[Emerging-Sigs] ET TROJAN Win32.VBNA.b Checkin Signature

Micah Kays micah.d.kays at gmail.com
Mon Oct 10 15:28:53 EDT 2011


That was the only traffic generated.

Thank you Mr. Holste.

P.S. - My IP address and country were revealed back to the destination
server. Should i try writing a signature based on that?

On 10/10/11, Martin Holste <mcholste at gmail.com> wrote:
> I'm assuming these are to api.ipinfodb.com?  That looks like a legit
> site, so, much like adobe.com's geoip.php, this is another abuse of a
> legit service.  The problem is that while Adobe's page seemed largely
> unused by legit apps, I see plenty of legit apps using this page.  Is
> there no other traffic to create a check-in sig on?
>
> On Sun, Oct 9, 2011 at 10:58 PM, Micah Kays <micah.d.kays at gmail.com> wrote:
>> alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN
>> Win32.VBNA.b Checkin"; content:"GET"; http_method;
>> uricontent:"ip_query_country.php?key="; uricontent:"&timezone=";
>> classtype:trojan-activity;
>> reference:url,http://www.threatexpert.com/report.aspx?md5=0d6cd3944f0dc79275727393c66ab744
>> sid:001; rev:1;)
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>> Current!
>>
>


More information about the Emerging-sigs mailing list