[Emerging-Sigs] ET TROJAN Win32.VBNA.b Checkin Signature
micah.d.kays at gmail.com
Mon Oct 10 15:28:53 EDT 2011
That was the only traffic generated.
Thank you Mr. Holste.
P.S. - My IP address and country were revealed back to the destination
server. Should I try writing a signature based on that?
On 10/10/11, Martin Holste <mcholste at gmail.com> wrote:
> I'm assuming these are to api.ipinfodb.com? That looks like a legit
> site, so, much like adobe.com's geoip.php, this is another abuse of a
> legit service. The problem is that while Adobe's page seemed largely
> unused by legit apps, I see plenty of legit apps using this page. Is
> there no other traffic to create a check-in sig on?
> On Sun, Oct 9, 2011 at 10:58 PM, Micah Kays <micah.d.kays at gmail.com> wrote:
>> alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN
>> Win32.VBNA.b Checkin"; content:"GET"; http_method;
>> uricontent:"ip_query_country.php?key="; uricontent:"&timezone=";
>> sid:001; rev:1;)
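Added illustration, not code from the thread: it parses the option body of the rule Micah posted and runs its method and URI predicates over constructed request lines, so the overlap Martin describes (benign apps hitting the same api.ipinfodb.com endpoint) shows up as a counted false positive. The sample paths and the `PLACEHOLDER` key are constructed, and the parser handles only the keywords this rule uses.

```python
from typing import NamedTuple
# The rule exactly as posted in the thread, joined onto one line.
RULE_TEXT = ('alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN '
             'Win32.VBNA.b Checkin"; content:"GET"; http_method; '
             'uricontent:"ip_query_country.php?key="; uricontent:"&timezone="; '
             'sid:001; rev:1;)')

class Request(NamedTuple):
    method: str
    uri: str
    benign: bool  # constructed ground truth, for the illustration only

def parse_rule(text: str) -> dict:
    """Extract method and URI predicates from a Snort rule's option body. Only the
    keywords the posted rule uses are handled: 'content' + 'http_method' becomes
    the method constraint; each 'uricontent' value is a required URI substring."""
    body = text[text.index("(") + 1:text.rindex(")")]
    rule = {"method": None, "uri_needles": []}
    pending = None  # last bare content value, awaiting a possible modifier
    for opt in (o.strip() for o in body.split(";") if o.strip()):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "content":
            pending = val
        elif key == "http_method" and pending is not None:
            rule["method"], pending = pending, None
        elif key == "uricontent":
            rule["uri_needles"].append(val)
    return rule

def matches(rule: dict, req: Request) -> bool:
    """Case-sensitive substring semantics, as Snort's content matching uses."""
    if rule["method"] and req.method != rule["method"]:
        return False
    return all(needle in req.uri for needle in rule["uri_needles"])

# Constructed traffic (placeholder key, not real data): the first request is
# shaped like the reported check-in, the rest like benign uses of the same API.
SAMPLES = [
    Request("GET", "/ip_query_country.php?key=PLACEHOLDER&timezone=on", False),
    Request("GET", "/ip_query_country.php?key=PLACEHOLDER&timezone=on", True),
    Request("GET", "/ip_query_country.php?key=PLACEHOLDER", True),
    Request("POST", "/ip_query_country.php?key=PLACEHOLDER&timezone=on", True),
]

def false_positives(rule_text: str = RULE_TEXT, samples=SAMPLES) -> int:
    """Count benign requests the rule alerts on; non-zero shows the overlap."""
    rule = parse_rule(rule_text)
    return sum(1 for s in samples if s.benign and matches(rule, s))
```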