[Emerging-Sigs] SIGS: Aldi Bot

Pedro Marinho pppmarinho at gmail.com
Tue Oct 11 11:38:47 EDT 2011


Yes Sir!

I've moved it from PRO to open since Kevin did build exactly the same rule
based on this info http://asert.arbornetworks.com/2011/10/ddos-aldi-bot/

Thanks Kevin, sorry for the delay.

=>

Message: 1
Date: Tue, 11 Oct 2011 06:43:43 -0400
From: Matthew Jonkman <jonkman at emergingthreatspro.com>
Subject: Re: [Emerging-Sigs] SIGS: Aldi Bot
To: Kevin Ross <kevross33 at googlemail.com>
Cc: "emerging-sigs at emergingthreats.net"
       <Emerging-sigs at emergingthreats.net>
Message-ID:
       <F270C3A8-B9C1-472D-A2A1-F2748C65BE26 at emergingthreatspro.com>
Content-Type: text/plain; charset="iso-8859-1"

Maybe in the Pro sigs and I didn't notice. Pedro, can you check? If what we
had like this was pro then we'll move it over to open.

Thanks!

Matt


On Oct 5, 2011, at 5:57 PM, Kevin Ross wrote:

> Is it? What sids as I just did a grep for &steal= and didn't find anything.
>
> On 5 October 2011 22:44, Matthew Jonkman <jonkman at emergingthreatspro.com> wrote:
> Already covered! :)
>
> Matt
>
>
> On Oct 5, 2011, at 5:19 PM, Kevin Ross wrote:
>
> > Already submitted from the sandnet for the user agent (I think it is still waiting to be posted).
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/AldiBot DDOS Bot Checkin"; flow:established,to_server; content:"/gate.php?hwid="; http_uri; content:"&pc="; http_uri; content:"&localip="; http_uri; content:"&winver="; http_uri; classtype:trojan-activity; reference:url,http://asert.arbornetworks.com/2011/10/ddos-aldi-bot/; sid:1300001; rev:1;)
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/AldiBot DDOS Bot Sending Stolen Data"; flow:established,to_server; content:"/gate.php?hwid="; http_uri; content:"&steal="; http_uri; classtype:trojan-activity; reference:url,http://asert.arbornetworks.com/2011/10/ddos-aldi-bot/; sid:1300002; rev:1;)
> >
> > Regards, Kev
>
>
> ---------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ---------------------------------------------------
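The two signatures quoted in the thread, re-expressed as a small Python matcher run over constructed sample requests. This is an added example written for this page; it is not code from the thread, from Kevin, or from the Emerging Threats ruleset. The sample requests, the host name and the parameter values are constructed placeholders, and the URI extraction is a simplification of the engine's normalized http_uri buffer. It shows that the content matches inside one rule are ANDed and case-sensitive, so a request carrying "&pc=" but no "/gate.php?hwid=" does not fire, while a request carrying every field of both rules fires both sids.

```python
from typing import List, Optional

# Rule table transcribed from the two signatures quoted in this thread:
# (sid, msg, content strings that must ALL appear in the request URI).
RULES = [
    (1300001, "ET TROJAN W32/AldiBot DDOS Bot Checkin",
     ("/gate.php?hwid=", "&pc=", "&localip=", "&winver=")),
    (1300002, "ET TROJAN W32/AldiBot DDOS Bot Sending Stolen Data",
     ("/gate.php?hwid=", "&steal=")),
]


def request_uri(raw_request: bytes) -> Optional[str]:
    """Extract the request-target from an HTTP/1.x request line.

    Returns None for anything that is not 'METHOD SP target SP HTTP/x.y',
    so a malformed or non-HTTP payload can never match a rule. This is a
    stand-in for the engine's normalized http_uri buffer; it does no
    percent-decoding or path normalization.
    """
    request_line = raw_request.split(b"\r\n", 1)[0]
    fields = request_line.split(b" ")
    if len(fields) != 3 or not fields[2].startswith(b"HTTP/"):
        return None
    return fields[1].decode("latin-1", errors="replace")


def matching_sids(raw_request: bytes) -> List[int]:
    """Return the sid of every rule whose content matches are all present.

    Content matches without 'nocase' are case-sensitive, and the several
    content options in one rule are ANDed, so every needle must be a
    substring of the URI for that rule to fire.
    """
    uri = request_uri(raw_request)
    if uri is None:
        return []
    return [sid for sid, _msg, needles in RULES
            if all(needle in uri for needle in needles)]


# Constructed sample requests (not captured traffic); host names and
# parameter values are placeholders.
CHECKIN_REQUEST = (
    b"GET /gate.php?hwid=0123ABCD&pc=HOST-01&localip=192.0.2.10&winver=6.1 HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n\r\n"
)
STEAL_REQUEST = (
    b"GET /gate.php?hwid=0123ABCD&steal=placeholder HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n\r\n"
)
# Shares the "&pc=" token but lacks "/gate.php?hwid=", so neither rule fires.
BENIGN_REQUEST = (
    b"GET /index.php?page=1&pc=1 HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n\r\n"
)

if __name__ == "__main__":
    for name, req in (("checkin", CHECKIN_REQUEST),
                      ("steal", STEAL_REQUEST),
                      ("benign", BENIGN_REQUEST)):
        print(name, matching_sids(req))
```

The example covers only the http_uri content logic; a real deployment of these rules also applies the flow:established,to_server condition and the $HOME_NET to $EXTERNAL_NET direction, which limit the match to client-side requests leaving the monitored network.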