alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Asprox CnC? Beacon"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; fast_pattern:32,20; http_user_agent; pcre:"/Host\x3a[^\r\n\x3a]+?\x3a\d{1,5}\r\n/H"; pcre:"/^\x2F[a-f0-9]{40,60}$/Ui"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016528; rev:6; metadata:created_at 2013_03_04, former_category MALWARE, updated_at 2020_12_10;)

Added 2020-12-11 18:27:46 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Asprox CnC? Beacon"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; fast_pattern:32,20; http_user_agent; pcre:"/Host\x3a[^\r\n\x3a]+?\x3a\d{1,5}\r\n/H"; pcre:"/^\x2F[a-f0-9]{40,60}$/Ui"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016528; rev:6; metadata:created_at 2013_03_04, former_category MALWARE, updated_at 2020_04_29;)

Added 2020-08-05 19:08:55 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Asprox CnC? Beacon"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; fast_pattern:32,20; http_user_agent; pcre:"/Host\x3a[^\r\n\x3a]+?\x3a\d{1,5}\r\n/H"; pcre:"/^\x2F[a-f0-9]{40,60}$/Ui"; metadata: former_category MALWARE; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016528; rev:6; metadata:created_at 2013_03_04, updated_at 2020_04_29;)

Added 2020-04-30 19:07:46 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Asprox CnC? Beacon"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; fast_pattern:32,20; http_user_agent; pcre:"/Host\x3a[^\r\n\x3a]+?\x3a\d{1,5}\r\n/H"; pcre:"/^\x2F[a-f0-9]{40,60}$/Ui"; metadata: former_category MALWARE; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016528; rev:6; metadata:created_at 2013_03_04, updated_at 2020_04_29;)

Added 2020-04-29 19:34:23 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Asprox CnC? Beacon"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; fast_pattern:32,20; http_user_agent; pcre:"/Host\x3a[^\r\n\x3a]+?\x3a\d{1,5}\r\n/H"; pcre:"/^\x2F[a-f0-9]{40,60}$/Ui"; metadata: former_category MALWARE; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016528; rev:6; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

Added 2019-09-19 19:25:55 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Asprox CnC? Beacon"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; fast_pattern:32,20; http_user_agent; pcre:"/Host\x3a[^\r\n\x3a]+?\x3a\d{1,5}\r\n/H"; pcre:"/^\x2F[a-f0-9]{40,60}$/Ui"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016528; rev:6; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

Added 2018-09-13 19:46:31 UTC


Added 2018-09-13 17:57:24 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Asprox CnC? Beacon"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; fast_pattern:32,20; http_user_agent; pcre:"/Host\x3a[^\r\n\x3a]+?\x3a\d{1,5}\r\n/H"; pcre:"/^\x2F[a-f0-9]{40,60}$/Ui"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016528; rev:6; metadata:created_at 2013_03_04, updated_at 2013_03_04;)

Added 2017-08-07 21:10:16 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Asprox CnC? Beacon"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; fast_pattern:30,20; pcre:"/\r\nHost\x3a[^\r\n\x3a]+?\x3a\d{1,5}\r\n/"; pcre:"/^POST \x2F[a-f0-9]{40,60}\x20/i"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016528; rev:4;)

Added 2014-05-06 16:34:16 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Asprox CnC? Beacon"; flow:established,to_server; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 6.0b|3B| Windows NT 5.0|3B| .NET CLR"; http_header; fast_pattern:44,20; content:"|3A|8080|0D 0A|"; http_header; pcre:"/^\x2F[a-f0-9]{40,60}$/Ui"; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf; classtype:trojan-activity; sid:2016528; rev:2;)

Added 2013-03-04 21:43:03 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit KIt seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form|0d 0a|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015647; rev:2;)

Added 2012-08-20 18:42:02 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Gh0st Checkin (7 Byte keyword)"; flow:to_server,established; content:"|00 00|"; offset:9; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,7,little; pcre:"/^[a-z0-9]{7}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2016528; rev:2;)

Added 2012-08-15 18:25:23 UTC


Topic revision: r1 - 2020-12-11 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats