[Emerging-Sigs] New fake AV signature

Charles Conn overlander7 at gmail.com
Thu Oct 14 16:04:21 EDT 2010


Came across some new malware which wasn't being detected by ET rules.

This rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Fake AV CnC"; \
  flow:established,to_server; content:"POST"; http_method; \
  content:"/cgi-bin/cycle_report.cgi?type=g"; nocase; http_uri; \
  classtype:trojan-activity; \
  reference:url,www.threatexpert.com/report.aspx?md5=fa078834dd3b4c6604d12823a6f9f17e; \
  sid:xxxxxxxx; rev:1;)

Detects this malware:

http://www.threatexpert.com/report.aspx?md5=fa078834dd3b4c6604d12823a6f9f17e

As well as the older variant (uses gbot_ string instead of g_):

http://www.threatexpert.com/report.aspx?md5=1511fbb2274a7b874b58e3c480273e94

After some Google searches, I think the check for
"/cgi-bin/cycle_report.cgi?type=g" after the POST is unique enough that we
don't require PCRE.

Thanks,

Chuck
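Added example, not from the post or the ET ruleset: a Python approximation of the rule's match logic (POST method, case-insensitive URI content, $HOME_NET to $EXTERNAL_NET direction) run over constructed proxy-style request records, covering both the type=g and the older gbot_ variant. $HOME_NET is assumed to be 10.0.0.0/8 here, and the record format is an invented "<src> <dst> <METHOD> <URI>" layout.

```python
from dataclasses import dataclass
from typing import List, Optional

# Pattern from the posted rule; "nocase" makes the URI match case-insensitive.
URI_PATTERN = "/cgi-bin/cycle_report.cgi?type=g"
HOME_NET_PREFIX = "10."  # assumed $HOME_NET for this example (10.0.0.0/8)

@dataclass
class RequestLine:
    src: str
    dst: str
    method: str
    uri: str

def parse_request(line: str) -> Optional[RequestLine]:
    """Parse a constructed proxy-style record: '<src> <dst> <METHOD> <URI>'."""
    parts = line.split()
    if len(parts) != 4:
        return None  # malformed record, skipped
    return RequestLine(*parts)

def matches_fake_av_rule(req: RequestLine) -> bool:
    """Mirror the rule: $HOME_NET -> $EXTERNAL_NET, POST method (case-sensitive,
    since the rule has no nocase on it) and the CnC path in the URI (nocase)."""
    if not req.src.startswith(HOME_NET_PREFIX) or req.dst.startswith(HOME_NET_PREFIX):
        return False
    if req.method != "POST":
        return False
    return URI_PATTERN in req.uri.lower()

def scan(lines: List[str]) -> List[str]:
    """Return one alert string per matching record, using the rule's msg."""
    hits = []
    for line in lines:
        req = parse_request(line)
        if req and matches_fake_av_rule(req):
            hits.append(f"Fake AV CnC: {req.src} -> {req.dst} {req.uri}")
    return hits

# Constructed sample records (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    "10.0.0.5 203.0.113.10 POST /cgi-bin/cycle_report.cgi?type=g&id=1",  # hit
    "10.0.0.6 203.0.113.10 POST /cgi-bin/cycle_report.cgi?type=gbot_2",  # older variant, hit
    "10.0.0.7 203.0.113.10 POST /CGI-BIN/Cycle_Report.cgi?TYPE=G",       # nocase, hit
    "10.0.0.8 198.51.100.7 GET /cgi-bin/cycle_report.cgi?type=g",        # wrong method
    "10.0.0.9 198.51.100.7 POST /cgi-bin/other.cgi?type=g",              # wrong path
    "10.0.0.10 10.0.0.20 POST /cgi-bin/cycle_report.cgi?type=g",         # internal dst
    "garbage line",                                                      # malformed
]
```

Calling scan(SAMPLE_LOG) yields three alerts, for the first three records only.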