[Emerging-Sigs] Win32.Trojan-Dropper.Wlock Checkin Signature

Micah Kays micah.d.kays at gmail.com
Tue Oct 11 18:45:24 EDT 2011


Here is my second attempt at this signature.

Thanks - Micah Kays

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Dropper.Wlock Checkin"; \
flow:established,to_server; content:"POST"; http_method; \
content:"hardware_id="; http_uri; nocase; content:"&user_id="; http_uri; nocase; \
content:"&os_ver="; http_uri; nocase; content:"&os_sp="; http_uri; nocase; \
content:"&os_arch="; http_uri; nocase; classtype:trojan-activity; \
reference:url,http://www.threatexpert.com/report.aspx?md5=881e21645e5ffe1ffb959835f8fdf71d; \
sid:001; rev:2;)

On 10/11/11, Matthew Jonkman <jonkman at emergingthreatspro.com> wrote:
> I think we're going to get a lot of falses on ad server traffic.
>
> Check out that post with hardware_id= and os_ver= in it. That's more
> sigable!
>
> Matt
>
>
> On Oct 5, 2011, at 7:55 PM, Micah Kays wrote:
>
>> alert tcp $HOME_NET any -> any $HTTP_PORTS
>> (msg:"Win32.Trojan-Dropper.Wlock Checkin"; uricontent:".php?adv=";
>> uricontent:"&id="; uricontent:"&c="; nocase;
>> classtype:trojan-activity;
>> reference:url,http://www.threatexpert.com/report.aspx?md5=881e21645e5ffe1ffb959835f8fdf71d;
>> sid:2; rev:1;)
>
>
> ----------------------------------------------------
> Matt Jonkman
> Emerging Threats Pro
> Open Information Security Foundation (OISF)
> Phone 866-504-2523 x110
> http://www.emergingthreatspro.com
> http://www.openinfosecfoundation.org
> ----------------------------------------------------
>
>

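To see what the two rules in this thread actually match, the following is an added Python example (not from the thread or the ET ruleset) that applies each rule's content and nocase semantics to constructed request lines; the sample requests, hostnames and parameter values are made up. In Snort, nocase only modifies the content keyword immediately before it, which is why the first draft is case-sensitive on ".php?adv=" and "&id=" and the second draft leaves the POST method match case-sensitive.

```python
# Constructed sample requests for testing the rules; not real captures.
CHECKIN_REQUEST = (
    "POST /gate.php?hardware_id=ABC123&user_id=42&os_ver=6.1&os_sp=1&os_arch=x86 HTTP/1.1\r\n"
    "Host: c2.example.invalid\r\n"
    "Content-Length: 0\r\n\r\n"
)
AD_REQUEST = (
    "GET /serve.php?adv=777&id=9&c=1 HTTP/1.1\r\n"
    "Host: ads.example.invalid\r\n\r\n"
)

# (token, nocase) pairs, mirroring the order and modifiers of the posted rules.
FIRST_DRAFT_URI = ((".php?adv=", False), ("&id=", False), ("&c=", True))
SECOND_DRAFT_URI = tuple((tok, True) for tok in
                         ("hardware_id=", "&user_id=", "&os_ver=", "&os_sp=", "&os_arch="))


def parse_request_line(raw: str):
    """Return (method, uri) from the first line of a raw HTTP request."""
    first = raw.split("\r\n", 1)[0]
    parts = first.split(" ")
    if len(parts) < 3:
        raise ValueError("malformed request line")
    return parts[0], parts[1]


def uri_contains_all(uri: str, tokens) -> bool:
    """Emulate a chain of content/uricontent matches on the URI buffer."""
    for tok, nocase in tokens:
        if nocase:
            if tok.lower() not in uri.lower():
                return False
        elif tok not in uri:
            return False
    return True


def matches_first_draft(raw: str) -> bool:
    """uricontent rule from the first post: no method check, mixed case rules."""
    _, uri = parse_request_line(raw)
    return uri_contains_all(uri, FIRST_DRAFT_URI)


def matches_second_draft(raw: str) -> bool:
    """Revised rule: exact POST in http_method, five nocase tokens in http_uri."""
    method, uri = parse_request_line(raw)
    if method != "POST":  # http_method content has no nocase, so exact match
        return False
    return uri_contains_all(uri, SECOND_DRAFT_URI)
```

Running the ad-server style request through both functions shows the false positive Matt raised: the first draft fires on it, the revised rule does not.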
