[Emerging-Sigs] SIG: ET TROJAN W32/Quarian HTTP Proxy Header
kevross33 at googlemail.com
Thu Dec 6 14:02:20 HAST 2012
Yeah, I know, but at least it will work in many business environments, I
think. Up to you though.
On 6 December 2012 19:45, Will Metcalf <william.metcalf at gmail.com> wrote:
> This will only work if you have a proxy. I have a self-signed cert
> from one of the C2 ip addys from around that time. Can't be 100%
> sure it's related; will share if anybody wants it.
> On Thu, Dec 6, 2012 at 1:29 PM, Kevin Ross <kevross33 at googlemail.com> wrote:
> > A sig from the information on the VRT blog (thanks VRT) on a trojan that
> > reminds me of Mass Effect ;-) . I have not had a chance to do the direct
> > also mentioned in the blog post.
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> > W32/Quarian HTTP Proxy Header"; flow:established,to_server;
> > content:"Content_length|3A 20|"; http_header; content:"Proxy-Connetion|3A
> > 20|"; http_header; classtype:trojan-activity;
> > reference:url,
> > sid:129911; rev:1;)
> > Regards,
> > Kevin
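
The matching logic of the signature above, as an added example that is not part of the original thread: both misspelled header strings must appear in the request headers, so a request carrying only one of them does not alert. The three requests are constructed samples; the "direct" one assumes, following the reply about proxies, that the second header is absent when no proxy is in the path.

```python
# Header strings copied from the signature in the thread. Both are misspelled
# on purpose in the rule; |3A 20| in Snort content syntax is ": ".
SIG_CONTENTS = (b"Content_length: ", b"Proxy-Connetion: ")


def http_header_buffer(raw: bytes) -> bytes:
    """Approximate the http_header buffer: header lines only, without the
    request line and without the body."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    _request_line, _, headers = head.partition(b"\r\n")
    return headers + b"\r\n"


def header_hits(raw: bytes) -> list:
    """Signature strings found in the header block (case-sensitive, since
    the rule has no nocase modifier)."""
    buf = http_header_buffer(raw)
    return [c for c in SIG_CONTENTS if c in buf]


def matches_signature(raw: bytes) -> bool:
    """The rule alerts only when every content match succeeds."""
    return len(header_hits(raw)) == len(SIG_CONTENTS)


# Constructed requests; host names and bodies are placeholders.
PROXIED = (b"POST http://c2.example.invalid/ HTTP/1.1\r\n"
           b"Host: c2.example.invalid\r\n"
           b"Content_length: 16\r\n"
           b"Proxy-Connetion: Keep-Alive\r\n\r\n" + b"A" * 16)
# Assumed shape of the same request with no proxy in the path.
DIRECT = (b"POST / HTTP/1.1\r\n"
          b"Host: c2.example.invalid\r\n"
          b"Content_length: 16\r\n\r\n" + b"A" * 16)
# Correctly spelled headers; the misspellings appear only in the body.
BENIGN = (b"POST http://www.example.invalid/ HTTP/1.1\r\n"
          b"Host: www.example.invalid\r\n"
          b"Content-Length: 33\r\n"
          b"Proxy-Connection: Keep-Alive\r\n\r\n"
          b"Content_length: Proxy-Connetion: ")

if __name__ == "__main__":
    for name, req in (("proxied", PROXIED), ("direct", DIRECT), ("benign", BENIGN)):
        print(name, matches_signature(req), header_hits(req))
```
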