[Emerging-Sigs] SIG: ET TROJAN W32/Quarian HTTP Proxy Header

Kevin Ross kevross33 at googlemail.com
Thu Dec 6 14:02:20 HAST 2012


Yeah, I know, but at least it will work in many business environments, I
think. Up to you though.

Kev

On 6 December 2012 19:45, Will Metcalf <william.metcalf at gmail.com> wrote:

> This will only work if you have a proxy.  I have a self-signed cert
> from one of the C2 IP addys from around that time. Can't be 100%
> sure it's related; will share if anybody wants it.
>
> Regards,
>
> Will
>
> On Thu, Dec 6, 2012 at 1:29 PM, Kevin Ross <kevross33 at googlemail.com>
> wrote:
> > A sig from the information on the VRT blog (thanks VRT) on a trojan that
> > reminds me of Mass Effect ;-). I have not had a chance to do the direct CnC
> > also mentioned in the blog post.
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Quarian HTTP Proxy Header"; flow:established,to_server; content:"Content_length|3A 20|"; http_header; content:"Proxy-Connetion|3A 20|"; http_header; classtype:trojan-activity; reference:url,vrt-blog.snort.org/2012/12/quarian.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Vrt+%28Sourcefire+VRT+-+Vulnerability+Research%2C+Razorback+and+Explosions%29; sid:129911; rev:1;)
> >
> > Regards,
> > Kevin
>
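An added example, not part of the thread or of the ET ruleset: the rule's matching logic reproduced in Python and run over constructed HTTP requests (no captured traffic). It keys on the same two byte strings the rule does, the misspelled "Content_length: " and "Proxy-Connetion: " headers, searched only in the header buffer of a client-to-server request on an HTTP port. The port set is an assumed $HTTP_PORTS value. The direct (non-proxied) sample shows the point Will raises: with no Proxy-Connetion header in the request, the second content never matches.

```python
"""Mimic the ET TROJAN W32/Quarian HTTP Proxy Header rule.

Added example, not code from the original post or the ET ruleset.  The rule's
detection logic is two content matches in the http_header buffer of an
established, to_server flow on $HTTP_PORTS:

    content:"Content_length|3A 20|"; http_header;
    content:"Proxy-Connetion|3A 20|"; http_header;

Both strings are misspellings ("Content_length" with an underscore,
"Proxy-Connetion" missing a "c"), which is what makes them usable as
indicators: a conforming HTTP client never emits either.
"""

# Byte patterns exactly as spelled in the rule; |3A 20| is ": " in Snort hex.
PATTERNS = (b"Content_length\x3a\x20", b"Proxy-Connetion\x3a\x20")

# Assumption: a typical $HTTP_PORTS variable (the real value is deployment-specific).
HTTP_PORTS = {80, 8080, 8000, 8888, 3128}


def http_header_buffer(request: bytes) -> bytes:
    """Approximate the http_header buffer: the header lines after the request
    line, up to and including the blank line.  The body is excluded, so the
    patterns are not matched if they appear only in a POST body."""
    first_crlf = request.find(b"\r\n")
    if first_crlf == -1:
        return b""
    end = request.find(b"\r\n\r\n", first_crlf)
    headers_end = len(request) if end == -1 else end + 4
    return request[first_crlf + 2 : headers_end]


def quarian_proxy_header_match(request: bytes, dst_port: int, to_server: bool = True) -> bool:
    """Return True if the request would fire the rule."""
    # flow:established,to_server and the $HTTP_PORTS destination filter.
    if not to_server or dst_port not in HTTP_PORTS:
        return False
    hdr = http_header_buffer(request)
    # No distance/within in the rule, so each content is searched over the whole
    # buffer independently; no nocase, so the match is case-sensitive.
    return all(p in hdr for p in PATTERNS)


# Constructed sample requests (not captured traffic).
PROXIED_QUARIAN = (
    b"GET http://example.invalid/index.htm HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Proxy-Connetion: Keep-Alive\r\n"
    b"Content_length: 0\r\n"
    b"\r\n"
)
# Same misspelled Content_length but no proxy header: a direct request.
DIRECT_NO_PROXY_HDR = (
    b"GET /index.htm HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content_length: 0\r\n"
    b"\r\n"
)
# Correctly spelled headers from a normal client behind a proxy.
WELL_FORMED_PROXIED = (
    b"GET http://example.invalid/index.htm HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Proxy-Connection: Keep-Alive\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)
# Patterns present only in the body, which http_header does not cover.
BODY_ONLY = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Length: 39\r\n"
    b"\r\n"
    b"Proxy-Connetion: x\r\nContent_length: 0\r\n"
)


def scan_samples() -> dict:
    """Run the rule over the samples; returns {name: matched}."""
    return {
        "proxied_quarian": quarian_proxy_header_match(PROXIED_QUARIAN, 8080),
        "direct_no_proxy_hdr": quarian_proxy_header_match(DIRECT_NO_PROXY_HDR, 80),
        "well_formed_proxied": quarian_proxy_header_match(WELL_FORMED_PROXIED, 8080),
        "body_only": quarian_proxy_header_match(BODY_ONLY, 80),
        "proxied_quarian_on_443": quarian_proxy_header_match(PROXIED_QUARIAN, 443),
    }


if __name__ == "__main__":
    for name, hit in scan_samples().items():
        print(f"{name:24s} {'ALERT' if hit else '-'}")
```

Only the proxied sample with both misspelled headers fires; the direct request, the correctly spelled proxy request, the body-only case and the same request on a non-HTTP port all stay silent, which is the coverage gap Will points out for hosts that talk to the C2 without a proxy.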

