[Emerging-Sigs] Silentbanker

Matthew Jonkman jonkman at emergingthreatspro.com
Fri Oct 28 13:31:17 EDT 2011


That's a false positive for sure. Looking through the db, we don't have any hits in recent history on this, so it's likely due to be retired.

I'll do so in today's update. Thanks, Harry.

Matt


On Oct 28, 2011, at 12:24 PM, harry.tuttle wrote:

> What does this check-in look like, exactly?
> 
> I'm getting hits to casalemedia.com, but I don't think it's a C&C.
> 
> Thanks,
> Harry
> 
> For reference:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Silentbanker/Yaludle Checkin to C&C"; flow:to_server,established; content:"GET"; depth:3; http_method; content:".php?id="; nocase; http_uri; content:"&c="; nocase; content:"&v="; nocase; content:"&b="; nocase; content:"&z="; nocase; reference:url,doc.emergingthreats.net/2009542; classtype:trojan-activity; sid:2009542; rev:4;)


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
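
Added example, not part of the original thread or the ET ruleset: a simplified Python emulation of the content options in the quoted rule (sid:2009542), run against constructed requests. It shows why the rule is loose: only `.php?id=` is tied to the URI, while the four parameter markers carry no `http_uri`, `distance` or `within`, so they may appear anywhere in the payload in any order. Hosts and requests are constructed samples; URI normalization and flow state are not modelled.

```python
# Added illustration: simplified emulation of the content options in sid:2009542.
# Assumption: no URI normalization, stream reassembly or flow tracking is modelled.

URI_CONTENT = b".php?id="                        # content:".php?id="; nocase; http_uri;
RAW_CONTENTS = [b"&c=", b"&v=", b"&b=", b"&z="]  # nocase, no http_uri, no distance/within


def parse_request(raw: bytes):
    """Return (method, uri) from the request line, or (b"", b"") if malformed."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) < 3:
        return b"", b""
    return parts[0], parts[1]


def rule_matches(raw: bytes) -> bool:
    method, uri = parse_request(raw)
    # content:"GET"; depth:3; http_method;  (case-sensitive, first 3 bytes of the method)
    if not method.startswith(b"GET"):
        return False
    # The only content bound to the URI buffer.
    if URI_CONTENT not in uri.lower():
        return False
    # The remaining contents are searched over the whole payload, in any order.
    payload = raw.lower()
    return all(c in payload for c in RAW_CONTENTS)


# Constructed samples (example hosts, not captured traffic).
AD_STYLE = (b"GET /serve.php?id=1234&z=300x250&b=2&v=5.1&c=us&r=0.123 HTTP/1.1\r\n"
            b"Host: ads.example.com\r\n\r\n")
REFERER_ONLY = (b"GET /page.php?id=7 HTTP/1.1\r\nHost: www.example.com\r\n"
                b"Referer: http://shop.example.net/list?a=1&c=2&v=3&b=4&z=5\r\n\r\n")
MISSING_Z = (b"GET /serve.php?id=1&c=2&v=3&b=4 HTTP/1.1\r\n"
             b"Host: ads.example.com\r\n\r\n")
POST_REQ = (b"POST /serve.php?id=1&c=2&v=3&b=4&z=5 HTTP/1.1\r\n"
            b"Host: ads.example.com\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("ad-style", AD_STYLE), ("referer-only", REFERER_ONLY),
                      ("missing-z", MISSING_Z), ("post", POST_REQ)]:
        print(f"{name:13s} match={rule_matches(req)}")
```
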


