[Emerging-Sigs] SIG: ET CURRENT_EVENTS W32/Zbot Download Invoice Spam Campaign 10th Sep 2014

Darien Huss dhuss at emergingthreats.net
Thu Sep 11 09:15:29 EDT 2014


Thanks Kevin, we'll get that into QA!

Regards,
Darien

On Thu, Sep 11, 2014 at 5:42 AM, Kevin Ross <kevross33 at googlemail.com>
wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS W32/Zbot Download Invoice Spam Campaign 10th Sep 2014";
> flow:established,to_server; content:"/Invoice_"; nocase; http_uri; depth:9;
> content:".exe"; http_uri; pcre:"/^\x2FInvoice\x5F\d{5,}\x2Eexe$/Ui";
> classtype:trojan-activity; reference:md5,bdf12366779ce94178c2d1e495565d2b;
> sid:1239991; rev:1;)
>
>
> Kind Regards,
> Kevin Ross
>
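An added example, not part of the original thread or the Emerging Threats ruleset: a Python emulation of the three `http_uri` checks in the submitted rule, run over constructed URIs to show which requests alert and which rule option rejects the rest. It assumes each string is the already-normalized URI buffer; `first_failed_check`, `rule_matches` and the sample URIs are hypothetical names and data.

```python
import re

# pcre from the rule; /U means "match the URI buffer", /i becomes IGNORECASE.
RULE_PCRE = re.compile(r"^\x2FInvoice\x5F\d{5,}\x2Eexe$", re.IGNORECASE | re.ASCII)


def first_failed_check(uri):
    """Return the first rule option that rejects `uri`, or None if the rule matches.

    `uri` is assumed to be the normalized request URI (the http_uri buffer).
    """
    # content:"/Invoice_"; nocase; http_uri; depth:9;
    # A 9-byte pattern with depth:9 can only match at offset 0, in any case.
    if uri[:9].lower() != "/invoice_":
        return "content:/Invoice_"
    # content:".exe"; http_uri;  (no nocase, so this comparison is case-sensitive)
    if ".exe" not in uri:
        return "content:.exe"
    # pcre: the whole buffer must be /Invoice_<five or more digits>.exe
    if RULE_PCRE.search(uri) is None:
        return "pcre"
    return None


def rule_matches(uri):
    """True when all three http_uri options of the rule accept `uri`."""
    return first_failed_check(uri) is None


# Constructed sample URIs (not observed campaign traffic).
SAMPLES = [
    "/Invoice_12345.exe",
    "/INVOICE_0000123.exe",
    "/Invoice_1234.exe",         # only four digits
    "/Invoice_12345.EXE",        # extension in upper case
    "/files/Invoice_12345.exe",  # pattern not at the start of the URI
    "/Invoice_12345.exe?id=1",   # trailing query string
]

if __name__ == "__main__":
    for uri in SAMPLES:
        failed = first_failed_check(uri)
        verdict = "ALERT" if failed is None else "no alert (" + failed + ")"
        print(f"{uri:28} {verdict}")
```

The upper-case extension is rejected by the plain `content:".exe"` option even though the pcre carries the `i` flag, which is worth checking during QA of the rule's coverage.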