[Emerging-Sigs] PROPOSED SIG: ET TROJAN W32/DirtJumper DDOS Bot Checkin

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 25 16:21:03 EDT 2011

I'll adjust 2013439 to fit this. We were matching on the uri, but that's no longer hardcoded…

Thanks Kevin! Great writeups there!


On Oct 24, 2011, at 6:51 PM, Kevin Ross wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/DirtJumper DDOS Bot Checkin"; flow:established,to_server; content:"POST"; http_method; content:"HTTP/1.0"; http_header; content:"k="; http_client_body; depth:2; pcre:"/k\x3D[0-9]{6}/"; classtype:trojan-activity; reference:url,www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html; reference:url,http://asert.arbornetworks.com/2011/08/dirt-jumper-caught/; sid:144991; rev:1;)
> For current version. 
> Regards, Kevin

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110

More information about the Emerging-sigs mailing list