[Emerging-Sigs] RogueAV (.BKM) Sig

yew chuan Ong yewchuan_23 at yahoo.com
Mon Dec 31 07:52:27 HAST 2012


Hi,

I am thinking about how we can put all four URIs into one signature. I would appreciate it if anyone can help.

***
This RogueAV traffic originates after a machine has been infected.

HTTP Request Method = GET
HTTP URI Fields = “*/api/test” or “*/api/ping?stage=*” or “*/html/viruslist/?uid=*” OR “*/content/scc”
***

Ref: http://www.malwaresigs.com/2012/12/31/rogueav-bkm-post-compromise-traffic/



Regards
YC
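
One way to fold the four URI patterns into a single PCRE and check it offline before writing it into a rule (an added example, not part of the original post or of any Emerging Threats ruleset). It assumes a leading `*` means any path prefix, a trailing `*` means any value, and a pattern with no trailing `*` ends the URI; the sid, msg text and sample requests are constructed placeholders.

```python
import re

# Assumption: "*/api/test" and "*/content/scc" end the URI, while
# "*/api/ping?stage=*" and "*/html/viruslist/?uid=*" allow any trailing value.
COMBINED = r"/(?:api/(?:test$|ping\?stage=)|html/viruslist/\?uid=|content/scc$)"
URI_RE = re.compile(COMBINED)

def is_match(method, uri):
    """True when a request fits the description: GET plus one of the four URIs."""
    return method == "GET" and URI_RE.search(uri) is not None

def build_rule(sid=1000001):
    """Render the same regex as a Snort/Suricata-style rule (placeholder sid, msg)."""
    pcre = COMBINED.replace("/", r"\/")  # escape the PCRE delimiter
    # Note: with no URI content match for the fast-pattern matcher, this rule
    # is evaluated on every GET; measure the cost before deploying it.
    return (
        "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ("
        'msg:"LOCAL RogueAV (.BKM) post-compromise URI (example)"; '
        'flow:established,to_server; content:"GET"; http_method; '
        f'pcre:"/{pcre}/U"; classtype:trojan-activity; sid:{sid}; rev:1;)'
    )

# Constructed sample requests (not captured traffic): (method, uri, expected).
SAMPLES = [
    ("GET", "/api/test", True),
    ("GET", "/x/api/ping?stage=2", True),
    ("GET", "/html/viruslist/?uid=abc123", True),
    ("GET", "/a/b/content/scc", True),
    ("GET", "/api/testing", False),      # longer path, not the beacon URI
    ("GET", "/content/scc.js", False),   # static file that shares a prefix
    ("GET", "/api/ping", False),         # missing the stage= parameter
    ("POST", "/api/test", False),        # wrong method
]

def run_samples():
    """Evaluate every constructed sample and return (method, uri, hit) tuples."""
    return [(m, u, is_match(m, u)) for m, u, _ in SAMPLES]

if __name__ == "__main__":
    for method, uri, hit in run_samples():
        print(f"{'HIT ' if hit else 'miss'} {method} {uri}")
    print(build_rule())
```

The negative samples are the useful part: dropping the `$` anchors would make `/api/testing` and `/content/scc.js` alert as well.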