[Emerging-Sigs] New sig: MUROFET/Licat trojan check in

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 18 15:49:54 EDT 2010


Posting now, thanks Greg!

Matt

On Oct 18, 2010, at 1:53 PM, Greg Martin wrote:

> #by gregcmartin
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MUROFET/Licat Trojan"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\:"; nocase; uricontent:"/news/?s="; pcre:"/\/news\/\?s=\d{1,3}/"; classtype:trojan-activity; reference:url,extraexploit.blogspot.com/2010/10/some-domains-for-licatmurofettrojanzbot.html; sid:9999999; rev:1;)
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
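The match conditions of the rule quoted above, restated as an added example that is not part of the original thread or of the Emerging Threats ruleset: a small offline checker a rule writer could use to see which requests would and would not meet them. The function name `rule_matches`, the host `example.invalid` and all sample requests are constructed for illustration, and the request line is split naively rather than normalized the way Snort's HTTP preprocessor does.

```python
import re

# Conditions mirrored from the quoted rule. The digit check follows the rule's
# pcre, with the path written as the uricontent option gives it ("/news/?s=").
URI_MARKER = "/news/?s="
URI_DIGITS = re.compile(r"/news/\?s=\d{1,3}")
REFERER = re.compile(rb"\r\nReferer:", re.IGNORECASE)


def rule_matches(request: bytes) -> bool:
    """Return True when a client-to-server request meets every rule condition."""
    # content:"GET "; nocase; depth:4;
    if request[:4].upper() != b"GET ":
        return False
    # content:!"|0d 0a|Referer\:"; nocase;  (negated: must not appear anywhere)
    if REFERER.search(request):
        return False
    # uricontent + pcre, applied here to the request target only
    parts = request.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 2:
        return False
    uri = parts[1].decode("latin-1")
    return URI_MARKER in uri and URI_DIGITS.search(uri) is not None


# Constructed sample requests (not captured traffic).
HOST = b"Host: example.invalid\r\n"
SAMPLES = {
    "check_in": b"GET /news/?s=123 HTTP/1.1\r\n" + HOST + b"\r\n",
    "lowercase_method": b"get /news/?s=7 HTTP/1.0\r\n" + HOST + b"\r\n",
    "with_referer": b"GET /news/?s=123 HTTP/1.1\r\n" + HOST
                    + b"referer: http://example.invalid/\r\n\r\n",
    "post": b"POST /news/?s=123 HTTP/1.1\r\n" + HOST + b"\r\n",
    "non_numeric": b"GET /news/?s=abc HTTP/1.1\r\n" + HOST + b"\r\n",
    "no_slash": b"GET /news?s=12 HTTP/1.1\r\n" + HOST + b"\r\n",
}


def evaluate(samples=SAMPLES):
    """Map each sample name to whether the rule conditions are met."""
    return {name: rule_matches(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:18} {'ALERT' if hit else 'no match'}")
```

The `with_referer` sample shows the main false-negative condition of the rule: any request that carries a Referer header is skipped, whatever its URI.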




