[Emerging-Sigs] Syrian MFA Malware

Will Metcalf wmetcalf at emergingthreatspro.com
Mon Dec 3 06:10:34 HAST 2012


I will try to dig up a sample but if I'm reading the write-up correctly C2
happens over SSL and we will only see the CONNECT requests to a local proxy
if present.

Regards,

Will

On Mon, Dec 3, 2012 at 12:23 AM, AD <elhoim at gmail.com> wrote:

>
> http://www.securelist.com/en/blog/774/A_Targeted_Attack_Against_The_Syrian_Ministry_of_Foreign_Affairs
>
> I see three angles:
> - User-Agent
> - misspelled HTTP header Proxy-Connetion
> - misformatted HTTP header Content_length (should be Content-Length)
>
> Regards,
> elhoim
>
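Added example (not part of either message above, and not an Emerging Threats rule): a Python check for the two header-name anomalies listed in the quoted message, run against constructed CONNECT requests as a local proxy would see them. The sample requests, the example.test hosts and the assumption that both headers appear on the CONNECT request are illustrative; the User-Agent angle is left out because the thread does not give the string.

```python
# Header spellings come from the thread; everything else is constructed.
SUSPECT_HEADER_NAMES = {
    "proxy-connetion": "misspelled Proxy-Connection",
    "content_length": "underscore instead of hyphen in Content-Length",
}

def parse_request_head(raw: bytes):
    """Return (method, target, [header names]) from a raw HTTP request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP request line: %r" % lines[0])
    names = []
    for line in lines[1:]:
        # Skip obsolete folded continuation lines and lines with no colon.
        if line[:1] in (" ", "\t") or ":" not in line:
            continue
        names.append(line.split(":", 1)[0].strip())
    return parts[0], parts[1], names

def check_request(raw: bytes):
    """Return (method, target, findings); findings are (header, reason) pairs."""
    method, target, names = parse_request_head(raw)
    findings = [(name, SUSPECT_HEADER_NAMES[name.lower()])
                for name in names if name.lower() in SUSPECT_HEADER_NAMES]
    return method, target, findings

# Constructed samples; example.test hosts are placeholders.
SAMPLE_SUSPECT = (
    b"CONNECT host-a.example.test:443 HTTP/1.1\r\n"
    b"Host: host-a.example.test:443\r\n"
    b"Proxy-Connetion: Keep-Alive\r\n"
    b"Content_length: 0\r\n\r\n"
)
SAMPLE_BENIGN = (
    b"CONNECT www.example.test:443 HTTP/1.1\r\n"
    b"Host: www.example.test:443\r\n"
    b"Proxy-Connection: Keep-Alive\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPECT, SAMPLE_BENIGN):
        print(check_request(sample))
```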