[Emerging-Sigs] Cycbot POST

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 25 16:27:35 EDT 2011


Thanks sir! Pedro is posting!

Matt


On Oct 24, 2011, at 5:23 PM, Packet Hack wrote:

> Seeing this:
> 
>  POST /gate.php HTTP/1.1
>  Host: ourdatatransfers.com
>  Content-Length: 190
>  Connection: close
>  Content-Type: application/octet-stream
>  Content-Encoding: binary
>  User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
> 
>  FILE0^@D0<A8>qщSP
> 
> Similar traffic here:
> 
>  http://www.threatexpert.com/report.aspx?md5=1f04bd1b4eceb42e6d5859b6330fc7d7
>  http://www.threatexpert.com/report.aspx?md5=9bbb79f6f11aa292af303e7636c5b6fa
> 
> Sophos associates the above domain in the Host: header with
> Cycbot:
> 
>  http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cycbot-O/detailed-analysis.aspx
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cycbot POST";
> flow:established,to_server; content:"POST"; http_method;
> content:"FILE0|00 44 30 A8 71 D1 89 53 50|"; http_client_body;
> reference:url,www.threatexpert.com/report.aspx?md5=1f04bd1b4eceb42e6d5859b6330fc7d7;
> reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Cycbot-O/detailed-analysis.aspx;
> sid:9100560; rev:1;)
> 
> -- pckthck
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
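As an added example (not code from the post, from pckthck, or from the ET ruleset), the following Python replays the two conditions of the posted rule offline: the method must be POST (http_method) and the pattern FILE0|00 44 30 A8 71 D1 89 53 50| must appear in the request body (http_client_body), not in the headers. The request bytes are constructed from the headers quoted above; only the first 14 bytes of the body are visible in the post, so the rest is zero filler to reach the quoted Content-Length of 190. The small Snort content-string parser and the sample names are illustrative helpers, not anything Snort or Suricata ships.

```python
"""Offline replay of the posted 'ET TROJAN Cycbot POST' rule logic (added example)."""
import re

# Content option copied from the posted rule; |..| brackets hex bytes in Snort syntax.
RULE_CONTENT = "FILE0|00 44 30 A8 71 D1 89 53 50|"


def snort_content_to_bytes(content: str) -> bytes:
    """Turn a Snort/Suricata content string into the raw bytes it matches.

    Text outside |...| is literal; inside, whitespace-separated hex pairs.
    """
    parts = content.split("|")
    if len(parts) % 2 == 0:
        raise ValueError("unbalanced '|' in content string")
    out = bytearray()
    for i, part in enumerate(parts):
        if i % 2 == 0:
            out += part.encode("latin-1")  # literal text
            continue
        for hx in part.split():
            if not re.fullmatch(r"[0-9A-Fa-f]{2}", hx):
                raise ValueError(f"bad hex byte {hx!r}")
            out.append(int(hx, 16))
    return bytes(out)


CYCBOT_PATTERN = snort_content_to_bytes(RULE_CONTENT)


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no end-of-headers marker")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers, body


def matches_cycbot_post(raw: bytes) -> bool:
    """Apply the rule's two content checks: http_method is POST and the
    http_client_body buffer (body only, never the headers) contains the pattern."""
    method, _uri, _headers, body = parse_http_request(raw)
    if method != b"POST":
        return False
    return CYCBOT_PATTERN in body


def build_request(body: bytes, method: bytes = b"POST",
                  user_agent: bytes = b"Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)") -> bytes:
    """Constructed request using the headers quoted in the post (sample data, not a capture)."""
    return (
        method + b" /gate.php HTTP/1.1\r\n"
        b"Host: ourdatatransfers.com\r\n"
        b"Content-Length: " + str(len(body)).encode() + b"\r\n"
        b"Connection: close\r\n"
        b"Content-Type: application/octet-stream\r\n"
        b"Content-Encoding: binary\r\n"
        b"User-Agent: " + user_agent + b"\r\n"
        b"\r\n" + body
    )


# Constructed body: the 14 bytes shown in the post (FILE0^@D0<A8>qщSP, where 'щ' is
# UTF-8 D1 89), padded with zero filler to the quoted Content-Length of 190.
SEEN_PREFIX = b"FILE0\x00D0\xa8q\xd1\x89SP"
SAMPLE_BODY = SEEN_PREFIX + b"\x00" * (190 - len(SEEN_PREFIX))

SAMPLES = {
    "post_with_pattern": build_request(SAMPLE_BODY),                 # should alert
    "get_with_pattern": build_request(SAMPLE_BODY, method=b"GET"),   # http_method check fails
    "post_other_body": build_request(b"FILE0\x00" + b"A" * 184),     # bytes after FILE0 differ
    "pattern_only_in_header": build_request(b"\x00" * 190,           # http_client_body excludes headers
                                            user_agent=SEEN_PREFIX),
}


def run_samples() -> dict:
    """Evaluate every constructed sample; returns {name: matched}."""
    return {name: matches_cycbot_post(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    print("pattern bytes:", CYCBOT_PATTERN.hex(" "))
    for name, hit in run_samples().items():
        print(f"{name:24s} {'ALERT' if hit else '-'}")
```

Only the first sample fires; the header-only sample shows why the http_client_body modifier matters, since a plain content match without it would also hit on bytes placed in a header. The nine bytes after FILE0 are taken verbatim from the posted rule; whether they are constant across Cycbot samples is not something this post establishes, so any tuning of the pattern length should be checked against more captures.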


