[Emerging-Sigs] SIG: ET TROJAN W32.Daws/Sanny

Will Metcalf wmetcalf at emergingthreatspro.com
Mon Dec 17 17:11:32 HAST 2012


Posted, but fixed the sig: file_data + POST is invalid, so made it
http_client_body. Thanks....

On Mon, Dec 17, 2012 at 3:56 PM, Kevin Ross <kevross33 at googlemail.com> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> W32.Daws/Sanny CnC Initial Beacon"; flow:established,to_server;
> content:"/list.php?db="; http_uri; content:"Accept-Language|3A| ko-kr";
> http_header; classtype:trojan-activity; reference:url,
> blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,
> contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html;
> sid:1318811; rev:1;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> W32.Daws/Sanny CnC POST"; flow:established,to_server; content:"POST";
> http_method; content:"/write.php"; http_uri; content:"Accept-Language|3A|
> ko-kr"; http_header; file_data; content:"db="; within:3; content:"&ch=";
> distance:0; content:"&name="; distance:0; content:"&email="; distance:0;
> content:"&pw="; distance:0; classtype:trojan-activity; reference:url,
> blog.fireeye.com/research/2012/12/to-russia-with-apt.html; reference:url,
> contagiodump.blogspot.co.uk/2012/12/end-of-year-presents-continue.html;
> sid:1318812; rev:1;)
>
> Regards,
> Kevin
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
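An added example, not part of this thread and not ET's own rule code: a small Python emulation of what the corrected second rule checks once the body content chain is anchored to the HTTP request body (http_client_body, per Will's fix) instead of file_data. The requests it runs over are constructed samples, and the function names (parse_request, content_chain, matches_sanny_post, build_request) are my own, not Snort's.

```python
"""Emulates the detection logic of the corrected W32.Daws/Sanny CnC POST rule.

The content chain (db= within:3, then &ch=, &name=, &email=, &pw= with
distance:0) is evaluated against the HTTP *request* body, which is the buffer
http_client_body selects; file_data does not select the request body, which
is why the posted form of the rule was flagged as invalid.  All requests
below are constructed samples, not captured traffic.
"""
from typing import Dict, List, Optional, Tuple

Request = Tuple[bytes, bytes, Dict[bytes, bytes], bytes]


def parse_request(raw: bytes) -> Optional[Request]:
    """Split a raw HTTP/1.x request into (method, uri, headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) != 3:
        return None
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return request_line[0], request_line[1], headers, body


def content_chain(buf: bytes, first: bytes, within: int, rest: List[bytes]) -> bool:
    """Emulate a Snort content chain on one buffer.

    `first` must end inside the first `within` bytes of the buffer
    (content:"db="; within:3 with no prior match), and every pattern in
    `rest` must start at or after the end of the previous match (distance:0).
    """
    pos = buf[:within].find(first)
    if pos < 0:
        return False
    cursor = pos + len(first)
    for pat in rest:
        nxt = buf.find(pat, cursor)
        if nxt < 0:
            return False
        cursor = nxt + len(pat)
    return True


def matches_sanny_post(raw: bytes) -> bool:
    """Mirror the rule's checks: POST + /write.php + Accept-Language ko-kr,
    then the form-field chain in the request body (the http_client_body buffer)."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, headers, body = parsed
    if method != b"POST" or b"/write.php" not in uri:
        return False
    if b"ko-kr" not in headers.get(b"accept-language", b""):
        return False
    return content_chain(body, b"db=", 3, [b"&ch=", b"&name=", b"&email=", b"&pw="])


def build_request(method: bytes, uri: bytes, lang: bytes, body: bytes) -> bytes:
    """Assemble a constructed HTTP/1.1 request for testing (hostname is a placeholder)."""
    return (method + b" " + uri + b" HTTP/1.1\r\n"
            b"Host: cnc.example.invalid\r\n"
            b"Accept-Language: " + lang + b"\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed samples: one beacon-shaped POST and three near misses.
HIT = build_request(b"POST", b"/write.php", b"ko-kr",
                    b"db=x&ch=1&name=host&email=a@b&pw=secret")
MISS_ORDER = build_request(b"POST", b"/write.php", b"ko-kr",
                           b"db=x&name=host&ch=1&email=a@b&pw=secret")  # &ch= after &name=
MISS_OFFSET = build_request(b"POST", b"/write.php", b"ko-kr",
                            b"x=1&db=x&ch=1&name=host&email=a@b&pw=secret")  # db= fails within:3
MISS_LANG = build_request(b"POST", b"/write.php", b"en-us",
                          b"db=x&ch=1&name=host&email=a@b&pw=secret")

if __name__ == "__main__":
    for label, req in [("HIT", HIT), ("MISS_ORDER", MISS_ORDER),
                       ("MISS_OFFSET", MISS_OFFSET), ("MISS_LANG", MISS_LANG)]:
        print(f"{label}: {'alert' if matches_sanny_post(req) else 'no alert'}")
```

The near-miss samples show what each modifier in the chain buys: `within:3` pins `db=` to the very start of the body, and `distance:0` enforces the field order, so a body with the same fields in a different order does not fire.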