[Emerging-Sigs] SIG: ET TROJAN W32/Quarian HTTP Proxy Header

Kevin Ross kevross33 at googlemail.com
Thu Dec 6 09:29:58 HAST 2012


A sig from the information on the VRT blog (thanks VRT) on a trojan that
reminds me of Mass Effect ;-) . I have not had a chance to do the direct
CnC also mentioned in the blog post.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Quarian HTTP Proxy Header"; flow:established,to_server; content:"Content_length|3A 20|"; http_header; content:"Proxy-Connetion|3A 20|"; http_header; classtype:trojan-activity; reference:url,vrt-blog.snort.org/2012/12/quarian.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Vrt+%28Sourcefire+VRT+-+Vulnerability+Research%2C+Razorback+and+Explosions%29; sid:129911; rev:1;)

Regards,
Kevin
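
Added example, not part of the original post: a Python approximation of the rule's matching logic (both misspelled header strings must appear, case-sensitively, in the request headers), run over constructed requests to show which ones would alert. The function names, the request line and the sample requests are assumptions, and Snort's normalization of the http_header buffer is not reproduced.

```python
# Added example: approximates the rule's two content matches in Python.
# Snort `content` is case-sensitive unless `nocase` is set; |3A 20| is ": ".
RULE_CONTENTS = (b"Content_length: ", b"Proxy-Connetion: ")


def header_block(raw: bytes) -> bytes:
    """Header lines of a raw HTTP request: no request line, no body."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    _, _, headers = head.partition(b"\r\n")
    return headers


def rule_matches(raw: bytes) -> bool:
    """True only when every content string is in the headers (logical AND)."""
    headers = header_block(raw)
    return all(content in headers for content in RULE_CONTENTS)


def build(headers: list[bytes], body: bytes = b"") -> bytes:
    """Assemble a constructed request; method and URI are placeholders."""
    return b"\r\n".join([b"POST / HTTP/1.1", *headers]) + b"\r\n\r\n" + body


# Constructed samples (not captured traffic).
SAMPLES = {
    "both_misspelled": build([b"Host: host.example", b"Content_length: 16",
                              b"Proxy-Connetion: Keep-Alive"]),
    "benign_proxy": build([b"Host: www.example", b"Content-Length: 16",
                           b"Proxy-Connection: Keep-Alive"]),
    "only_one": build([b"Host: www.example", b"Content_length: 16"]),
    "lowercase": build([b"Host: www.example", b"content_length: 16",
                        b"proxy-connetion: Keep-Alive"]),
    "strings_in_body": build([b"Host: www.example", b"Content-Length: 37"],
                             b"Content_length: 1\r\nProxy-Connetion: x"),
}


def evaluate() -> dict[str, bool]:
    """Map each constructed sample name to whether the rule logic matches."""
    return {name: rule_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:16} {'ALERT' if hit else 'no match'}")
```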