# sid 2023594, rev 5: outbound HTTP request pattern of a JS/WSF downloader
# (the metadata tags the family as Trojan_Kwampirs; created 2016_12_09, updated 2019_10_24).
# Only traffic the engine parses as HTTP is inspected (alert http), client to server on an
# established flow, from $HOME_NET to $EXTERNAL_NET. All of the following must hold:
#   - method buffer contains "GET";
#   - normalized URI begins with "/counter/?" (depth:10; this is also the fast_pattern)
#     and contains "&r=";
#   - User-Agent buffer begins with "Mozilla/4.0 (compatible; MSIE 7.0;" (34 bytes, depth:34);
#   - "Referer:" is absent from the header buffer and "Cookie:" is absent;
#   - the pcre (/U = normalized URI) anchors the whole URI: one or more groups of
#     <single lowercase letter>=<"0." + 8 digits | "1" + alphanumerics>, then "&r=" + digits.
# Difference from the rev 4 text on this page: the User-Agent test uses http_user_agent with a
# depth instead of matching "User-Agent: ..." inside http_header.
# NOTE(review): the negated Cookie match has no http_* modifier, unlike the Referer check, so
# it is evaluated against a different buffer; confirm that is intentional.
# NOTE(review): the repeated pcre group has no "&" between repetitions; confirm against
# captured traffic that multi-parameter requests are matched as intended.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/WSF Downloader Dec 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?"; http_uri; depth:10; fast_pattern; content:"&r="; http_uri; content:"Mozilla/4.0 (compatible|3b 20|MSIE 7.0|3b|"; http_user_agent; depth:34; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/counter\/\?(?:[a-z]=(?:0\.\d{8}|1[A-Z0-9a-z]+))+&r=\d+$/U"; classtype:trojan-activity; sid:2023594; rev:5; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_09, malware_family Trojan_Kwampirs, performance_impact Low, updated_at 2019_10_24;)

Added 2019-10-25 19:12:51 UTC


# sid 2023594, rev 4 with metadata (created 2016_12_09, updated 2016_12_19,
# malware_family Trojan_Kwampirs).
# Matches an established client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET where:
#   - the normalized URI begins with "/counter/?" (depth:10, fast_pattern) and contains "&r=";
#   - the header buffer contains "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;"
#     (no depth or offset, so the string may sit anywhere in the header buffer);
#   - "Referer:" is absent from the header buffer and "Cookie:" is absent;
#   - the pcre (/U = normalized URI) anchors the whole URI: one or more groups of
#     <single lowercase letter>=<"0." + 8 digits | "1" + alphanumerics>, then "&r=" + digits.
# NOTE(review): the negated Cookie match has no http_* modifier, unlike the Referer check;
# confirm that is intentional.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/WSF Downloader Dec 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?"; http_uri; depth:10; fast_pattern; content:"&r="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/counter\/\?(?:[a-z]=(?:0\.\d{8}|1[A-Z0-9a-z]+))+&r=\d+$/U"; classtype:trojan-activity; sid:2023594; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_09, malware_family Trojan_Kwampirs, performance_impact Low, updated_at 2016_12_19;)

Added 2018-09-13 19:53:13 UTC


Added 2018-09-13 18:01:17 UTC


# sid 2023594, rev 4 with metadata; the rule text is the same as the other rev 4 entry
# on this page that carries a metadata block.
# Detection logic: established client-to-server HTTP GET, normalized URI beginning with
# "/counter/?" and containing "&r=", an MSIE 7.0 User-Agent string matched inside http_header,
# no "Referer:" header and no "Cookie:", and a pcre that anchors the whole normalized URI to
# one or more <letter>=<"0." + 8 digits | "1" + alphanumerics> groups followed by "&r=" + digits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/WSF Downloader Dec 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?"; http_uri; depth:10; fast_pattern; content:"&r="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/counter\/\?(?:[a-z]=(?:0\.\d{8}|1[A-Z0-9a-z]+))+&r=\d+$/U"; classtype:trojan-activity; sid:2023594; rev:4; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_09, malware_family Trojan_Kwampirs, performance_impact Low, updated_at 2016_12_19;)

