[Emerging-Sigs] SIGS: ET TROJAN W32/Downloader.FakeFlashPlayer

Kevin Ross kevross33 at googlemail.com
Thu Dec 27 15:20:23 HAST 2012


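# ET TROJAN W32/Downloader.FakeFlashPlayer: client registration beacon.
# Fires on an outbound HTTP request whose URI carries the registration
# parameters type, uniqid, winver, compusername and compnetname. The content
# matches have no distance/within, so the parameters may appear in any order
# after the script name. The script name is the longest and most specific
# token, so it is pinned as the fast_pattern; the parameter names only
# confirm the match. NOTE(review): the sid looks like a submission
# placeholder - ET assigns the final sid on merge.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Clientregister.php CnC Beacon"; flow:established,to_server; content:"/clientregister.php?type="; http_uri; fast_pattern; content:"&uniqid="; http_uri; content:"&winver="; http_uri; content:"&compusername="; http_uri; content:"&compnetname="; http_uri; classtype:trojan-activity; sid:1239991; rev:1;)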

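# ET TROJAN W32/Downloader.FakeFlashPlayer: status check-in beacon.
# Fires on an outbound HTTP request to status.php whose URI carries cliver
# (presumably the client version), uniqid and langid. The script-name match
# is the most specific token and is pinned as the fast_pattern; the two
# remaining parameter names can appear anywhere in the URI.
# NOTE(review): the sid looks like a submission placeholder - ET assigns
# the final sid on merge.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Status.Php CnC Beacon"; flow:established,to_server; content:"/status.php?cliver="; http_uri; fast_pattern; content:"&uniqid="; http_uri; content:"&langid="; http_uri; classtype:trojan-activity; sid:1239992; rev:1;)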

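# ET TROJAN W32/Downloader.FakeFlashPlayer: "bitensiteler" beacon.
# Unlike the two rules above this one does not pin a script name; the
# ".php?type=" match is generic and would hit a great deal of ordinary
# traffic on its own. All of the specificity comes from the uncommon
# parameter name "bitensiteler=", so it is pinned as the fast_pattern.
# Note that "bitensiteler=" is matched without a leading "&", unlike the
# other parameters, so it also matches as the first parameter or as the
# tail of a longer parameter name; that is kept as submitted.
# NOTE(review): the sid looks like a submission placeholder - ET assigns
# the final sid on merge.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Bitensiteler CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&uniqid="; http_uri; content:"&langid="; http_uri; content:"&ver="; http_uri; content:"bitensiteler="; http_uri; fast_pattern; classtype:trojan-activity; sid:1239993; rev:1;)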

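# ET TROJAN W32/Downloader.FakeFlashPlayer: "kelimeid" beacon.
# As with the previous rule, ".php?type=" is a generic anchor; the match
# is made specific by the uncommon parameter names kelimeid, gecenzaman,
# gezilensayfa and delcookies. "&gezilensayfa=" is the longest of them and
# is pinned as the fast_pattern. NOTE(review): "&kelimeid" is the only
# parameter matched without a trailing "="; confirm with the submitter
# whether that is intentional (it also matches e.g. "&kelimeid2=") or a
# typo. The sid looks like a submission placeholder - ET assigns the
# final sid on merge.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downloader.FakeFlashPlayer Kelimeid CnC Beacon"; flow:established,to_server; content:".php?type="; http_uri; content:"&kelimeid"; http_uri; content:"&gecenzaman="; http_uri; content:"&gezilensayfa="; http_uri; fast_pattern; content:"&delcookies="; http_uri; classtype:trojan-activity; sid:1239994; rev:1;)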

Regards,
Kevin

