[Emerging-Sigs] Syrian MFA Malware
wmetcalf at emergingthreatspro.com
Mon Dec 3 06:29:47 HAST 2012
Looks like a self-signed cert though...
On Mon, Dec 3, 2012 at 10:10 AM, Will Metcalf <wmetcalf at emergingthreatspro.com> wrote:
> I will try to dig up a sample but if I'm reading the write-up correctly C2
> happens over SSL and we will only see the CONNECT requests to a local proxy
> if present.
> On Mon, Dec 3, 2012 at 12:23 AM, AD <elhoim at gmail.com> wrote:
>> I see three angles:
>> - User-Agent
>> - misspelled HTTP header Proxy-Connetion
>> - misformatted HTTP header Content_length (should be Content-Length)
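The two header-name angles listed in the quoted message, as an added example that is not part of the original thread: a Python check that parses raw HTTP request heads (including proxy CONNECT requests) and flags the malformed header names. The sample requests and host names are constructed, and the User-Agent angle is left out because the thread does not give its value.

```python
# Header names quoted in the thread, lower-cased for case-insensitive matching.
SUSPECT_HEADERS = {
    "proxy-connetion": "misspelled Proxy-Connection",
    "content_length": "underscore instead of hyphen in Content-Length",
}

def parse_request_head(raw: bytes):
    """Split a raw HTTP request head into (method, target, [(name, value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP request line")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip lines that are not "name: value"
            headers.append((name.strip(), value.strip()))
    return parts[0], parts[1], headers

def find_anomalies(raw: bytes):
    """Return (method, target, header_name, reason) for each suspect header."""
    method, target, headers = parse_request_head(raw)
    hits = []
    for name, _value in headers:
        reason = SUSPECT_HEADERS.get(name.lower())
        if reason:
            hits.append((method, target, name, reason))
    return hits

# Constructed samples (placeholder hosts, not taken from the thread).
SAMPLE_CONNECT = (b"CONNECT host.example.invalid:443 HTTP/1.1\r\n"
                  b"Host: host.example.invalid:443\r\n"
                  b"Proxy-Connetion: Keep-Alive\r\n\r\n")
SAMPLE_POST = (b"POST /submit HTTP/1.1\r\n"
               b"Host: host.example.invalid\r\n"
               b"Content_length: 4\r\n\r\nabcd")
SAMPLE_BENIGN = (b"CONNECT www.example.invalid:443 HTTP/1.1\r\n"
                 b"Host: www.example.invalid:443\r\n"
                 b"Proxy-Connection: Keep-Alive\r\n"
                 b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    for sample in (SAMPLE_CONNECT, SAMPLE_POST, SAMPLE_BENIGN):
        print(find_anomalies(sample))
```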