[Emerging-Sigs] SIG: ET TROJAN W32/Einstein CnC Communication

Kevin Ross kevross33 at googlemail.com
Tue Oct 11 16:33:02 EDT 2011


Sig for this. And for those interested, a ClamAV sig too, which looks for the
string http://%s:%d/%s.php?id=%06d%s&ext=%s in the executable.

Regards, Kevin

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Einstein CnC Communication"; flow:established,to_server; content:"POST"; http_method; content:".php?id="; http_uri; content:"&ext="; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D/U"; classtype:trojan-activity; reference:url,http://www.cyberesi.com/2011/10/06/trojan-matryoshka-and-trojan-einstein/; sid:1987911; rev:1;)

CLAMAV SIG: (save in a .ndb file and make sure there is no newline after it unless
another sig is underneath; you can use the -d option to point ClamAV to it, or
just put the file in /var/lib/clamav)
W32.Einstein:1:*:687474703a2f2f25733a25642f25732e7068703f69643d253036642573266578743d2573
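
As an added example (not part of Kevin's post or the Emerging Threats rule set), the script below shows what the two signatures actually test for: it decodes the .ndb line back into the format string it encodes and searches a constructed PE-like byte blob for it, and it re-implements the Snort rule's content/pcre conditions over a few constructed HTTP request lines. The byte blobs, request lines and function names are all assumptions made for this illustration; the emulation works on the raw request-line URI rather than Snort's normalized http_uri buffer, and the .ndb parser only handles a plain hex body signature like this one (no ?? or {n-m} wildcards).

```python
import re
from typing import List, Optional, Tuple

# The .ndb line from the post: MalwareName:TargetType:Offset:HexSignature.
# Target type 1 = PE executable, offset '*' = anywhere in the file.
NDB_LINE = ("W32.Einstein:1:*:"
            "687474703a2f2f25733a25642f25732e7068703f69643d253036642573266578743d2573")

# Constructed samples (not real malware): a PE-like blob carrying the CnC
# format string, and a benign blob without it.
FORMAT_STRING = b"http://%s:%d/%s.php?id=%06d%s&ext=%s"
SAMPLE_PE_LIKE = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 16
                  + FORMAT_STRING + b"\x00" * 8)
BENIGN_BLOB = b"MZ" + b"\x00" * 62 + b"hello world"


def parse_ndb(line: str) -> Tuple[str, int, str, bytes]:
    """Split an .ndb body-signature line into (name, target type, offset, pattern).

    Only a plain hex signature is decoded here; .ndb wildcards are not handled.
    """
    name, target, offset, hexsig = line.strip().split(":", 3)
    return name, int(target), offset, bytes.fromhex(hexsig)


def scan_bytes(data: bytes, line: str = NDB_LINE) -> Optional[str]:
    """Return the signature name if its decoded pattern occurs in data."""
    name, _target, offset, pattern = parse_ndb(line)
    if offset == "*":
        hit = pattern in data
    else:  # absolute offset form, e.g. "0"
        off = int(offset)
        hit = data[off:off + len(pattern)] == pattern
    return name if hit else None


# pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D/U" with the escapes written out:
# a slash, exactly five lowercase letters, ".php?id=".
SNORT_URI_PCRE = re.compile(r"/[a-z]{5}\.php\?id=")


def snort_rule_matches(request_line: str) -> bool:
    """Apply the rule's content/pcre conditions to one HTTP request line."""
    try:
        method, uri, _version = request_line.split(" ", 2)
    except ValueError:
        return False
    if method != "POST":                 # content:"POST"; http_method;
        return False
    if ".php?id=" not in uri:            # content:".php?id="; http_uri;
        return False
    if "&ext=" not in uri:               # content:"&ext="; http_uri;
        return False
    return SNORT_URI_PCRE.search(uri) is not None   # pcre:".../U"


# Constructed request lines illustrating each condition of the rule.
SAMPLE_REQUESTS = [
    "POST /abcde.php?id=000123abc&ext=exe HTTP/1.1",   # all conditions met
    "GET /abcde.php?id=000123abc&ext=exe HTTP/1.1",    # wrong method
    "POST /abcdef.php?id=000123abc&ext=exe HTTP/1.1",  # six letters: pcre misses
    "POST /index.php?id=42 HTTP/1.1",                  # no &ext= parameter
]


def triage_requests(lines: List[str]) -> List[str]:
    """Return the request lines the rule would alert on."""
    return [line for line in lines if snort_rule_matches(line)]


if __name__ == "__main__":
    print("ndb pattern decodes to:", parse_ndb(NDB_LINE)[3])
    print("PE-like blob:", scan_bytes(SAMPLE_PE_LIKE))
    print("benign blob:", scan_bytes(BENIGN_BLOB))
    for req in SAMPLE_REQUESTS:
        print(f"{snort_rule_matches(req)!s:5}  {req}")
```

Running it shows why the six-letter script name and the GET request do not fire: the pcre pins the script name to exactly five lowercase letters, and the http_method check is case-sensitive and exact, so a reviewer tuning the rule can see which condition each sample falls on.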