[Emerging-Sigs] Silentbanker

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 28 13:31:17 EDT 2011

That's a false positive for sure. Looking through the db we don't have any hits in recent history on this so it's likely due to be retired. 

I'll do so in today's update. Thanks, Harry.


On Oct 28, 2011, at 12:24 PM, harry.tuttle wrote:

> What does this check-in look like, exactly?
> I'm getting hits to casalemedia.com, but I don't think it's a C&C.
> Thanks,
> Harry
> For reference:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Silentbanker/Yaludle Checkin to C&C"; flow:to_server,established; content:"GET"; depth:3; http_method; content:".php?id="; nocase; http_uri; content:"&c="; nocase; content:"&v="; nocase; content:"&b="; nocase; content:"&z="; nocase; reference:url,doc.emergingthreats.net/2009542; classtype:trojan-activity; sid:2009542; rev:4;)

Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
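
Added example, not part of the original thread or of the Emerging Threats ruleset: a simplified Python emulation of the content matches in the quoted sid:2009542, showing why ordinary web requests can trigger it. The sample requests and host names are constructed, and the `uri_only` switch is a hypothetical illustration of what an `http_uri` modifier on every content would change, not a Snort option.

```python
# Simplified emulation of the content matches in sid:2009542 as quoted above.
# Not Snort's engine: no stream reassembly and no URI normalization.

RAW_KEYS = ["&c=", "&v=", "&b=", "&z="]  # these contents carry no http_uri modifier


def parse_request(raw: bytes):
    """Return (method, uri) from the request line of a raw HTTP request."""
    request_line = raw.split(b"\r\n", 1)[0].decode("latin-1")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri


def rule_matches(raw: bytes, uri_only: bool = False) -> bool:
    method, uri = parse_request(raw)
    # content:"GET"; depth:3; http_method;  (case-sensitive, first 3 bytes)
    if method[:3] != "GET":
        return False
    # content:".php?id="; nocase; http_uri;
    if ".php?id=" not in uri.lower():
        return False
    # Remaining contents are nocase with no buffer modifier and no
    # distance/within, so each can sit anywhere in the payload, in any order.
    # uri_only=True (hypothetical) restricts them to the URI for comparison.
    haystack = (uri if uri_only else raw.decode("latin-1")).lower()
    return all(key in haystack for key in RAW_KEYS)


# Constructed sample requests (not captured traffic).
AD_REQUEST = (b"GET /serve.php?id=1234&z=0&b=2&v=8&c=5 HTTP/1.1\r\n"
              b"Host: ads.example\r\n\r\n")
REFERER_ONLY = (b"GET /track.php?id=77 HTTP/1.1\r\n"
                b"Host: ads.example\r\n"
                b"Referer: http://news.example/story?a=1&c=2&v=3&b=4&z=5\r\n\r\n")
POST_REQUEST = (b"POST /gate.php?id=1&c=1&v=1&b=1&z=1 HTTP/1.1\r\n"
                b"Host: x.example\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("ad request", AD_REQUEST),
                      ("referer only", REFERER_ONLY),
                      ("post", POST_REQUEST)]:
        print(f"{name:13} raw={rule_matches(req)} "
              f"uri_only={rule_matches(req, uri_only=True)}")
```

The second sample alerts only because the four short parameter strings appear in the Referer header, which the unmodified contents are free to match.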
