[Emerging-Sigs] new storm binary or maybe only new file name

Matt Jonkman jonkman at jonkmans.com
Sun Feb 10 21:17:34 EST 2008


Nice catch Markus, and a good idea. I've added 2007835.

Matt

Markus Lude wrote:
> Hi,
> Looks like for the past few days storm binaries have changed the name to
> valentine.exe. Maybe add a rule to current events?
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT EVENTS Likely Storm Binary Requested (valentine.exe)"; flow:established,to_server; uricontent:"/valentine.exe"; nocase; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2008/01/storm-loves-you-new-campaign-valentines-day-theme/; sid:???; rev:1;)
> 
> Regards,
> Markus
> (looked through his spam folder of the last week...)

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
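
The match logic of the rule proposed in this thread, as an added example that is not part of the original messages or of the Emerging Threats ruleset: it applies the same case-insensitive `/valentine.exe` URI test to proxy-style log lines for retrospective hunting. The log format, the `HOME_NET` range and all sample lines are constructed assumptions, and the percent-decoding only approximates the URI normalization that `uricontent` relies on.

```python
import ipaddress
from urllib.parse import unquote, urlsplit

# Assumption: HOME_NET is 10.0.0.0/8; set this to your own internal ranges.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
NEEDLE = "/valentine.exe"  # uricontent value from the proposed rule

# Constructed sample lines: "<client_ip> <dest_ip> <method> <url>"
SAMPLE_LOG = """\
10.1.2.3 203.0.113.7 GET http://203.0.113.7/valentine.exe
10.1.2.4 203.0.113.9 GET http://203.0.113.9/VALENTINE.EXE
10.1.2.5 203.0.113.9 GET http://203.0.113.9/valentine%2Eexe
10.1.2.6 198.51.100.2 GET http://example.com/cards/valentine.html
10.1.2.7 10.9.9.9 GET http://10.9.9.9/valentine.exe
198.51.100.5 10.1.1.1 GET http://10.1.1.1/valentine.exe
malformed line
"""

def in_home_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def uri_matches(url):
    """Case-insensitive substring match on the percent-decoded path and query."""
    parts = urlsplit(url)
    uri = parts.path + ("?" + parts.query if parts.query else "")
    return NEEDLE in unquote(uri).lower()

def find_hits(log_text):
    """Return (client_ip, url) for outbound requests that match the rule."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the constructed format
        src, dst, _method, url = fields
        try:
            # Mirrors "$HOME_NET any -> $EXTERNAL_NET" in the rule header
            outbound = in_home_net(src) and not in_home_net(dst)
        except ValueError:
            continue  # unparsable address
        if outbound and uri_matches(url):
            hits.append((src, url))
    return hits

if __name__ == "__main__":
    for src, url in find_hits(SAMPLE_LOG):
        print(src, url)
```

Because the match is a plain substring on the file name, a hit identifies a host worth triaging rather than a confirmed infection.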



