pcre:"/\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+(?:&data=[^&]*?)?$/U";content:"office"; http_user_agent; nocase; fast_pattern:only; pcre:"/ms-?office/Vi"; content:!".money-media.com|0d 0a|"; nocase; http_header; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:5;)

Added 2015-08-20 18:07:34 UTC


# sid:2021690 rev:4.
# URI must be /img.jpg, /img.php or /image.php with ?id=<digits>, optionally followed by a single &data=
# parameter before end of URI; User-Agent must contain "office" (nocase, fast_pattern:only) and match
# ms-?office case-insensitively (/Vi pcre). No host/header exclusions in this revision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Aug 18"; flow:established,to_server; content:"/im"; http_uri; content:"?id="; http_uri; pcre:"/\/im(?:g\.(?:jpg|php)|age\.php)\?id=\d+(?:&data=[^&]*?)?$/U";content:"office"; http_user_agent; nocase; fast_pattern:only; pcre:"/ms-?office/Vi"; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:4;)

Added 2015-08-19 19:00:26 UTC


# sid:2021690 rev:3.
# URI pcre /im[^\x3f]*\?id=\d+(?:&data=[^&]*?)?$/U matches "im" followed by any run of non-"?" characters,
# then ?id=<digits> and an optional &data= parameter at end of URI. This is much looser than the later
# revisions of this sid, which pin the path to /img.jpg, /img.php or /image.php -- any URI containing "im"
# before the query string qualifies here, which is a likely source of false positives.
# User-Agent must contain "office" (nocase, fast_pattern:only) and match ms-?office case-insensitively (/Vi).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Aug 18"; flow:established,to_server; content:"/im"; http_uri; content:"?id="; http_uri; pcre:"/im[^\x3f]*\?id=\d+(?:&data=[^&]*?)?$/U"; content:"office"; http_user_agent; nocase; fast_pattern:only; pcre:"/ms-?office/Vi"; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:3;)

Added 2015-08-18 19:40:28 UTC


# sid:2021690 rev:3 (same rule text as the other rev:3 entries on this page).
# URI pcre matches "im", any run of non-"?" characters, then ?id=<digits> with an optional &data=
# parameter at end of URI -- looser than the later /img.jpg|/img.php|/image.php form.
# User-Agent must contain "office" (nocase, fast_pattern:only) and match ms-?office case-insensitively (/Vi).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Aug 18"; flow:established,to_server; content:"/im"; http_uri; content:"?id="; http_uri; pcre:"/im[^\x3f]*\?id=\d+(?:&data=[^&]*?)?$/U"; content:"office"; http_user_agent; nocase; fast_pattern:only; pcre:"/ms-?office/Vi"; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:3;)

Added 2015-08-18 19:30:36 UTC


# sid:2021690 rev:3 (initial form of the rule; same text as the other rev:3 entries on this page).
# URI pcre matches "im", any run of non-"?" characters, then ?id=<digits> with an optional &data=
# parameter at end of URI -- looser than the later /img.jpg|/img.php|/image.php form.
# User-Agent must contain "office" (nocase, fast_pattern:only) and match ms-?office case-insensitively (/Vi).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN MWI Maldoc Stats Callout Aug 18"; flow:established,to_server; content:"/im"; http_uri; content:"?id="; http_uri; pcre:"/im[^\x3f]*\?id=\d+(?:&data=[^&]*?)?$/U"; content:"office"; http_user_agent; nocase; fast_pattern:only; pcre:"/ms-?office/Vi"; reference:md5,2c9f2a84a346e29c3b262ca1d2d2f123; classtype:trojan-activity; sid:2021690; rev:3;)

Added 2015-08-18 19:18:40 UTC

