[Emerging-Sigs] W32.Duqu

Christopher Granger chrisgrangerx at gmail.com
Wed Oct 19 17:08:55 EDT 2011


Hi Emerging Threats,

What do you think about this to detect Duqu's UA?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"W32.Duqu User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)|0D 0A|"; http_header; fast_pattern:only; reference:url,http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:XXXXXXX; rev:1;)

Thank you,
-Chris
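As an added illustration (not part of the original post and not Emerging Threats code), the following Python mirrors what the rule's content match does: it decodes the Snort-style `|hex|` escapes into the raw User-Agent header line, restricts the search to the HTTP header block as `http_header` does, and requires the trailing CRLF so that only the exact string matches. The request samples and the helper names (`decode_pipe_escapes`, `matches_duqu_ua`) are constructed for this example.

```python
"""Toy re-implementation of the W32.Duqu User-Agent content match.

Constructed example: it mimics the rule's semantics so a defender can see
exactly which requests would and would not fire, not production IDS code.
"""

# Content string exactly as written in the rule (|3A| = ':', |3B| = ';',
# |0D 0A| = CRLF).  No "nocase" is set, so the match is case-sensitive.
RULE_CONTENT = (
    "User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.0|3B| "
    "en-US|3B| rv|3A|1.9.2.9) Gecko/20100824 Firefox/3.6.9 "
    "(.NET CLR 3.5.30729)|0D 0A|"
)


def decode_pipe_escapes(pattern: str) -> bytes:
    """Turn a Snort/Suricata content string with |hex| sections into bytes."""
    out = bytearray()
    # Even-numbered chunks are literal text, odd-numbered chunks are hex.
    for i, part in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")
        else:
            out += bytes.fromhex(part)  # fromhex tolerates the spaces in "0D 0A"
    return bytes(out)


def http_header_block(request: bytes) -> bytes:
    """Return only the header block (through the blank line), like http_header.

    Anything after the headers (the body) is deliberately excluded.
    """
    end = request.find(b"\r\n\r\n")
    return request if end < 0 else request[: end + 4]


def matches_duqu_ua(request: bytes) -> bool:
    """True when the raw request's header block contains the exact UA line."""
    needle = decode_pipe_escapes(RULE_CONTENT)
    return needle in http_header_block(request)


# Constructed sample requests (not real captures).
DUQU_UA = (
    "Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.9) "
    "Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"
)

SAMPLES = {
    # exact UA string in the header block: fires
    "exact": (
        "GET / HTTP/1.1\r\nHost: example.invalid\r\n"
        f"User-Agent: {DUQU_UA}\r\n\r\n"
    ).encode(),
    # a different Firefox build: does not fire
    "other_firefox": (
        "GET / HTTP/1.1\r\nHost: example.invalid\r\n"
        "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.9) "
        "Gecko/20100824 Firefox/3.6.9\r\n\r\n"
    ).encode(),
    # same UA with something appended: the |0D 0A| terminator blocks the match
    "appended": (
        "GET / HTTP/1.1\r\nHost: example.invalid\r\n"
        f"User-Agent: {DUQU_UA} extra\r\n\r\n"
    ).encode(),
    # UA text only in the POST body: http_header scope excludes it
    "in_body": (
        "POST / HTTP/1.1\r\nHost: example.invalid\r\n"
        "User-Agent: curl/7.19.7\r\nContent-Length: 0\r\n\r\n"
        f"User-Agent: {DUQU_UA}\r\n"
    ).encode(),
}


def evaluate_samples() -> dict:
    """Run the matcher over every constructed sample."""
    return {name: matches_duqu_ua(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:14s} -> {'ALERT' if hit else 'no match'}")
```

Because the rule anchors on the full header line including its CRLF, any client that sends exactly this Firefox 3.6.9 string will match too; the rule therefore identifies a hard-coded string rather than the malware itself, and hits are worth correlating with the host and destination before acting on them.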