[Emerging-Sigs] 2 SIGS: W32/Dexter & W32/Stabuniq

Kevin Ross kevross33 at googlemail.com
Wed Dec 26 05:06:57 HAST 2012


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Dexter Infostealer CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"page="; http_client_body; depth:5; content:"&spec="; distance:0; content:"&opt="; distance:0; content:"var="; distance:0; content:"val="; distance:0; classtype:trojan-activity; reference:url,contagiodump.blogspot.co.uk/2012/12/dexter-pos-infostealer-samples-and.html; sid:139311; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Stabuniq CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"/rssnews.php"; http_uri; content:!"User-Agent|3A|"; http_header; content:"id="; http_client_body; depth:3; content:"&varname="; distance:0; content:"&comp="; distance:0; content:"&src="; distance:0; classtype:trojan-activity; reference:url,contagiodump.blogspot.co.uk/2012/12/dec-2012-trojanstabuniq-samples.html; reference:url,www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers; sid:139312; rev:1;)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20121226/c94cf702/attachment.html>
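As an added illustration (not part of Kevin Ross's post and not Emerging Threats code), the Python sketch below re-implements the content-matching logic of the two rules above and runs it over constructed HTTP POSTs, so the depth/distance chaining and the negated User-Agent check can be sanity-checked offline before the rules go into a sensor. It is a hypothetical emulator, not Snort or Suricata: it treats the contents that follow the first http_client_body match as body matches (the evident intent of the rules), ignores the $HOME_NET/$HTTP_PORTS/flow constraints, and its sample bodies are invented to satisfy the patterns, not captured Dexter or Stabuniq traffic.

```python
"""Emulate the content-match logic of the two posted ET rules over
constructed HTTP POSTs.  Hypothetical helper written for this page;
not an IDS engine and not ET code.  All sample requests are constructed."""
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header_block(self) -> bytes:
        # Raw header lines, roughly what the http_header buffer exposes.
        return b"".join(f"{k}: {v}\r\n".encode() for k, v in self.headers.items())


def ordered_match(buf: bytes, patterns, first_depth=None) -> bool:
    """Chain of content matches: every pattern must occur at or after the
    end of the previous one (distance:0).  `first_depth` restricts the
    first pattern to the first N bytes of the buffer (depth:N)."""
    pos = 0
    for i, pat in enumerate(patterns):
        if i == 0 and first_depth is not None:
            idx = buf[:first_depth].find(pat)   # pattern must fit inside depth
        else:
            idx = buf.find(pat, pos)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True


def matches_dexter(req: HttpRequest) -> bool:
    """ET TROJAN W32/Dexter Infostealer CnC POST: POST method, body starting
    with page= (depth:5) followed in order by &spec=, &opt=, var=, val=."""
    return req.method == "POST" and ordered_match(
        req.body, [b"page=", b"&spec=", b"&opt=", b"var=", b"val="], first_depth=5)


def matches_stabuniq(req: HttpRequest) -> bool:
    """ET TROJAN W32/Stabuniq CnC POST: POST to /rssnews.php with NO
    User-Agent header (negated, case-sensitive as written) and a body
    starting with id= (depth:3) followed by &varname=, &comp=, &src=."""
    return (req.method == "POST"
            and b"/rssnews.php" in req.uri.encode()
            and b"User-Agent:" not in req.header_block()
            and ordered_match(req.body,
                              [b"id=", b"&varname=", b"&comp=", b"&src="],
                              first_depth=3))


RULES = {
    "ET TROJAN W32/Dexter Infostealer CnC POST": matches_dexter,
    "ET TROJAN W32/Stabuniq CnC POST": matches_stabuniq,
}

# Constructed samples: shaped to exercise the rules, not real C2 traffic.
# URIs and parameter values are invented.
SAMPLES = {
    "dexter_like": HttpRequest(
        "POST", "/gateway.php",
        {"Host": "example.invalid", "User-Agent": "Mozilla/4.0"},
        b"page=AAAA&spec=BBBB&opt=1&var=CCCC&val=DDDD"),
    "stabuniq_like": HttpRequest(
        "POST", "/rssnews.php", {"Host": "example.invalid"},
        b"id=1&varname=x&comp=WIN-PC&src=0"),
    "stabuniq_with_ua": HttpRequest(          # User-Agent present: negation fails
        "POST", "/rssnews.php",
        {"Host": "example.invalid", "User-Agent": "Mozilla/4.0"},
        b"id=1&varname=x&comp=WIN-PC&src=0"),
    "benign_form": HttpRequest(
        "POST", "/login",
        {"Host": "example.invalid", "User-Agent": "Mozilla/5.0"},
        b"user=alice&password=hunter2"),
}


def alerts_for(req: HttpRequest) -> list:
    """Return the msg strings of every rule that fires on `req`."""
    return [msg for msg, fn in RULES.items() if fn(req)]


def run_samples() -> dict:
    return {name: alerts_for(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        print(f"{name}: {hits or 'no alert'}")
```

Two things the emulation makes visible: the depth values pin "page=" and "id=" to the very start of the body, so a body with any parameter prepended would not trigger either rule, and the Stabuniq negation is a plain case-sensitive byte match (no nocase), so a client sending a lowercase "user-agent:" header name is treated as having no User-Agent at all.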