[Emerging-Sigs] Syrian MFA Malware

Will Metcalf wmetcalf at emergingthreatspro.com
Mon Dec 3 06:29:47 HAST 2012


Looks like a self-signed cert though...

Regards,

Will

On Mon, Dec 3, 2012 at 10:10 AM, Will Metcalf <wmetcalf at emergingthreatspro.com> wrote:

> I will try to dig up a sample but if I'm reading the write-up correctly C2
> happens over SSL and we will only see the CONNECT requests to a local proxy
> if present.
>
> Regards,
>
> Will
>
>
> On Mon, Dec 3, 2012 at 12:23 AM, AD <elhoim at gmail.com> wrote:
>
>>
>> http://www.securelist.com/en/blog/774/A_Targeted_Attack_Against_The_Syrian_Ministry_of_Foreign_Affairs
>>
>> I see three angles:
>> - User-Agent
>> - misspelled HTTP header Proxy-Connetion
>> - misformatted HTTP header Content_length (should be Content-Length)
>>
>> Regards,
>> elhoim
>
>
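An added example, not part of the thread or of any Emerging Threats ruleset: a small checker for the two malformed header names listed above, generalized to flag any request header that is a near-miss of a standard name. It assumes the headers are visible in a cleartext request such as the CONNECT to a local proxy; the sample requests, host names and User-Agent value are constructed placeholders.

```python
import difflib

# Standard request header names (lower-case) a proxy would expect to see.
KNOWN = {"host", "user-agent", "accept", "connection", "proxy-connection",
         "proxy-authorization", "content-length", "content-type", "cookie"}

def header_names(raw_request: bytes):
    """Return header names, as sent, from the head of a raw HTTP request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    names = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, _ = line.partition(":")
        if sep:
            names.append(name.strip())
    return names

def malformed_headers(raw_request: bytes, cutoff: float = 0.85):
    """Map each near-miss header name to the standard name it resembles."""
    hits = {}
    for name in header_names(raw_request):
        lowered = name.lower()
        if lowered in KNOWN:
            continue                          # correctly spelled, nothing to flag
        # Treat '_' as '-' so Content_length lines up with Content-Length.
        candidate = lowered.replace("_", "-")
        match = difflib.get_close_matches(candidate, KNOWN, n=1, cutoff=cutoff)
        if match:
            hits[name] = match[0]
    return hits

# Constructed samples (not taken from the write-up or from captured traffic).
SUSPECT = (b"CONNECT c2.example.invalid:443 HTTP/1.1\r\n"
           b"Host: c2.example.invalid:443\r\n"
           b"User-Agent: placeholder-agent\r\n"
           b"Proxy-Connetion: Keep-Alive\r\n"
           b"Content_length: 0\r\n\r\n")
BENIGN = (b"CONNECT www.example.org:443 HTTP/1.1\r\n"
          b"Host: www.example.org:443\r\n"
          b"Proxy-Connection: keep-alive\r\n"
          b"X-Forwarded-For: 192.0.2.10\r\n\r\n")

if __name__ == "__main__":
    print(malformed_headers(SUSPECT))
    print(malformed_headers(BENIGN))
```

Unknown but legitimate headers such as X-Forwarded-For are not flagged because they do not resemble any name in KNOWN; extend that set to match the headers normal in your environment.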