[Emerging-Sigs] High false positive rate ET TROJAN Kazy/Kryptor/Cycbot Checkin 3

matt sendtomatt at gmail.com
Wed Dec 12 17:31:28 HAST 2012


In FreeBSD land, a bug report is called a "PR" (problem report). The CGI
interface for viewing these @ freebsd.org uses ?pr= in the GET URL.

Here is an example URL that will trigger the false positive:
http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/169319

This rule may be overly vague, or cause undue concern that a host is
infected. This could be resolved by either making a more specific rule to
the trojan (not sure there) or changing the language of the rule to
include something like "Possible trojan".

Please CC me in responses, I'm not subscribed to the list.

Thanks,

Matt M
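As an added illustration, not part of Matt's message or of the ET ruleset itself, here is a small Python check that mimics the reported behaviour (alert on any GET URL whose query string carries a pr= parameter) and then suppresses the known-good FreeBSD query-pr.cgi lookup. The sample URLs and the "category/number" shape of a PR identifier are assumptions built from the one URL quoted above.

```python
from urllib.parse import urlsplit, parse_qs
import re

# Constructed sample of GET URLs as a sensor might log them: the first two
# are FreeBSD problem-report lookups like the one in the post, the rest are
# made up for the demonstration (the IP is from a documentation range).
SAMPLE_URLS = [
    "http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/169319",
    "http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/173210",
    "http://198.51.100.23/x.php?pr=1&v=2",   # constructed, not a real indicator
    "http://example.test/index.html",
]

# Shape of a FreeBSD PR identifier ("category/number"), inferred from the
# URL quoted in the post; treating it as the allowlist key is an assumption.
FREEBSD_PR_ID = re.compile(r"^[a-z]+/\d+$")


def loose_match(url: str) -> bool:
    """Mimic the reported rule behaviour: fire whenever the query has pr=."""
    query = urlsplit(url).query
    return "pr" in parse_qs(query, keep_blank_values=True)


def is_freebsd_pr_lookup(url: str) -> bool:
    """Known-good FreeBSD problem-report lookup via query-pr.cgi (allowlist)."""
    parts = urlsplit(url)
    if parts.hostname != "www.freebsd.org" or parts.path != "/cgi/query-pr.cgi":
        return False
    values = parse_qs(parts.query).get("pr", [])
    return len(values) == 1 and bool(FREEBSD_PR_ID.match(values[0]))


def alerts(urls, suppress_known_good=True):
    """Return the URLs that would alert; optionally drop the FreeBSD lookups."""
    hits = []
    for url in urls:
        if not loose_match(url):
            continue
        if suppress_known_good and is_freebsd_pr_lookup(url):
            continue
        hits.append(url)
    return hits


if __name__ == "__main__":
    for u in alerts(SAMPLE_URLS, suppress_known_good=False):
        print("loose match:", u)
    for u in alerts(SAMPLE_URLS):
        print("after suppressing known-good:", u)
```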

