[Emerging-Sigs] SIG: ET TROJAN W32.Daws/Sanny

Kevin Ross kevross33 at googlemail.com
Mon Dec 17 11:56:43 HAST 2012


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Daws/Sanny CnC Initial Beacon"; flow:established,to_server; content:"/list.php?db="; http_uri; content:"Accept-Language|3A| ko-kr"; http_header; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; sid:1318811; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/write.php"; http_uri; content:"Accept-Language|3A| ko-kr"; http_header; content:"db="; http_client_body; depth:3; content:"&ch="; http_client_body; distance:0; content:"&name="; http_client_body; distance:0; content:"&email="; http_client_body; distance:0; content:"&pw="; http_client_body; distance:0; classtype:trojan-activity; reference:url,blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html; sid:1318812; rev:1;)

Regards,
Kevin
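
As an added illustration, not part of Kevin's post or the ET rule set, the following Python re-implements the matching logic of both signatures and runs it over constructed requests (the hostname cnc.example.invalid and the form values are placeholders, not observed C2 traffic). It shows what each rule needs to see: the beacon rule needs both the list.php?db= URI and the ko-kr Accept-Language header, and the POST rule additionally needs db= at the very start of the request body (depth:3) followed by &ch=, &name=, &email= and &pw= in that order (the distance:0 chain).

```python
"""Plain-Python re-implementation of the two W32.Daws/Sanny signatures.

Added example, not Emerging Threats or the poster's code.  It models the
buffers the rules inspect (http_method, http_uri, http_header and the
request body) and the ordered content checks so the conditions can be
exercised offline.  All sample requests are constructed for illustration;
the hostname and form values are placeholders, not observed C2 data.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class HttpRequest:
    method: bytes        # http_method buffer
    uri: bytes           # http_uri buffer
    header_block: bytes  # http_header buffer (all header lines, CRLF-joined)
    body: bytes          # request body (http_client_body in Snort 2.9)


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into the buffers the rules match on."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return HttpRequest(method, uri, header_block, body)


def ordered_contents(buf: bytes, first: bytes, depth: int, rest: List[bytes]) -> bool:
    """Emulate 'content:first; depth:N;' followed by a chain of
    'content:X; distance:0;' checks: the first pattern must lie wholly
    within the first N bytes, and each later pattern must start at or
    after the end of the previous match."""
    pos = buf.find(first, 0, depth)
    if pos < 0:
        return False
    cursor = pos + len(first)
    for pat in rest:
        pos = buf.find(pat, cursor)
        if pos < 0:
            return False
        cursor = pos + len(pat)
    return True


KO_KR = b"Accept-Language: ko-kr"
POST_FIELDS = [b"&ch=", b"&name=", b"&email=", b"&pw="]


def rule_initial_beacon(req: HttpRequest) -> bool:
    """ET TROJAN W32.Daws/Sanny CnC Initial Beacon: list.php?db= in the URI
    plus a Korean Accept-Language header on an outbound request."""
    return b"/list.php?db=" in req.uri and KO_KR in req.header_block


def rule_cnc_post(req: HttpRequest) -> bool:
    """ET TROJAN W32.Daws/Sanny CnC POST: POST to write.php with ko-kr
    locale and a body that starts with db= and carries ch/name/email/pw
    in that order."""
    return (req.method == b"POST"
            and b"/write.php" in req.uri
            and KO_KR in req.header_block
            and ordered_contents(req.body, b"db=", 3, POST_FIELDS))


RULES: List[Tuple[str, Callable[[HttpRequest], bool]]] = [
    ("ET TROJAN W32.Daws/Sanny CnC Initial Beacon", rule_initial_beacon),
    ("ET TROJAN W32.Daws/Sanny CnC POST", rule_cnc_post),
]


def evaluate(raw: bytes) -> List[str]:
    """Return the msg of every rule that fires on one raw request."""
    req = parse_request(raw)
    return [msg for msg, check in RULES if check(req)]


def build_request(method: bytes, path: bytes, lang: bytes, body: bytes = b"") -> bytes:
    """Assemble a constructed HTTP/1.1 request (sample data, not a capture)."""
    headers = [method + b" " + path + b" HTTP/1.1",
               b"Host: cnc.example.invalid",  # placeholder hostname
               b"Accept-Language: " + lang,
               b"Content-Type: application/x-www-form-urlencoded",
               b"Content-Length: " + str(len(body)).encode()]
    return b"\r\n".join(headers) + b"\r\n\r\n" + body


# Constructed samples: one hit per rule, plus near misses that must stay quiet.
SAMPLES: Dict[str, bytes] = {
    "beacon": build_request(b"GET", b"/list.php?db=abc", b"ko-kr"),
    "post": build_request(b"POST", b"/write.php", b"ko-kr",
                          b"db=abc&ch=1&name=host1&email=x%40y&pw=1234"),
    # same fields, but db= is not at offset 0, so depth:3 fails
    "post_reordered": build_request(b"POST", b"/write.php", b"ko-kr",
                                    b"ch=1&db=abc&name=host1&email=x%40y&pw=1234"),
    # right URI, wrong locale header
    "beacon_en": build_request(b"GET", b"/list.php?db=abc", b"en-us"),
    # ordinary Korean-locale browsing, different path
    "benign_ko": build_request(b"GET", b"/index.html", b"ko-kr"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15s} -> {evaluate(raw) or 'no alert'}")
```

The body conditions are evaluated on the client request body; in Snort 2.9 that is the http_client_body buffer, whereas file_data selects the server response body, so a to_server POST rule built on file_data would never see these fields.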