wkitty42 at windstream.net
Sat Oct 29 23:15:56 EDT 2011
On 10/28/2011 12:24, harry.tuttle wrote:
> What does this check-in look like, exactly?
> I'm getting hits to casalemedia.com, but I don't think it's a C&C.
why? casalemedia is evil and has been for years... not evil as in real "evil"
stuff but "evil" in a tracking sense plus... they've been blocked here since
eternity started ;) :P
> For reference:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Silentbanker/Yaludle Checkin to C&C"; flow:to_server,established; content:"GET"; depth:3; http_method; content:".php?id="; nocase; http_uri; content:"&c="; nocase; content:"&v="; nocase; content:"&b="; nocase; content:"&z="; nocase; reference:url,doc.emergingthreats.net/2009542; classtype:trojan-activity; sid:2009542; rev:4;)
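
Added example, not part of the thread and not Emerging Threats code: a Python approximation of the content checks in the quoted sid:2009542 rule, showing which kinds of requests satisfy it. It assumes Snort 2.x content semantics, ignores URI normalization, and every sample request and hostname is constructed.

```python
# Simplified model of the content matches in sid:2009542 (added example).
# The four parameter contents carry no http_uri modifier and no distance/within,
# so they are modelled as matching anywhere in the raw payload, in any order.
RAW_CONTENTS = [b"&c=", b"&v=", b"&b=", b"&z="]

def rule_matches(request: bytes) -> bool:
    """Approximate the rule's checks on one client-to-server HTTP request."""
    request_line = request.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        return False
    method, uri = parts[0], parts[1]
    # content:"GET"; depth:3; http_method;  (case-sensitive)
    if method[:3] != b"GET":
        return False
    # content:".php?id="; nocase; http_uri;
    if b".php?id=" not in uri.lower():
        return False
    # content:"&c="; "&v="; "&b="; "&z=";  all nocase, raw payload
    payload = request.lower()
    return all(c in payload for c in RAW_CONTENTS)

# Constructed sample requests (hypothetical hosts and paths).
SAMPLES = {
    "params_in_uri": b"GET /gate.php?id=1&c=2&v=3&b=4&z=5 HTTP/1.1\r\n"
                     b"Host: host.example\r\n\r\n",
    "reordered_params": b"GET /track.php?ID=77&z=1&b=2&v=3&c=4 HTTP/1.1\r\n"
                        b"Host: ads.example\r\n\r\n",
    "params_only_in_referer": b"GET /p.php?id=9 HTTP/1.1\r\nHost: ads.example\r\n"
                              b"Referer: http://site.example/?a=1&c=2&v=3&b=4&z=5\r\n\r\n",
    "missing_z": b"GET /gate.php?id=1&c=2&v=3&b=4 HTTP/1.1\r\n"
                 b"Host: host.example\r\n\r\n",
    "post_method": b"POST /gate.php?id=1&c=2&v=3&b=4&z=5 HTTP/1.1\r\n"
                   b"Host: host.example\r\n\r\n",
}

def evaluate_samples() -> dict:
    """Return {sample name: True if the modelled rule would fire}."""
    return {name: rule_matches(req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:24s} {'ALERT' if hit else 'no match'}")
```

In this model the rule fires on any GET to a `.php?id=` URI whose request also contains the four short parameter strings somewhere, which is the kind of breadth to check when triaging a suspected false positive.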