[Emerging-Sigs] new storm binary or maybe only new file name
Markus Lude
markus.lude at gmx.de
Sun Feb 10 20:19:17 EST 2008
Hi,
It looks like, for the past few days, Storm binaries have changed their name to
valentine.exe. Maybe add a rule to current events?
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT EVENTS Likely Storm Binary Requested (valentine.exe)"; flow:established,to_server; uricontent:"/valentine.exe"; nocase; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/; sid:???; rev:1;)
Regards,
Markus
(looked through his spam folder of the last week...)
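
The matching logic of the rule in the message above, applied to proxy-style log lines, as an added example that is not part of the original post. The HOME_NET range, the HTTP_PORTS set, the reading of $EXTERNAL_NET as "not HOME_NET", the log layout and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import unquote

# Assumptions (not from the post): HOME_NET range, HTTP_PORTS set, log layout,
# and EXTERNAL_NET treated as "anything outside HOME_NET".
HOME_NET = ipaddress.ip_network("192.168.0.0/16")
HTTP_PORTS = {80, 8080}
NEEDLE = "/valentine.exe"  # uricontent from the rule; nocase => compare lowercased

# Constructed sample lines: src_ip dst_ip dst_port method raw_uri
SAMPLE_LOG = """\
192.168.1.20 203.0.113.5 80 GET /valentine.exe
192.168.1.21 203.0.113.5 80 GET /VALENTINE.EXE
192.168.1.22 203.0.113.9 80 GET /valent%69ne.exe
192.168.1.23 203.0.113.9 80 GET /cards/index.html?f=valentine.exe
203.0.113.7 192.168.1.5 80 GET /valentine.exe
192.168.1.24 192.168.2.9 80 GET /valentine.exe
192.168.1.25 203.0.113.5 25 GET /valentine.exe
"""

def rule_matches(src, dst, dport, raw_uri):
    """Mirror the rule header and its uricontent/nocase test."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
    if src_ip not in HOME_NET or dst_ip in HOME_NET or dport not in HTTP_PORTS:
        return False
    # uricontent inspects the normalized URI; percent-decoding stands in for
    # that normalization here, lower() for the nocase modifier.
    return NEEDLE in unquote(raw_uri).lower()

def scan(log_text):
    """Return (src_ip, raw_uri) for every line the rule would alert on."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        src, dst, dport, _method, uri = parts
        if rule_matches(src, dst, int(dport), uri):
            hits.append((src, uri))
    return hits

if __name__ == "__main__":
    for src, uri in scan(SAMPLE_LOG):
        print(f"{src} requested {uri}")
```

The fourth sample line shows why the leading slash in the content string matters: the file name appearing as a query value does not match.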