EmergingThreats> Main Web>2006382 (revision 2)EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Matcash or related downloader User-Agent Detected"; flow:established,to_server; content:"User-Agent\: x"; pcre:"/x\w\wx\w\w\!x\w\wx\w\wx\w\w/"; classtype:trojan-activity; reference:url,doc.bleedingthreats.net/2006382; sid:2006382; rev:1;)

Added 2007-07-09 02:59:49 UTC

Seeing hits like so:

GET http://dl.mcboo.com/z/a8f5a020e4b833865a1034489887c8b9.zip User-Agent: xefx16!xd0xf2x91xedx11G

This ought to catch it

-- MattJonkman - 09 Jul 2007


Edit | Attach | Print version | History: r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r2 - 2007-07-09 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats