alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Kwampirs Outbound GET request"; flow:to_server,established; content:"GET"; nocase; http_method; urilen:>21; content:"?q=KT"; http_uri; fast_pattern; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:!"Accept"; http_header; content:"User-Agent|3a 20|Mozilla/"; http_header; depth:20; pcre:"/\.(?:aspx?|php)\?q=(?=KT)(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a/H"; reference:md5,1f1b5c16bbb62387fdf53e524a382006; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2016-081923-2700-99&tabid=2; classtype:trojan-activity; sid:2023595; rev:4; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_09, malware_family Trojan_Kwampirs, performance_impact Low, updated_at 2019_10_07;)

Added 2019-10-08 19:34:42 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Kwampirs Outbound GET request"; flow:to_server,established; content:"GET"; nocase; http_method; urilen:>21; content:"?q=KT"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:!"Accept"; http_header; content:"User-Agent|3a 20|Mozilla/"; http_header; depth:20; pcre:"/\.(?:aspx?|php)\?q=(?=KT)(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a/H"; reference:md5,1f1b5c16bbb62387fdf53e524a382006; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2016-081923-2700-99&tabid=2; classtype:trojan-activity; sid:2023595; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_09, malware_family Trojan_Kwampirs, performance_impact Low, updated_at 2016_12_09;)

Added 2018-09-13 19:53:13 UTC


Added 2018-09-13 18:01:17 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Kwampirs Outbound GET request"; flow:to_server,established; content:"GET"; nocase; http_method; urilen:>21; content:"?q=KT"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:!"Accept"; http_header; content:"User-Agent|3a 20|Mozilla/"; http_header; depth:20; pcre:"/\.(?:aspx?|php)\?q=(?=KT)(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a/H"; reference:md5,1f1b5c16bbb62387fdf53e524a382006; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2016-081923-2700-99&tabid=2; classtype:trojan-activity; sid:2023595; rev:3; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_09, malware_family Trojan_Kwampirs, performance_impact Low, updated_at 2016_12_09;)

Added 2017-09-25 17:52:29 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Kwampirs Outbound GET request"; flow:to_server,established; content:"GET"; nocase; http_method; urilen:>65; content:"?q=K"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:!"Accept"; http_header; content:"User-Agent|3a 20|Mozilla/"; http_header; depth:20; pcre:"/\.(?:aspx?|php)\?q=(?=K)(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a/H"; reference:md5,1f1b5c16bbb62387fdf53e524a382006; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2016-081923-2700-99&tabid=2; classtype:trojan-activity; sid:2023595; rev:2; metadata:attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2016_12_09, malware_family Trojan_Kwampirs, performance_impact Low, updated_at 2016_12_09;)

Added 2017-08-07 21:18:46 UTC


alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Kwampirs Outbound GET request"; flow:to_server,established; content:"GET"; nocase; http_method; urilen:>65; content:"?q=K"; http_uri; fast_pattern:only; content:!"Referer|3a|"; http_header; content:!"Cookie|3a|"; content:!"Accept"; http_header; content:"User-Agent|3a 20|Mozilla/"; http_header; depth:20; pcre:"/\.(?:aspx?|php)\?q=(?=K)(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/U"; pcre:"/^User-Agent\x3a\x20[^\r\n]+\r\nHost\x3a/H"; reference:md5,1f1b5c16bbb62387fdf53e524a382006; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2016-081923-2700-99&tabid=2; classtype:trojan-activity; sid:2023595; rev:2;)

Added 2016-12-09 18:01:27 UTC


Topic revision: r1 - 2019-10-08 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats