[Emerging-Sigs] SIGS: Aldi Bot

Kevin Ross kevross33 at googlemail.com
Wed Oct 5 17:19:34 EDT 2011


Already submitted from the sandnet for the user agent (I think it is still
waiting to be posted).

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/AldiBot DDOS Bot Checkin"; flow:established,to_server; content:"/gate.php?hwid="; http_uri; content:"&pc="; http_uri; content:"&localip="; http_uri; content:"&winver="; http_uri; classtype:trojan-activity; reference:url,http://asert.arbornetworks.com/2011/10/ddos-aldi-bot/; sid:1300001; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/AldiBot DDOS Bot Sending Stolen Data"; flow:established,to_server; content:"/gate.php?hwid="; http_uri; content:"&steal="; http_uri; classtype:trojan-activity; reference:url,http://asert.arbornetworks.com/2011/10/ddos-aldi-bot/; sid:1300002; rev:1;)

Regards, Kev
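As an added example (not part of Kev's post or of the ET ruleset), the Python below re-joins the two mail-wrapped rules, pulls out their http_uri content matches, and evaluates them against a few constructed request URIs; the hwid, hostname, IP and version values are invented, and the engine's URI normalisation is not modelled.

```python
import re

# Both rules from this post, re-joined onto one line each (Snort/Suricata
# need a rule on a single line; the mail client wrapped them).
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/AldiBot DDOS Bot Checkin"; '
    'flow:established,to_server; content:"/gate.php?hwid="; http_uri; content:"&pc="; http_uri; '
    'content:"&localip="; http_uri; content:"&winver="; http_uri; classtype:trojan-activity; '
    'reference:url,http://asert.arbornetworks.com/2011/10/ddos-aldi-bot/; sid:1300001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/AldiBot DDOS Bot Sending Stolen Data"; '
    'flow:established,to_server; content:"/gate.php?hwid="; http_uri; content:"&steal="; http_uri; '
    'classtype:trojan-activity; reference:url,http://asert.arbornetworks.com/2011/10/ddos-aldi-bot/; sid:1300002; rev:1;)',
]

def parse_rule(rule):
    """Return (sid, msg, [content strings that carry the http_uri modifier])."""
    sid = int(re.search(r'sid:(\d+);', rule).group(1))
    msg = re.search(r'msg:"([^"]*)";', rule).group(1)
    contents = re.findall(r'content:"([^"]*)";\s*http_uri;', rule)
    return sid, msg, contents

def uri_matches(contents, uri):
    """A rule fires when every http_uri content appears in the URI.
    These rules set no nocase/distance/within, so matching is case-sensitive
    and order-independent. The engine's normalised-URI buffer (percent-decoding
    etc.) is not modelled: the sample URIs are already in decoded form."""
    return all(c in uri for c in contents)

def matching_sids(uri, rules=RULES):
    """SIDs of the rules whose http_uri contents all occur in `uri`."""
    return [sid for sid, _, contents in map(parse_rule, rules)
            if uri_matches(contents, uri)]

# Constructed request URIs; hwid/pc/ip/version values are invented.
SAMPLE_URIS = {
    "checkin":   "/gate.php?hwid=0123ABCD&pc=HOST-7&localip=10.0.0.23&winver=6.1",
    "steal":     "/gate.php?hwid=0123ABCD&steal=dXNlcjpwYXNz",
    "hwid_only": "/gate.php?hwid=0123ABCD",                         # hwid alone is too generic
    "upper":     "/GATE.PHP?HWID=0123ABCD&PC=X&LOCALIP=Y&WINVER=Z",  # case differs, no nocase
}

if __name__ == "__main__":
    for name, uri in SAMPLE_URIS.items():
        print(f"{name:10s} -> {matching_sids(uri)}")
```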