[Emerging-Sigs] SpyEye false positive.

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 27 16:51:48 EDT 2010


Will do, good solution I think.

Posting now.

Matt

On Oct 27, 2010, at 3:37 PM, evilghost at packetmail.net wrote:

> 
> On 10/27/2010 02:34 PM, Jeff Kell wrote:
>> ET sig "ET TROJAN SpyEye style HTTP Header GET structure"
>> 
>> It appears to be firing on AVG updates...  (at least they look like legit updates...)
> 
> I see a few with MSN/Hotmail, Matt, can we rev:2 this signature by adding:
> 
> content:".php"; nocase; http_uri;
> 
> Looks like it has a tendency to fall in various different AV environments.
> 
> - -evilghost
> 
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
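Added example, not part of the thread and not the ET rule itself: a small Python emulation of what appending `content:".php"; nocase; http_uri;` does to a signature. The new keyword is AND-ed with the rule's existing conditions and passes only when the normalized request URI contains `.php` in any letter case, so update traffic whose URI ends in something else (the AV update and webmail cases reported above) stops firing. The original rule's header-structure checks are not on the page, so `base_rule_matches` is a hypothetical stand-in that accepts every GET; the request lines are constructed samples, and URI normalization is simplified to percent-decoding.

```python
"""Emulate the rev:2 change proposed in the thread:
original rule conditions AND content:".php"; nocase; http_uri;
(added example; base_rule_matches is a hypothetical placeholder)."""

from urllib.parse import unquote


def normalized_uri(request_line: str) -> str:
    """Return the URI from an HTTP request line ('GET /x HTTP/1.1'),
    percent-decoded as a simplified stand-in for the http_uri buffer,
    which holds the normalized (decoded) URI rather than the raw bytes."""
    parts = request_line.split()
    if len(parts) < 2:
        return ""
    return unquote(parts[1])


def php_uri_condition(request_line: str) -> bool:
    """content:".php"; nocase; http_uri;  ->  case-insensitive substring
    test against the normalized URI only, not headers or body."""
    return ".php" in normalized_uri(request_line).lower()


def base_rule_matches(request_line: str) -> bool:
    """Hypothetical placeholder for the original rule's GET-structure
    checks (not reproduced here). Accepting every GET makes the
    narrowing effect of the extra content match visible."""
    return request_line.startswith("GET ")


def revised_rule_matches(request_line: str) -> bool:
    """rev:2 = original conditions AND the new .php URI content match."""
    return base_rule_matches(request_line) and php_uri_condition(request_line)


# Constructed sample request lines (not real captures).
SAMPLES = {
    "av_update":   "GET /update/av-defs-2010.bin HTTP/1.1",
    "webmail":     "GET /mail/InboxLight.aspx?n=1 HTTP/1.1",
    "php_gate":    "GET /panel/gate.php?id=1 HTTP/1.1",
    "upper_php":   "GET /Admin/GATE.PHP HTTP/1.1",
    "encoded_php": "GET /g%2Ephp HTTP/1.1",   # %2E decodes to '.', so nocase/http_uri still matches
}


def evaluate(samples=SAMPLES) -> dict:
    """Map sample name -> (fires under rev:1 placeholder, fires under rev:2)."""
    return {
        name: (base_rule_matches(req), revised_rule_matches(req))
        for name, req in samples.items()
    }


def alert_counts(samples=SAMPLES) -> tuple:
    """Number of samples that fire before and after the change."""
    results = evaluate(samples)
    before = sum(1 for b, _ in results.values() if b)
    after = sum(1 for _, a in results.values() if a)
    return before, after


if __name__ == "__main__":
    for name, (before, after) in evaluate().items():
        print(f"{name:12s} rev1={before!s:5s} rev2={after!s:5s}")
    print("alerts before/after:", alert_counts())
```

The decoded `%2E` case is why the check is done on the normalized URI buffer: a raw-byte match on `.php` would miss it, while `http_uri` sees the decoded form. Conversely, the narrowed rule now misses any traffic that uses a non-`.php` gate path, which is the trade-off accepted here in exchange for fewer false positives on AV and webmail updates.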
