[Emerging-Sigs] Trojan.Kryptik Signatures

Micah Kays micah.d.kays at gmail.com
Mon Oct 31 21:43:15 EST 2011


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Kryptik Version Check"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| test_hInternet"; http_header; content:"/ver"; nocase; http_uri; isdataat:!1,relative; reference:url,http://www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:01; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Kryptik Updating Configuration"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| proscan-down"; http_header; content:"/bin/mdata.dat"; nocase; http_uri; isdataat:!1,relative; reference:url,http://www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:02; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Kryptik Second Stage Download"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| proscan-down"; http_header; content:"/P/mercuryarc.exe"; nocase; http_uri; isdataat:!1,relative; reference:url,http://www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:03; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Kryptik System Exposure"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent|3a| test_hInternet"; http_header; content:"/APP/ck_setup.php?m="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&a="; nocase; http_uri; reference:url,http://www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:04; rev:1;)
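As an added illustration, not part of the original post, here is a small Python model of what the four signatures check: it splits a request into the buffers the http_method, http_header and http_uri modifiers inspect, and shows that the http_uri buffer holds only the path, so a URI content string must stop at the path and be end-anchored (isdataat:!1,relative) to avoid firing on longer paths such as /version. The HTTP requests are constructed samples, not captures, and the host name is a placeholder.

```python
# Constructed sample requests (not captures) modelled on the traffic above.
SAMPLES = {
    "version_check": "GET /ver HTTP/1.1\r\nHost: c2.invalid\r\n"
                     "User-Agent: test_hInternet\r\n\r\n",
    "near_miss": "GET /version HTTP/1.1\r\nHost: c2.invalid\r\n"
                 "User-Agent: test_hInternet\r\n\r\n",
    "exposure": "GET /APP/ck_setup.php?m=x&d=y&a=z HTTP/1.1\r\n"
                "Host: c2.invalid\r\nUser-Agent: test_hInternet\r\n\r\n",
}

# (user-agent, http_uri content strings, anchor-at-end) per signature, in
# the order the four rules appear above.
RULES = {
    "Version Check": ("test_hInternet", ["/ver"], True),
    "Updating Configuration": ("proscan-down", ["/bin/mdata.dat"], True),
    "Second Stage Download": ("proscan-down", ["/P/mercuryarc.exe"], True),
    "System Exposure": ("test_hInternet",
                        ["/APP/ck_setup.php?m=", "&d=", "&a="], False),
}

def http_buffers(request):
    """Split a raw request the way Snort's http_* keywords do: the
    http_uri buffer holds only the URI, never the ' HTTP/1.1' suffix."""
    request_line, _, rest = request.partition("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return {"method": method, "uri": uri,
            "header": rest.split("\r\n\r\n", 1)[0]}

def matches(request, ua, uri_parts, anchored):
    """True when GET + User-Agent + every http_uri content string match.
    anchored approximates 'isdataat:!1,relative' after the last content:
    the URI must end with that string, so /version does not fire /ver."""
    b = http_buffers(request)
    if b["method"] != "GET" or f"User-Agent: {ua}" not in b["header"]:
        return False
    u = b["uri"].lower()                      # nocase
    if not all(p.lower() in u for p in uri_parts):
        return False
    return (not anchored) or u.endswith(uri_parts[-1].lower())

def triggered(request):
    """Names of the signatures a request would fire."""
    return [name for name, (ua, parts, anchored) in RULES.items()
            if matches(request, ua, parts, anchored)]
```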

