[Emerging-Sigs] ET TROJAN Win32.Injector.gen!BB Signature

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Oct 13 18:03:39 EDT 2011

Hi Micah, we have this one covered in:


It'll also, on subsequent hits, turn to using 2 different user-agents which are also sig'd.



On Oct 11, 2011, at 1:01 PM, Micah Kays wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Win32.Injector.gen!BB"; flow:established,to_server; content:"GET";
> http_method; content:".php?"; http_uri; nocase; content:"file=";
> http_uri; nocase; content:"&luck="; http_uri; nocase;
> classtype:trojan-activity;
> reference:url,http://www.threatexpert.com/report.aspx?md5=4d02b099399b339fad19ae2081a24e45;
> sid:001; rev:1;)
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
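The following is an added example, not code from the original post or from Emerging Threats: a small Python emulation of the proposed rule's matching logic, useful for checking what the three `http_uri` content matches (`.php?`, `file=`, `&luck=`, all `nocase`) plus the `GET` method constraint will and will not fire on before the rule goes into a ruleset. The sample request lines are constructed for the example, and the function names (`parse_request_line`, `rule_matches`, `matching_requests`) are the example's own. It treats the raw request-target as the URI buffer and, as in Snort, treats content matches without `distance`/`within` as unordered: each pattern only has to appear somewhere in the URI.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample request lines (not taken from the original post).
SAMPLE_REQUESTS = [
    "GET /gate/index.php?file=update.bin&luck=7 HTTP/1.1",     # should match
    "GET /Gate/Index.PHP?FILE=x&LUCK=1 HTTP/1.1",              # nocase: still matches
    "POST /gate/index.php?file=update.bin&luck=7 HTTP/1.1",    # wrong method
    "GET /gate/index.php?file=update.bin HTTP/1.1",            # no &luck=
    "GET /static/app.js?file=a&luck=b HTTP/1.1",               # no .php?
]

# Minimal HTTP/1.x request-line parser: "<METHOD> <request-target> HTTP/x.y".
REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d$")

# The rule's http_uri content options; all three carry nocase.
URI_PATTERNS = (".php?", "file=", "&luck=")


def parse_request_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (method, uri) for a well-formed request line, else None."""
    m = REQUEST_LINE.match(line.strip())
    if m is None:
        return None
    return m.group("method"), m.group("uri")


def rule_matches(line: str) -> bool:
    """Emulate: content:"GET"; http_method; plus three nocase http_uri contents."""
    parsed = parse_request_line(line)
    if parsed is None:
        return False
    method, uri = parsed
    # content:"GET"; http_method; has no nocase, so the method match is exact.
    if method != "GET":
        return False
    # nocase on every http_uri content: compare against a lower-cased URI.
    # Without distance/within the matches are unordered, so `all(...)` is the
    # right model rather than a single ordered substring search.
    uri_lc = uri.lower()
    return all(p in uri_lc for p in URI_PATTERNS)


def matching_requests(lines: List[str]) -> List[str]:
    """Filter a list of request lines down to those the rule would alert on."""
    return [line for line in lines if rule_matches(line)]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print("ALERT " if rule_matches(line) else "pass  ", line)
```

Running it against the constructed lines shows the two `.php?...file=...&luck=` GET requests firing (including the mixed-case one) and the POST, the request missing `&luck=`, and the non-PHP path all passing, which is a quick way to confirm a proposed rule's content set is neither broader nor narrower than intended.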
