[Emerging-Sigs] Silentbanker

waldo kitty wkitty42 at windstream.net
Sat Oct 29 23:15:56 EDT 2011

On 10/28/2011 12:24, harry.tuttle wrote:
> What does this check-in look like, exactly?
> I'm getting hits to casalemedia.com, but I don't think it's a C&C.

why? caselmedia is evil and has been for years... not evil as in real "evil" 
stuff but "evil" in a tracking sense plus... they've been blocked here since 
eternity started ;) :P

> Thanks,
> Harry
> For reference:
> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Silentbanker/Yaludle Checkin to C&C"; flow:to_server,established; content:"GET"; depth:3; http_method; content:".php?id="; nocase; http_uri; content:"&c="; nocase; content:"&v="; nocase; content:"&b="; nocase; content:"&z="; nocase; reference:url,doc.emergingthreats.net/2009542; classtype:trojan-activity; sid:2009542; rev:4;)

More information about the Emerging-sigs mailing list