mcholste at gmail.com
Sun Oct 30 10:25:05 EST 2011
Certainly no one needs casalemedia, but the sig says this is a banker
Trojan, not adware, so this is a FP.
On Sat, Oct 29, 2011 at 10:15 PM, waldo kitty <wkitty42 at windstream.net> wrote:
> On 10/28/2011 12:24, harry.tuttle wrote:
>> What does this check-in look like, exactly?
>> I'm getting hits to casalemedia.com, but I don't think it's a C&C.
> why? casalemedia is evil and has been for years... not evil as in real "evil"
> stuff but "evil" in a tracking sense plus... they've been blocked here since
> eternity started ;) :P
>> For reference:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Silentbanker/Yaludle Checkin to C&C"; flow:to_server,established; content:"GET"; depth:3; http_method; content:".php?id="; nocase; http_uri; content:"&c="; nocase; content:"&v="; nocase; content:"&b="; nocase; content:"&z="; nocase; reference:url,doc.emergingthreats.net/2009542; classtype:trojan-activity; sid:2009542; rev:4;)
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
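As an added illustration (not code from the thread, Emerging Threats, or Snort), the Python below emulates the content checks of the quoted sid:2009542 against constructed request lines, showing how an ordinary ad-tracker style URI satisfies every token; the Host exclusion in tuned_matches is a hypothetical tuning (the effect of adding a negated http_header content to a local copy of the rule), not part of the rule itself.

```python
# Content patterns quoted from ET sid:2009542 in the thread above.
URI_KEY = ".php?id="                      # content with http_uri; nocase
TAIL_KEYS = ("&c=", "&v=", "&b=", "&z=")  # nocase, no buffer modifier

def parse_request_line(line):
    """Split 'GET /path?x=1 HTTP/1.1' into (method, uri); (None, None) if malformed."""
    parts = line.split(" ")
    if len(parts) != 3:
        return None, None
    return parts[0], parts[1]

def sid_2009542_matches(request_line):
    """Emulate the content checks of sid:2009542 on one HTTP request line.

    Snort contents without distance/within are independent, so each token
    only has to appear somewhere, in any order. The flow and port conditions
    (to_server, established, $HTTP_PORTS) are assumed to be met.
    """
    method, uri = parse_request_line(request_line)
    if method is None:
        return False
    if method[:3] != "GET":               # content:"GET"; depth:3; http_method
        return False
    if URI_KEY not in uri.lower():        # content:".php?id="; nocase; http_uri
        return False
    whole = request_line.lower()          # remaining contents: anywhere in the request
    return all(k in whole for k in TAIL_KEYS)

def tuned_matches(request_line, host, excluded_hosts):
    """Hypothetical tuning (assumed, not in the rule): suppress the alert when the
    Host header ends with an excluded domain, like content:!"casalemedia.com"; http_header;"""
    if any(host.lower().endswith(h.lower()) for h in excluded_hosts):
        return False
    return sid_2009542_matches(request_line)

# Constructed sample request lines (not captures from the thread).
AD_TRACKER = "GET /track.php?id=4521&c=us&v=2&b=728x90&z=1 HTTP/1.1"   # every token present
PARTIAL    = "GET /track.php?id=4521&c=us HTTP/1.1"                    # too few tokens
NOT_GET    = "POST /track.php?id=4521&c=us&v=2&b=728x90&z=1 HTTP/1.1"  # fails http_method check

if __name__ == "__main__":
    for req in (AD_TRACKER, PARTIAL, NOT_GET):
        print(sid_2009542_matches(req), req)
    print(tuned_matches(AD_TRACKER, "ads.casalemedia.com", ["casalemedia.com"]))
```

Only four three-byte parameter tokens plus ".php?id=" are required, which is why an ad or affiliate URL that happens to carry c, v, b and z parameters fires the rule just as the real check-in would.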