Added 2017-08-07 21:18:46 UTC


# sid 2023594, rev 4 as published without a metadata keyword.
# Detection logic: established client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET,
# normalized URI beginning with "/counter/?" (depth:10, fast_pattern) and containing "&r=",
# "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;" present in http_header, "Referer:" absent
# from http_header, "Cookie:" absent, and a pcre (/U) anchoring the whole normalized URI to one
# or more <letter>=<"0." + 8 digits | "1" + alphanumerics> groups followed by "&r=" + digits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/WSF Downloader Dec 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?"; http_uri; depth:10; fast_pattern; content:"&r="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/counter\/\?(?:[a-z]=(?:0\.\d{8}|1[A-Z0-9a-z]+))+&r=\d+$/U"; classtype:trojan-activity; sid:2023594; rev:4;)

Added 2016-12-19 21:04:00 UTC


# sid 2023594, rev 4 without a metadata keyword.
# Relative to the rev 3 text on this page, the pcre changes: the <letter>=<value> group may
# repeat, and the trailing parameter is pinned to the literal name "r" ("&r=" + digits)
# instead of any single lowercase letter.
# Other conditions: established client-to-server HTTP GET, normalized URI beginning with
# "/counter/?" and containing "&r=", the MSIE 7.0 User-Agent string in http_header,
# no "Referer:" in http_header, and no "Cookie:".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/WSF Downloader Dec 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?"; http_uri; depth:10; fast_pattern; content:"&r="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/counter\/\?(?:[a-z]=(?:0\.\d{8}|1[A-Z0-9a-z]+))+&r=\d+$/U"; classtype:trojan-activity; sid:2023594; rev:4;)

Added 2016-12-19 21:00:12 UTC


# sid 2023594, rev 3.
# Relative to the rev 2 text on this page, the separate "0." URI content match is gone and the
# pcre value accepts either "0." + 8 digits or "1" + alphanumerics.
# The pcre (/U = normalized URI) anchors the whole URI to exactly one
# <single lowercase letter>=<value> parameter followed by "&" + <single lowercase letter>= + digits;
# the separate content:"&r=" match additionally requires "&r=" to appear in the URI.
# Other conditions: established client-to-server HTTP GET, normalized URI beginning with
# "/counter/?", the MSIE 7.0 User-Agent string in http_header, no "Referer:" in http_header,
# and no "Cookie:".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/WSF Downloader Dec 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?"; http_uri; depth:10; fast_pattern; content:"&r="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/counter\/\?[a-z]=(?:0\.\d{8}|1[A-Z0-9a-z]+)&[a-z]=\d+$/U"; classtype:trojan-activity; sid:2023594; rev:3;)

Added 2016-12-12 17:15:46 UTC


# sid 2023594, rev 2: the earliest revision listed on this page.
# Matches an established client-to-server HTTP GET from $HOME_NET to $EXTERNAL_NET where:
#   - the normalized URI begins with "/counter/?" (depth:10, fast_pattern) and contains
#     both "0." and "&r=";
#   - the header buffer contains "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0;";
#   - "Referer:" is absent from the header buffer and "Cookie:" is absent;
#   - the pcre (/U = normalized URI) anchors the whole URI to
#     <single lowercase letter>="0." + exactly 8 digits, then "&" + <single lowercase letter>= + digits.
# This is the narrowest form shown here: only the "0." + 8-digit value is accepted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN JS/WSF Downloader Dec 08 2016"; flow:to_server,established; content:"GET"; http_method; content:"/counter/?"; http_uri; depth:10; fast_pattern; content:"0."; http_uri; content:"&r="; http_uri; content:"User-Agent|3a 20|Mozilla/4.0 (compatible|3b| MSIE 7.0|3b|"; http_header; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; pcre:"/^\/counter\/\?[a-z]=0\.\d{8}&[a-z]=\d+$/U"; classtype:trojan-activity; sid:2023594; rev:2;)

Added 2016-12-09 18:01:27 UTC

