alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Zeus P2P? Variant DGA NXDOMAIN Responses July 11 2014"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20](?=\d{0,27}[a-z])(?=[a-z]{0,27}\d)[a-z0-9]{21,28}(?:\x03(?:biz|com|net|org))\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url,blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018666; rev:4; metadata:created_at 2014_07_11, former_category MALWARE, updated_at 2014_07_11;)

Added 2021-09-09 17:40:22 UTC


alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Zeus P2P? Variant DGA NXDOMAIN Responses July 11 2014"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20](?=\d{0,27}[a-z])(?=[a-z]{0,27}\d)[a-z0-9]{21,28}(?:\x03(?:biz|com|net|org))\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url, blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018666; rev:4; metadata:created_at 2014_07_11, updated_at 2014_07_11;)

Added 2018-09-13 19:48:57 UTC


Added 2018-09-13 17:58:47 UTC


alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Zeus P2P? Variant DGA NXDOMAIN Responses July 11 2014"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20](?=\d{0,27}[a-z])(?=[a-z]{0,27}\d)[a-z0-9]{21,28}(?:\x03(?:biz|com|net|org))\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url, blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018666; rev:4; metadata:created_at 2014_07_11, updated_at 2014_07_11;)

Added 2017-08-07 21:12:47 UTC


alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Possible Zeus P2P? Variant DGA NXDOMAIN Responses July 11 2014"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"|00 01 00 00 00 01|"; offset:4; depth:6; pcre:"/^..[\x0d-\x20](?=\d{0,27}[a-z])(?=[a-z]{0,27}\d)[a-z0-9]{21,28}(?:\x03(?:biz|com|net|org))\x00\x00\x01\x00\x01/Rs"; threshold: type both, track by_dst, count 12, seconds 120; reference:url, blog.malcovery.com/blog/breaking-gameover-zeus-returns; reference:md5,5e5e46145409fb4a5c8a004217eef836; classtype:trojan-activity; sid:2018666; rev:4;)

Added 2014-07-11 18:59:39 UTC


Topic revision: r1 - 2021-09-09 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats