[Emerging-Sigs] "ET TROJAN FakeAV Landing Page"

Marcos Orallo morallo at tb-security.com
Tue Dec 18 05:10:48 HAST 2012

I forgot to add the payload:

Connection: keep-alive
Accept: */*
Accept-Language: es
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Accept-Encoding: gzip, deflate
Host: dutytraditional.net
X-IMForwards: 20


On 18/12/2012 15:58, Marcos Orallo wrote:
> Hi all,
> I have regular detections from this rule, together with this other one:
> "ET CURRENT_EVENTS Ponmocup Redirection from infected Website to
> Trojan-Downloader".
> From what I understand, I suppose this is just a landing page to show a
> false antivirus scan and persuade the user to download and install a
> fake AV.
> However, the rule is labeled as "TROJAN" in trojan.rules file, and
> classified as "trojan-activity". I had the impression this type of rule
> triggered only when there has already been an infection.
> Maybe it should be moved to CURRENT_EVENTS?
> Regards,
> Marcos.