[Emerging-Sigs] SIG: ET TROJAN W32/Einstein CnC Communication

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 11 19:31:22 EDT 2011

Posting, thanks Kevin!


On Oct 11, 2011, at 4:33 PM, Kevin Ross wrote:

> Sig for this. And for those interested, a ClamAV sig too, which looks for the string http://%s:%d/%s.php?id=%06d%s&ext=%s in the executable.
> Regards, Kevin
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Einstein CnC Communication"; flow:established,to_server; content:"POST"; http_method; content:".php?id="; http_uri; content:"&ext="; http_uri; pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D/U"; classtype:trojan-activity; reference:url,http://www.cyberesi.com/2011/10/06/trojan-matryoshka-and-trojan-einstein/; sid:1987911; rev:1;)
> CLAMAV SIG: (save in a .ndb file and make sure there is no newline after it unless another sig is underneath; you can use the -d option to point clamav to it, or just put the file in /var/lib/clamav)
> W32.Einstein:1:*:687474703a2f2f25733a25642f25732e7068703f69643d253036642573266578743d2573
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
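To show what the two signatures in Kevin's post actually match, here is an added example (not part of the list post or of any Emerging Threats or ClamAV code). It decodes the .ndb line back into the format string it encodes and replays the Snort rule's match conditions (POST method, ".php?id=" and "&ext=" in the URI, plus the pcre on the path) over a few constructed HTTP request lines. The request lines and the fake executable bytes are constructed for the example; the .ndb parsing handles only the "*" and fixed-integer offset forms, which is a simplification of the real format.

```python
import re

# The ClamAV signature exactly as posted, in .ndb form: Name:TargetType:Offset:HexPattern
# TargetType 1 means "PE executable", offset "*" means "anywhere in the file".
NDB_SIG = ("W32.Einstein:1:*:"
           "687474703a2f2f25733a25642f25732e7068703f69643d253036642573266578743d2573")


def parse_ndb(line):
    """Split one .ndb line into its fields and decode the hex pattern to bytes.

    Only the '*' (any offset) and plain integer offset forms are handled here;
    this is a simplification of ClamAV's full offset syntax (assumption).
    """
    name, target, offset, hexpat = line.strip().split(":", 3)
    return {
        "name": name,
        "target_type": int(target),
        "offset": None if offset == "*" else int(offset),
        "pattern": bytes.fromhex(hexpat),
    }


def ndb_matches(blob, sig):
    """Return True if the decoded pattern occurs in blob at the signature's offset."""
    pat = sig["pattern"]
    if sig["offset"] is None:
        return pat in blob
    return blob[sig["offset"]:sig["offset"] + len(pat)] == pat


# Snort rule conditions from the post, mirrored in Python.
# pcre:"/\x2F[a-z]{5}\x2Ephp\x3Fid\x3D/U" decodes to: a slash, exactly five lowercase
# letters, ".php?id=" (the /U flag restricts it to the normalized URI buffer).
URI_PCRE = re.compile(r"/[a-z]{5}\.php\?id=")


def einstein_rule_matches(request_line):
    """Apply the rule's content and pcre checks to one HTTP request line.

    Constructed input only: 'METHOD URI HTTP/1.x'. Returns True when every
    condition the Snort rule expresses on the method and URI buffers holds.
    """
    parts = request_line.split(" ")
    if len(parts) < 2:
        return False
    method, uri = parts[0], parts[1]
    return (method == "POST"                    # content:"POST"; http_method
            and ".php?id=" in uri               # content:".php?id="; http_uri
            and "&ext=" in uri                  # content:"&ext="; http_uri
            and URI_PCRE.search(uri) is not None)


def decoded_format_string():
    """The C format string the .ndb hex encodes, as bytes."""
    return parse_ndb(NDB_SIG)["pattern"]


def sample_results():
    """Run both checks on constructed samples; returns a dict of outcomes."""
    sig = parse_ndb(NDB_SIG)
    # Constructed stand-in for a PE file body containing the format string.
    fake_pe = b"MZ\x90\x00" + b"\x00" * 64 + sig["pattern"] + b"\x00" * 16
    benign = b"MZ\x90\x00" + b"GET /index.html HTTP/1.1"
    requests = {
        "beacon":        "POST /abcde.php?id=000123abc&ext=txt HTTP/1.1",
        "get_not_post":  "GET /abcde.php?id=000123abc&ext=txt HTTP/1.1",
        "six_letters":   "POST /abcdef.php?id=000123abc&ext=txt HTTP/1.1",
        "missing_ext":   "POST /abcde.php?id=000123abc HTTP/1.1",
    }
    return {
        "ndb_fake_pe": ndb_matches(fake_pe, sig),
        "ndb_benign": ndb_matches(benign, sig),
        **{k: einstein_rule_matches(v) for k, v in requests.items()},
    }


if __name__ == "__main__":
    print(decoded_format_string())
    for name, hit in sample_results().items():
        print(f"{name:14s} -> {'MATCH' if hit else 'no match'}")
```

Worth noting from the samples: the pcre is what pins the path to exactly five lowercase letters, so a six-letter script name fails the rule even though both plain content matches succeed; when tuning, that is the condition to loosen or tighten.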

