[Emerging-Sigs] SIGS: Aldi Bot

Kevin Ross kevross33 at googlemail.com
Wed Oct 5 17:57:48 EDT 2011


Is it? What sids, as I just did a grep for &steal= and didn't find anything.

On 5 October 2011 22:44, Matthew Jonkman <jonkman at emergingthreatspro.com>wrote:

> Already covered! :)
>
> Matt
>
>
> On Oct 5, 2011, at 5:19 PM, Kevin Ross wrote:
>
> > Already submitted from the sandnet for the user agent (I think it is
> still waiting to be posted).
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> W32/AldiBot DDOS Bot Checkin"; flow:established,to_server;
> content:"/gate.php?hwid="; http_uri; content:"&pc="; http_uri;
> content:"&localip="; http_uri; content:"&winver="; http_uri;
> classtype:trojan-activity; reference:url,
> http://asert.arbornetworks.com/2011/10/ddos-aldi-bot/; sid:1300001;
> rev:1;)
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> W32/AldiBot DDOS Bot Sending Stolen Data"; flow:established,to_server;
> content:"/gate.php?hwid="; http_uri; content:"&steal="; http_uri;
> classtype:trojan-activity; reference:url,
> http://asert.arbornetworks.com/2011/10/ddos-aldi-bot/; sid:1300002;
> rev:1;)
> >
> > Regards, Kev
>
>
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
>
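The two rules quoted above are pure `http_uri` substring tests, so the question of which sid a `&steal=` URI would trip can be checked offline. This is an added example, not code from the list or from Emerging Threats: it reconstructs the content tests of sid 1300001 and 1300002 as a rule table and applies them to constructed HTTP request lines (hostnames, hwid and values are made up).

```python
import re
from typing import Dict, List, Optional, Tuple

# Rule table reconstructed from the two signatures quoted in the thread.
# Each sid fires when every listed substring appears in the HTTP URI: a
# Snort "content:...; http_uri;" without distance/within is an independent
# search of the normalized URI buffer, so the rule is an AND of all contents.
RULES: Dict[int, Tuple[str, List[str]]] = {
    1300001: ("ET TROJAN W32/AldiBot DDOS Bot Checkin",
              ["/gate.php?hwid=", "&pc=", "&localip=", "&winver="]),
    1300002: ("ET TROJAN W32/AldiBot DDOS Bot Sending Stolen Data",
              ["/gate.php?hwid=", "&steal="]),
}

REQUEST_LINE = re.compile(r"^(GET|POST)\s+(\S+)\s+HTTP/1\.[01]\r?$")


def uri_from_request(request: str) -> Optional[str]:
    """Return the URI from the request line of an HTTP request, or None."""
    first = request.split("\n", 1)[0]
    m = REQUEST_LINE.match(first)
    return m.group(2) if m else None


def matching_sids(request: str) -> List[int]:
    """Return the sids whose http_uri content tests all hold for this request."""
    uri = uri_from_request(request)
    if uri is None:
        return []
    return [sid for sid, (_, needles) in RULES.items()
            if all(n in uri for n in needles)]


# Constructed sample traffic (not real captures): a check-in, a stolen-data
# upload, and a /gate.php request lacking the other parameters (no alert).
SAMPLES = {
    "checkin": "GET /gate.php?hwid=ABC123&pc=WS01&localip=10.0.0.5&winver=6.1 HTTP/1.1\r\n"
               "Host: c2.example.invalid\r\n\r\n",
    "steal": "GET /gate.php?hwid=ABC123&steal=ZmFrZQ== HTTP/1.1\r\n"
             "Host: c2.example.invalid\r\n\r\n",
    "partial": "GET /gate.php?hwid=ABC123&pc=WS01 HTTP/1.1\r\n"
               "Host: c2.example.invalid\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(name, [(sid, RULES[sid][0]) for sid in matching_sids(req)])
```

The check only mirrors the content tests; flow direction, port and the `$HOME_NET`/`$EXTERNAL_NET` variables are left to the sensor.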

