# sid:2017368 rev:3. Shipped commented out, so the engine skips it unless the leading '#' is removed.
# The page gives no reason for the rule being disabled.
# Matches an outbound HTTP request ($HOME_NET -> $EXTERNAL_NET, established, to_server) where:
#   - the URI starts with "/search?query=" (content + depth:14 on http_uri)
#   - 8 characters from [A-Z0-9] follow (pcre: /U = URI buffer, /R = relative to the previous match)
#   - "&sort=relevance" comes next; within:15 equals the length of that string, so it has to sit
#     directly after the previous match (presumably the relative pcre; confirm on your engine version)
#   - the host buffer contains "groups.yahoo.com" (http_host)
#   - the header-name list has no "Referer" entry (http_header_names with a negated content)
# References: two sample MD5s and the welivesecurity write-up on the Avatar rootkit.
# NOTE(review): the http_host content is a plain substring with no start/end anchoring, so a longer
#   hostname that merely contains "groups.yahoo.com" would also satisfy it. Confirm this is intended.
# NOTE(review): nothing anchors the end of the URI (rev 2 on this page used a trailing '$' in its pcre),
#   so extra parameters after "&sort=relevance" still match.
# NOTE(review): the destination is a legitimate service and the msg itself says "Possible ... ?";
#   treat a hit as a lead to corroborate with host evidence, not as confirmation of infection.
#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Avatar RootKit? Yahoo Group Search"; flow:to_server,established; content:"/search?query="; http_uri; depth:14; pcre:"/^[A-Z0-9]{8}/UR"; content:"&sort=relevance"; within:15; http_uri; content:"groups.yahoo.com"; http_host; http_header_names; content:!"Referer|0d 0a|"; reference:md5,7b6409fc32c70908a9468eaac845bdaa; reference:md5,b647a4af77b2fad3f40c6769c22ebf74; reference:url,www.welivesecurity.com/2013/08/20/avatar-rootkit-the-continuing-saga/; classtype:trojan-activity; sid:2017368; rev:3; metadata:created_at 2013_08_22, updated_at 2020_10_28;)

Added 2020-10-28 18:24:44 UTC


# sid:2017368 rev:2 (historical revision; enabled form, protocol "http", any port).
# Matches an outbound HTTP request ($HOME_NET -> $EXTERNAL_NET, established, to_server) where:
#   - the URI starts with "/search?query=" (content + depth:14 on http_uri)
#   - "&sort=relevance" begins exactly 8 bytes later (distance:8 with within:15, the string's own length)
#   - the header buffer holds the literal line "Host: groups.yahoo.com\r\n" (http_header)
#   - the string "Referer:" is absent
#   - the pcre (/U) anchors the whole URI to /search?query=<8 x [A-Z0-9]>&sort=relevance with nothing after it
# References: two sample MD5s and the welivesecurity write-up on the Avatar rootkit.
# NOTE(review): content:!"Referer|3a|" carries no buffer modifier of its own, so it is presumably
#   checked against the raw payload rather than http_header. Confirm on the target engine.
# NOTE(review): the Host match is byte-exact ("Host", one space, trailing CRLF); a request that spells
#   the header differently may not match. Rev 3 on this page switches to http_host instead.
# NOTE(review): the destination is a legitimate service and the msg itself says "Possible ... ?";
#   treat a hit as a lead to corroborate with host evidence, not as confirmation of infection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Avatar RootKit? Yahoo Group Search"; flow:to_server,established; content:"/search?query="; http_uri; depth:14; content:"&sort=relevance"; distance:8; within:15; http_uri; content:"Host|3a 20|groups.yahoo.com|0d 0a|"; http_header; content:!"Referer|3a|"; pcre:"/^\/search\?query=[A-Z0-9]{8}&sort=relevance$/U"; reference:md5,7b6409fc32c70908a9468eaac845bdaa; reference:md5,b647a4af77b2fad3f40c6769c22ebf74; reference:url,www.welivesecurity.com/2013/08/20/avatar-rootkit-the-continuing-saga/; classtype:trojan-activity; sid:2017368; rev:2; metadata:created_at 2013_08_22, updated_at 2013_08_22;)

Added 2018-09-13 19:47:34 UTC


Added 2018-09-13 17:57:58 UTC


# sid:2017368 rev:2, listed again under an earlier "Added" timestamp; the rule text is the same
# as the other rev:2 entry on this page.
# Matches an outbound HTTP request ($HOME_NET -> $EXTERNAL_NET, established, to_server) where:
#   - the URI starts with "/search?query=" (depth:14) and "&sort=relevance" begins exactly 8 bytes later
#   - the header buffer holds the literal line "Host: groups.yahoo.com\r\n" (http_header)
#   - the string "Referer:" is absent
#   - the pcre (/U) pins the full URI to /search?query=<8 x [A-Z0-9]>&sort=relevance
# NOTE(review): the negated Referer content has no buffer modifier, so it is presumably a raw-payload
#   check. Confirm on the target engine.
# NOTE(review): a hit shows a request shape, not a confirmed infection; the msg is worded "Possible ... ?".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Possible Avatar RootKit? Yahoo Group Search"; flow:to_server,established; content:"/search?query="; http_uri; depth:14; content:"&sort=relevance"; distance:8; within:15; http_uri; content:"Host|3a 20|groups.yahoo.com|0d 0a|"; http_header; content:!"Referer|3a|"; pcre:"/^\/search\?query=[A-Z0-9]{8}&sort=relevance$/U"; reference:md5,7b6409fc32c70908a9468eaac845bdaa; reference:md5,b647a4af77b2fad3f40c6769c22ebf74; reference:url,www.welivesecurity.com/2013/08/20/avatar-rootkit-the-continuing-saga/; classtype:trojan-activity; sid:2017368; rev:2; metadata:created_at 2013_08_22, updated_at 2013_08_22;)

Added 2017-08-07 21:11:15 UTC


# sid:2017368 rev:1 (original revision; no metadata keyword).
# Header is "alert tcp ... -> $EXTERNAL_NET $HTTP_PORTS", so only traffic to the ports listed in
# $HTTP_PORTS is considered; the later revisions on this page use "alert http ... any" instead.
# Matches an established, to_server request where:
#   - the URI starts with "/search?query=" (depth:14) and "&sort=relevance" begins exactly 8 bytes later
#   - the header buffer holds the literal line "Host: groups.yahoo.com\r\n" (http_header)
#   - the string "Referer:" is absent
#   - the pcre (/U) pins the full URI to /search?query=<8 x [A-Z0-9]>&sort=relevance
# References: two sample MD5s and the welivesecurity write-up on the Avatar rootkit.
# NOTE(review): a request sent to a port outside $HTTP_PORTS would not be evaluated by this revision.
# NOTE(review): the negated Referer content has no buffer modifier, so it is presumably a raw-payload
#   check. Confirm on the target engine.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Avatar RootKit? Yahoo Group Search"; flow:to_server,established; content:"/search?query="; http_uri; depth:14; content:"&sort=relevance"; distance:8; within:15; http_uri; content:"Host|3a 20|groups.yahoo.com|0d 0a|"; http_header; content:!"Referer|3a|"; pcre:"/^\/search\?query=[A-Z0-9]{8}&sort=relevance$/U"; reference:md5,7b6409fc32c70908a9468eaac845bdaa; reference:md5,b647a4af77b2fad3f40c6769c22ebf74; reference:url,www.welivesecurity.com/2013/08/20/avatar-rootkit-the-continuing-saga/; classtype:trojan-activity; sid:2017368; rev:1;)

Added 2013-08-23 17:31:23 UTC

