[Emerging-Sigs] Win32.Trojan-Dropper.Wlock Checkin Signature

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 11 19:16:31 EDT 2011


Now we're talking! Nicely done.

Posting now!

Matt

On Oct 11, 2011, at 6:45 PM, Micah Kays wrote:

> Here is my second attempt at this signature.
> 
> Thanks - Micah Kays
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Win32.Dropper.Wlock Checkin"; flow:established,to_server;
> content:"POST"; http_method; content:"hardware_id="; http_uri; nocase;
> content:"&user_id="; http_uri; nocase; content:"&os_ver="; http_uri;
> nocase; content:"&os_sp="; http_uri; nocase; content:"&os_arch=";
> http_uri; nocase; classtype:trojan-activity;
> reference:url,http://www.threatexpert.com/report.aspx?md5=881e21645e5ffe1ffb959835f8fdf71d;
> sid:001; rev:2;)
> 
> On 10/11/11, Matthew Jonkman <jonkman at emergingthreatspro.com> wrote:
>> I think we're going to get a lot of falses on ad server traffic.
>> 
>> Check out that post with hardware_id= and os_ver= in it. That's more
>> sigable!
>> 
>> Matt
>> 
>> 
>> On Oct 5, 2011, at 7:55 PM, Micah Kays wrote:
>> 
>>> alert tcp $HOME_NET any -> any $HTTP_PORTS
>>> (msg:"Win32.Trojan-Dropper.Wlock Checkin"; uricontent:".php?adv=";
>>> uricontent:"&id="; uricontent:"&c="; nocase;
>>> classtype:trojan-activity;
>>> reference:url,http://www.threatexpert.com/report.aspx?md5=881e21645e5ffe1ffb959835f8fdf71d;
>>> sid:2; rev:1;)
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> 
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>> http://www.emergingthreatspro.com
>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>>> Current!
>> 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
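To make the false-positive discussion above concrete, here is an added example (not code from this list or from Emerging Threats, and not a Snort implementation) that mimics only the http_method / http_uri content checks of the two rule drafts and runs them over constructed requests. It assumes simplified matching: no HTTP normalisation, no flow tracking, and it models Snort's behaviour that `nocase` attaches only to the immediately preceding `content`, which is why the first draft's `.php?adv=` and `&id=` are case-sensitive and only `&c=` is not. The sample request lines are constructed, not captured traffic.

```python
"""Toy re-implementation of the URI checks in the two Wlock rule drafts.
Added example: not Emerging Threats code and not a Snort engine; it only
reproduces why draft 1 fires on ad-server-style URIs and draft 2 does not."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class UriRule:
    name: str
    # (pattern, nocase) pairs, in the order the rule lists them
    uri_tokens: List[Tuple[str, bool]]
    method: Optional[str] = None  # None = any method, as in the first draft


# Draft 1 from the thread: only "&c=" carries nocase.
RULE_V1 = UriRule(
    "Win32.Trojan-Dropper.Wlock Checkin (rev 1)",
    [(".php?adv=", False), ("&id=", False), ("&c=", True)],
)

# Draft 2 from the thread: POST required, every key matched case-insensitively.
RULE_V2 = UriRule(
    "ET TROJAN Win32.Dropper.Wlock Checkin (rev 2)",
    [("hardware_id=", True), ("&user_id=", True), ("&os_ver=", True),
     ("&os_sp=", True), ("&os_arch=", True)],
    method="POST",
)


def parse_request_line(raw: bytes) -> Tuple[str, str]:
    """Return (method, uri) from the first line of a raw HTTP request."""
    first = raw.split(b"\r\n", 1)[0].decode("latin-1")
    parts = first.split(" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[0], parts[1]


def rule_matches(rule: UriRule, raw: bytes) -> bool:
    """True when the method constraint and every URI token are satisfied."""
    method, uri = parse_request_line(raw)
    if rule.method is not None and method != rule.method:
        return False
    for pattern, nocase in rule.uri_tokens:
        hay, needle = (uri.lower(), pattern.lower()) if nocase else (uri, pattern)
        if needle not in hay:
            return False
    return True


# Constructed sample requests (hostnames and values are placeholders).
CHECKIN = (b"POST /gate.php?hardware_id=ABC123&user_id=42&os_ver=6.1"
           b"&os_sp=1&os_arch=x86 HTTP/1.1\r\nHost: c2.example.invalid\r\n\r\n")
AD_LIKE = (b"GET /ads.php?adv=9001&id=77&c=US HTTP/1.1\r\n"
           b"Host: ads.example.invalid\r\n\r\n")
BENIGN_POST = b"POST /login.php HTTP/1.1\r\nHost: www.example.invalid\r\n\r\n"

SAMPLES = [("checkin", CHECKIN), ("ad_like", AD_LIKE), ("benign", BENIGN_POST)]


def evaluate(rules: List[UriRule], samples) -> Dict[str, List[str]]:
    """Return {rule name: [labels of samples on which the rule fires]}."""
    return {
        rule.name: [label for label, raw in samples if rule_matches(rule, raw)]
        for rule in rules
    }


if __name__ == "__main__":
    for name, fired in evaluate([RULE_V1, RULE_V2], SAMPLES).items():
        print(f"{name}: fires on {fired or 'nothing'}")
```

Running it shows draft 1 firing on the ad-style GET and missing the checkin POST, while draft 2 fires only on the checkin; the three-key match of draft 1 is exactly the pattern a generic ad tracker URI can satisfy.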
