[Emerging-Sigs] Win32.PEx.Delphi.1151005043 Post-infection Checkin and Win32/FakeSysdef Checkin Signatures

Matthew Jonkman jonkman at emergingthreatspro.com
Mon Oct 24 11:26:48 EDT 2011


The first one we have covered in 2010382, general FakeAV get. But the second we need to add!

Thanks Micah!

Matt


On Oct 23, 2011, at 9:25 PM, Micah Kays wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Win32.PEx.Delphi.1151005043 Post-infection Checkin";
> flow:established,to_server; content:"GET"; http_method;
> content:"/boot.php?ptr="; nocase; http_uri;
> reference:url,http://www.threatexpert.com/report.aspx?md5=b58485c9a221e8bd5b4725e7e19988b0;
> classtype:trojan-activity;
> reference:url,http://threatcenter.crdf.fr/?More&ID=49992&D=CRDF.Malware.Win32.PEx.Delphi.1151005043;
> sid:021; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Win32/FakeSysdef Checkin"; flow:established,to_server; content:"GET";
> http_method; content:"/404.php?type="; nocase; http_uri;
> content:"&affid="; nocase; http_uri; content:"&subid="; nocase;
> http_uri; content:"&awok"; nocase; http_uri;
> reference:url,http://www.threatexpert.com/report.aspx?md5=87f6402164d2cc373822ce47f02b7ffe;
> reference:url,http://www.virustotal.com/file-scan/report.html?id=6ee20d732f157e5a8c5b1c6ec3d719d47cdef0d4ba15daf24b4e75e847007aa8-1319341576;
> classtype:trojan-activity; sid:031; rev:1;)


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
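For readers checking what the second rule will and will not fire on, here is an added toy evaluator (my own illustration, not Emerging Threats or Snort code) that parses the content/nocase/http_method/http_uri options of the FakeSysdef rule as posted above and applies them to constructed HTTP request lines; flow, references, classtype and sid are ignored, and the request lines are made up for the example.

```python
"""Toy Snort content matcher for the FakeSysdef rule above (added example,
not Emerging Threats or Snort code). Handles only content, nocase,
http_method and http_uri; other options in the rule are skipped."""
from typing import List, NamedTuple

class Content(NamedTuple):
    pattern: str
    buffer: str     # "method", "uri" or "payload" (no http_* modifier)
    nocase: bool

# Rule text as posted on the list (references omitted; they do not affect matching).
FAKESYSDEF_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN '
    'Win32/FakeSysdef Checkin"; flow:established,to_server; content:"GET"; '
    'http_method; content:"/404.php?type="; nocase; http_uri; '
    'content:"&affid="; nocase; http_uri; content:"&subid="; nocase; '
    'http_uri; content:"&awok"; nocase; http_uri; classtype:trojan-activity; '
    'sid:031; rev:1;)'
)

def parse_contents(rule: str) -> List[Content]:
    """Collect each content:"..." with the modifiers that follow it (Snort
    applies nocase/http_* to the immediately preceding content)."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    opts = [o.strip() for o in body.split(";") if o.strip()]
    contents: List[Content] = []
    for opt in opts:
        if opt.startswith('content:"'):
            contents.append(Content(opt[len('content:"'):-1], "payload", False))
        elif contents and opt == "nocase":
            contents[-1] = contents[-1]._replace(nocase=True)
        elif contents and opt in ("http_method", "http_uri"):
            contents[-1] = contents[-1]._replace(buffer=opt[len("http_"):])
    return contents

def matches(rule: str, request_line: str) -> bool:
    """True when every content in the rule is found in its buffer."""
    parts = request_line.split(" ")
    method, uri = parts[0], parts[1] if len(parts) > 1 else ""
    buffers = {"method": method, "uri": uri, "payload": request_line}
    for c in parse_contents(rule):
        hay, needle = buffers[c.buffer], c.pattern
        if c.nocase:
            hay, needle = hay.lower(), needle.lower()
        if needle not in hay:
            return False
    return True

# Constructed request lines (not real captures) for demonstration.
SAMPLE_HIT = "GET /404.php?type=stats&affid=123&subid=45&awok HTTP/1.1"
SAMPLE_CASE = "GET /404.PHP?TYPE=stats&AFFID=123&SUBID=45&AWOK HTTP/1.1"
SAMPLE_MISS = "GET /404.php?type=stats&affid=123 HTTP/1.1"  # no subid/awok
SAMPLE_POST = "POST /404.php?type=stats&affid=123&subid=45&awok HTTP/1.1"
```

Note that the "GET" content carries no nocase, so a lower-case method would not match, while the URI contents match regardless of case.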
