[Emerging-Sigs] SIGS: W32/Prinimalka and Blackhole Landing Page

Kevin Ross kevross33 at googlemail.com
Mon Dec 17 10:18:40 HAST 2012


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET
CURRENT_EVENTS Blackhole2 Landing Page 7 Character Obfuscation String -
15/12/2012"; content:"=|22|-"; content:"-"; distance:7; within:1;
content:"-"; distance:7; within:1; content:"=|22|-"; distance:100;
content:"-"; distance:7; within:1; content:"-"; distance:7; within:1;
content:"=|22|-"; distance:100; content:"-"; distance:7; within:1;
content:"-"; distance:7; within:1; content:"><script>"; distance:0;
pcre:"/\x3D\x22\x2D[a-z0-9]{7}\x2D[a-z0-9]{7}\x2D[a-z0-9]{7}.{200}\x3D\x22\x2D[a-z0-9]{7}\x2D[a-z0-9]{7}\x2D[a-z0-9]{7}/sm";
classtype:trojan-activity; sid:1731991; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
W32/Prinimalka Get Task CnC Beacon"; flow:established,to_server;
content:"/command?user_id="; fast_pattern; http_uri;
content:"&version_id="; http_uri; content:"&crc="; http_uri;
classtype:trojan-activity; reference:url,
ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/;
sid:1731992; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
W32/Prinimalka Configuration Update Request"; flow:established,to_server;
content:"/options?user_id="; http_uri; content:"&version_id="; http_uri;
content:"&crc="; http_uri; content:"&uptime="; http_uri; content:"&port=";
http_uri; content:"&ip="; http_uri; classtype:trojan-activity;
reference:url,
ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/;
sid:1731993; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
W32/Prinimalka Prinimalka.py Script In CnC Beacon";
flow:established,to_server; content:"/prinimalka.py/"; http_uri;
fast_pattern:only; classtype:trojan-activity; reference:url,
ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/;
sid:1731994; rev:1;)

Regards,
Kevin
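The matching logic of the four rules above, re-implemented in Python as an added example (not code from the post or from Emerging Threats) so the patterns can be exercised against constructed samples offline. The landing page, URIs and addresses are made up, and the rule's distance:100 is modelled as "at least 100 bytes after the previous match".

```python
import re

# Assumption: distance:100 in the landing-page rule means at least 100 bytes
# after the previous match, so the regex uses a lazy .{100,}? between groups.
# Three 7-char [a-z0-9] tokens joined by "-" right after =" (the obfuscation string).
_TOKENS = r'=\x22-[a-z0-9]{7}-[a-z0-9]{7}-[a-z0-9]{7}'
BLACKHOLE2_RE = re.compile(
    _TOKENS + r'.{100,}?' + _TOKENS + r'.{100,}?' + _TOKENS + r'.*?><script>',
    re.S,
)


def blackhole2_landing_page(body: str) -> bool:
    """sid 1731991: three spaced-out 7-character obfuscation strings before <script>."""
    return BLACKHOLE2_RE.search(body) is not None


def prinimalka_sids(uri: str) -> list:
    """Return the sids (1731992-1731994) whose http_uri content checks all hold."""
    rules = {
        1731992: ["/command?user_id=", "&version_id=", "&crc="],
        1731993: ["/options?user_id=", "&version_id=", "&crc=",
                  "&uptime=", "&port=", "&ip="],
        1731994: ["/prinimalka.py/"],
    }
    # content keywords are plain, case-sensitive substring checks on the URI
    return [sid for sid, parts in rules.items() if all(p in uri for p in parts)]


# Constructed samples (not captures from real traffic).
_PAD = "x" * 120
LANDING_PAGE = (
    '<div id="-a1b2c3d-e4f5g6h-i7j8k9l">' + _PAD
    + '<span class="-m0n1o2p-q3r4s5t-u6v7w8x">' + _PAD
    + '<p title="-y9z0a1b-c2d3e4f-g5h6i7j"><script>var k=1;</script>'
)
BENIGN_PAGE = '<div id="-abc-def-ghi"><script>var k=1;</script>'
BEACON_URI = "/command?user_id=123&version_id=4&crc=abcd"
CONFIG_URI = "/options?user_id=123&version_id=4&crc=abcd&uptime=10&port=80&ip=10.0.0.1"
BENIGN_URI = "/command?user_id=123"

if __name__ == "__main__":
    print(blackhole2_landing_page(LANDING_PAGE), blackhole2_landing_page(BENIGN_PAGE))
    print(prinimalka_sids(BEACON_URI), prinimalka_sids(CONFIG_URI),
          prinimalka_sids(BENIGN_URI))
```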