[Emerging-Sigs] SIGS: Aldi Bot

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 5 17:44:23 EDT 2011


Already covered! :)

Matt


On Oct 5, 2011, at 5:19 PM, Kevin Ross wrote:

> Already submitted from the sandnet for the user agent (I think it is still waiting to be posted).
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/AldiBot DDOS Bot Checkin"; flow:established,to_server; content:"/gate.php?hwid="; http_uri; content:"&pc="; http_uri; content:"&localip="; http_uri; content:"&winver="; http_uri; classtype:trojan-activity; reference:url,http://asert.arbornetworks.com/2011/10/ddos-aldi-bot/; sid:1300001; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/AldiBot DDOS Bot Sending Stolen Data"; flow:established,to_server; content:"/gate.php?hwid="; http_uri; content:"&steal="; http_uri; classtype:trojan-activity; reference:url,http://asert.arbornetworks.com/2011/10/ddos-aldi-bot/; sid:1300002; rev:1;)
> 
> Regards, Kev


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
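
The URI matching of the two rules quoted above, approximated in Python for retro-hunting in web proxy logs. This is an added example, not part of the original thread and not Emerging Threats code. The log layout, function names and sample lines are assumptions, and no Snort URI normalization is performed.

```python
# Added example: approximates the http_uri content matches of sid 1300001 and
# sid 1300002 for searching proxy logs. Not a Snort engine: plain substring
# tests on the logged URI, with no URI normalization.

RULES = {
    1300001: ("ET TROJAN W32/AldiBot DDOS Bot Checkin",
              ["/gate.php?hwid=", "&pc=", "&localip=", "&winver="]),
    1300002: ("ET TROJAN W32/AldiBot DDOS Bot Sending Stolen Data",
              ["/gate.php?hwid=", "&steal="]),
}

def match_uri(uri):
    """Return the sorted sids whose content strings all occur in uri.

    The rules carry no distance/within/nocase modifiers, so the contents
    match case-sensitively and in any order; this function does the same."""
    return sorted(sid for sid, (_, contents) in RULES.items()
                  if all(c in uri for c in contents))

def scan_log(lines):
    """Return a list of (client_ip, sid, msg, uri) for matching log lines.

    Assumed log layout (hypothetical): '<client_ip> <method> <uri>'."""
    hits = []
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _method, uri = parts
        for sid in match_uri(uri):
            hits.append((client, sid, RULES[sid][0], uri))
    return hits

# Constructed sample lines; all values are placeholders, not captured traffic.
SAMPLE_LOG = [
    "10.0.0.5 GET /gate.php?hwid=AAAA&pc=HOST1&localip=10.0.0.5&winver=XP",
    "10.0.0.5 GET /gate.php?hwid=AAAA&steal=example",
    "10.0.0.7 GET /gate.php?hwid=BBBB&winver=XP&localip=10.0.0.7&pc=HOST2",
    "10.0.0.9 GET /index.php?pc=HOST3&winver=7",       # no gate.php: no hit
    "10.0.0.9 GET /GATE.PHP?hwid=CCCC&steal=example",  # case differs: no hit
    "garbage",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The last two sample lines show where the rules as written stay silent: a request without the /gate.php path, and one whose path differs only in case.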
