[Emerging-Sigs] SIG: ET TROJAN Win32/Trojan.Agent.AXMO CnC Beacon

Nathan nathan at packetmail.net
Thu Dec 6 04:35:25 HAST 2012


On 12/05/2012 05:21 PM, Will Metcalf wrote:
> Nice.. Thanks Kevin. Will get it into QA.
> 
> Regards,
> 
> Will
> 
> On Wed, Dec 5, 2012 at 5:16 PM, Kevin Ross <kevross33 at googlemail.com> wrote:
>> > alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN
>> > Win32/Trojan.Agent.AXMO CnC Beacon"; flow:established,to_server;
>> > content:"POST"; content:"/log HTTP/1."; distance:0; content:"User-Agent|3A
>> > 20|Mozilla/4.0|0D 0A|"; distance:0; classtype:trojan-activity;
>> > reference:url,contagiodump.blogspot.co.uk/2012/12/osxdockstera-and-win32trojanagentaxmo.html;
>> > sid:1329991; rev:1;)

We do have coverage for this in the below, though it doesn't specifically
identify Trojan.Agent.AXMO CNC beacon activity:

SID 2003492 (enabled by default) covers the abnormal User-Agent
SID 2013926 (enabled by default) covers plaintext HTTP POST over TCP 443

Perhaps if you really want it isolated to /log, it may make sense to take
advantage of the ET.HTTP.at.SSL flowbit in 2013926?

Cheers,
Nathan
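
An added illustration of the rule mechanics discussed in this thread (example code, not from the thread or from Emerging Threats): a small Python matcher that decodes the `|3A 20|` hex runs, chains `content` matches with `distance:0`, and gates on `flowbits:isset`. It uses Kevin's rule plus a hypothetical chained variant that assumes SID 2013926 sets a flowbit named ET.HTTP.at.SSL on the flow; the beacon payload is constructed.

```python
import re

# Constructed sample of the beacon the quoted rule describes (not captured traffic).
SAMPLE_BEACON = b"POST /log HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/4.0\r\n\r\n"

# Kevin's rule from the thread, joined onto one line (reference option dropped for brevity).
BEACON_RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN '
    'Win32/Trojan.Agent.AXMO CnC Beacon"; flow:established,to_server; '
    'content:"POST"; content:"/log HTTP/1."; distance:0; '
    'content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; distance:0; '
    'classtype:trojan-activity; sid:1329991; rev:1;)')

# Hypothetical variant of Nathan's suggestion: only fire once the flowbit assumed to be
# set by SID 2013926 (plaintext HTTP over 443) has been seen on this flow.
CHAINED_RULE = BEACON_RULE.replace("flow:established,to_server;",
    "flow:established,to_server; flowbits:isset,ET.HTTP.at.SSL;")

OPTION_RE = re.compile(r'(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?;')
HEX_RUN_RE = re.compile(r"\|([0-9A-Fa-f ]+)\|")

def decode_content(value):
    """Expand |3A 20|-style hex runs in a content string into raw bytes."""
    out, pos = b"", 0
    for m in HEX_RUN_RE.finditer(value):
        out += value[pos:m.start()].encode() + bytes.fromhex(m.group(1))
        pos = m.end()
    return out + value[pos:].encode()

def parse_options(rule):
    """Return the ordered (keyword, value) pairs from the rule's option block."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    return [(k, v.strip('"')) for k, v in OPTION_RE.findall(body)]

def rule_matches(rule, payload, flowbits=frozenset()):
    """A content with distance:N is searched from N bytes past the previous match,
    so payload ordering is enforced; flowbits:isset gates the rule on earlier flow state."""
    contents = []
    for key, val in parse_options(rule):
        if key == "content":
            contents.append([decode_content(val), None])
        elif key == "distance":
            contents[-1][1] = int(val)
        elif key == "flowbits":
            action, name = val.split(",", 1)
            if action == "isset" and name not in flowbits:
                return False
    cursor = 0
    for needle, distance in contents:
        idx = payload.find(needle, 0 if distance is None else cursor + distance)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True
```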
