[Emerging-Sigs] SpyEye false positive.

evilghost@packetmail.net evilghost at packetmail.net
Wed Oct 27 15:37:35 EDT 2010



On 10/27/2010 02:34 PM, Jeff Kell wrote:
> ET sig "ET TROJAN SpyEye style HTTP Header GET structure"
> 
> It appears to be firing on AVG updates...  (at least they look like legit updates...)

I see a few with MSN/Hotmail. Matt, can we rev:2 this signature by adding:

content:".php"; nocase; http_uri;

Looks like it has a tendency to fall in various different AV environments.

-evilghost

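The proposed `content:".php"; nocase; http_uri;` keyword only narrows the rule to requests whose normalized URI contains ".php" in any case, which is what keeps the AV-update downloads out. The following is an added example, not code from the post or from the ET ruleset: it models just that one keyword over constructed request lines (the URIs below are made up, not captures), percent-decoding the target the way the `http_uri` buffer sees it, so you can check which sample requests the rev:2 rule would still alert on.

```python
from urllib.parse import unquote

# Constructed sample HTTP request lines (not captures from the list thread).
# The first mimics an AV updater fetching a binary; the others mimic the
# .php-style requests the tightened rule is meant to keep matching.
SAMPLE_REQUESTS = [
    "GET /softw/update/u7iavi4141u1170ao.bin HTTP/1.1",  # AV-update style, no .php
    "GET /gate.php?guid=12345 HTTP/1.1",                  # plain lowercase .php
    "GET /GATE.PHP?guid=12345 HTTP/1.1",                  # upper case, needs nocase
    "GET /gate%2Ephp?guid=12345 HTTP/1.1",                # percent-encoded dot
]


def request_uri(request_line):
    """Return the request-target of an HTTP request line, or None if malformed."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    return parts[1]


def normalized_uri(uri):
    """Approximate the http_uri buffer: percent-decoded, query string included.

    Assumption: the engine's URI normalization decodes percent-escapes before
    content matching (http_uri, as opposed to http_raw_uri)."""
    return unquote(uri)


def php_content_match(request_line):
    """Model of  content:".php"; nocase; http_uri;  applied to one request line."""
    uri = request_uri(request_line)
    if uri is None:
        return False
    # nocase: compare case-insensitively; http_uri: look in the normalized URI.
    return ".php" in normalized_uri(uri).lower()


def filter_alerts(request_lines):
    """Return only the request lines the revised rule could still alert on
    (assuming the rest of the rule already matched)."""
    return [line for line in request_lines if php_content_match(line)]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{'ALERT ' if php_content_match(line) else 'pass  '} {line}")
```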


