harry.tuttle at zoho.com
Fri Oct 28 12:24:26 EDT 2011
What does this check-in look like, exactly?
I'm getting hits to casalemedia.com, but I don't think it's a C&C.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Silentbanker/Yaludle Checkin to C&C"; flow:to_server,established; content:"GET"; depth:3; http_method; content:".php?id="; nocase; http_uri; content:"&c="; nocase; content:"&v="; nocase; content:"&b="; nocase; content:"&z="; nocase; reference:url,doc.emergingthreats.net/2009542; classtype:trojan-activity; sid:2009542; rev:4;)
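One way to see why unrelated traffic can hit this signature, as an added example that is not part of the original post and is not Snort's own matching code. The sketch approximates the rule's content options in Python: only `.php?id=` is bound to the URI, while the other four strings carry no `http_uri`, `distance` or `within`, so they may appear anywhere in the request and in any order. The sample requests, hostnames and helper names are constructed, and URI normalization is ignored.

```python
# Approximation of the content matches in sid:2009542 (assumption: raw URI
# stands in for Snort's normalized http_uri buffer).
PARAM_TOKENS = (b"&c=", b"&v=", b"&b=", b"&z=")

def parse_request(raw: bytes):
    """Return (method, uri) from the request line of a raw HTTP request."""
    request_line = raw.split(b"\r\n", 1)[0]
    method, uri, _version = request_line.split(b" ", 2)
    return method, uri

def rule_matches(raw: bytes) -> bool:
    method, uri = parse_request(raw)
    # content:"GET"; depth:3; http_method;  (case-sensitive, method buffer)
    if method[:3] != b"GET":
        return False
    # content:".php?id="; nocase; http_uri;  (the only URI-bound match)
    if b".php?id=" not in uri.lower():
        return False
    # The remaining contents are nocase with no buffer or position modifier:
    # each may match anywhere in the payload, independent of order.
    payload = raw.lower()
    return all(tok in payload for tok in PARAM_TOKENS)

def tokens_outside_uri(raw: bytes):
    """Triage helper: tokens present in the request but not in the URI."""
    _method, uri = parse_request(raw)
    return [t for t in PARAM_TOKENS if t in raw.lower() and t not in uri.lower()]

# Constructed sample requests (not captured traffic).
ORDERED = b"GET /gate.php?id=1&c=2&v=3&b=4&z=5 HTTP/1.1\r\nHost: example.test\r\n\r\n"
SHUFFLED = b"GET /ad.php?id=9&z=1&b=2&x=0&v=3&c=4 HTTP/1.1\r\nHost: ads.example.test\r\n\r\n"
HEADER_ONLY = (b"GET /view.php?id=1 HTTP/1.1\r\nHost: example.test\r\n"
               b"Referer: http://example.test/p?a=1&c=2&v=3&b=4&z=5\r\n\r\n")
POST = b"POST /gate.php?id=1&c=2&v=3&b=4&z=5 HTTP/1.1\r\nHost: example.test\r\n\r\n"
MISSING = b"GET /x.php?id=1&c=2&v=3 HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name in ("ORDERED", "SHUFFLED", "HEADER_ONLY", "POST", "MISSING"):
        req = globals()[name]
        print(name, rule_matches(req), tokens_outside_uri(req))
```

A hit where `tokens_outside_uri` is non-empty, or where the parameters appear in a different order, shows how loosely the four unanchored contents constrain the request.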