[Emerging-Sigs] ET TROJAN Win32.VBNA.b Checkin Signature

Martin Holste mcholste at gmail.com
Mon Oct 10 08:53:59 EDT 2011


I'm assuming these are to api.ipinfodb.com?  That looks like a legit
site, so, much like adobe.com's geoip.php, this is another abuse of a
legit service.  The problem is that while Adobe's page seemed largely
unused by legit apps, I see plenty of legit apps using this page.  Is
there no other traffic to create a check-in sig on?

On Sun, Oct 9, 2011 at 10:58 PM, Micah Kays <micah.d.kays at gmail.com> wrote:
> alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN
> Win32.VBNA.b Checkin"; content:"GET"; http_method;
> uricontent:"ip_query_country.php?key="; uricontent:"&timezone=";
> classtype:trojan-activity;
> reference:url,http://www.threatexpert.com/report.aspx?md5=0d6cd3944f0dc79275727393c66ab744
> sid:001; rev:1;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>


More information about the Emerging-sigs mailing list