[Emerging-Sigs] New fake AV signature
overlander7 at gmail.com
Thu Oct 14 16:04:21 EDT 2010
Came across some new malware which wasn't being detected by ET rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Fake AV CnC";
flow:established,to_server; content:"POST"; http_method;
content:"/cgi-bin/cycle_report.cgi?type=g"; nocase; http_uri;
sid:<ASSIGN_LOCAL_SID>; rev:1;)
# Note: the rule as posted was missing its closing parenthesis and sid/rev;
# sid is left as a placeholder to be assigned locally before the rule is loaded.
Detects this malware:
As well as the older variant (uses gbot_ string instead of g_):
After some google searches, I think the check for
"/cgi-bin/cycle_report.cgi?type=g" after the POST is unique enough that we
don't require PCRE.
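As an added illustration (not part of the original post or the ET ruleset), the script below replays the rule's two checks in Python: the method must be POST and the URI must contain /cgi-bin/cycle_report.cgi?type=g, compared case-insensitively as the rule's nocase modifier does. The sample requests are constructed, not captured traffic, and the http_uri buffer is approximated by the raw request-line URI (Snort/Suricata normalize it first). It also shows why one rule covers both variants mentioned above: "type=g" is a substring of both "type=g_" and "type=gbot_".

```python
# Added example, not code from the original post: mirrors the posted rule's
# logic (POST method + nocase content match in the URI) over constructed samples.
from typing import Dict, List, Optional, Tuple

METHOD = "POST"                                  # content:"POST"; http_method;
URI_CONTENT = "/cgi-bin/cycle_report.cgi?type=g"  # content:...; nocase; http_uri;


def parse_request_line(raw: str) -> Optional[Tuple[str, str]]:
    """Return (method, uri) from the first line of an HTTP request, or None
    if the request line does not have the usual three space-separated parts."""
    first_line = raw.split("\r\n", 1)[0].split("\n", 1)[0]
    parts = first_line.split(" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1]


def matches_rule(raw: str) -> bool:
    """True when the request would trigger the rule: exact POST method
    (Snort content matches are case-sensitive unless nocase is set) and the
    URI contains the content string, compared case-insensitively (nocase)."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    method, uri = parsed
    return method == METHOD and URI_CONTENT.lower() in uri.lower()


# Constructed sample requests (hypothetical host, not real traffic).
SAMPLES: Dict[str, str] = {
    "newer_variant": "POST /cgi-bin/cycle_report.cgi?type=g_ HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "older_variant": "POST /cgi-bin/cycle_report.cgi?type=gbot_ HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "mixed_case":    "POST /CGI-BIN/Cycle_Report.cgi?TYPE=G HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "wrong_method":  "GET /cgi-bin/cycle_report.cgi?type=g HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "benign_post":   "POST /login HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
}


def scan(samples: Dict[str, str]) -> List[str]:
    """Return the names of the samples the rule logic would alert on,
    in the order they were supplied."""
    return [name for name, raw in samples.items() if matches_rule(raw)]


if __name__ == "__main__":
    for name in scan(SAMPLES):
        print("ALERT Fake AV CnC:", name)
```

Running it lists the newer and older variants plus the mixed-case request; the GET request and the unrelated POST do not match, which is the behaviour the rule's http_method and nocase modifiers are meant to give.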