[Emerging-Sigs] W32/Kyle Should Be Trojan?

Darien Huss dhuss at emergingthreats.net
Thu Sep 18 08:35:14 EDT 2014

For Stan, were those two beacons the only ones that occurred around that
specific event? If so then we can do up a sig for one of those (the session
UA/POST one looks like it could be a good candidate). For Kyle, all we have
seen it download is SoftPulse so far. Could you share the pcap off-list?


On Thu, Sep 18, 2014 at 6:53 AM, Kevin Ross <kevross33 at googlemail.com>

> Also these beacons to the Stan part which was detected only by session UA
> sig and one my own (lots of sigs look for malware looking POST stuff and
> then set flowbit for this final sig to be fired - works pretty well
> although I don't want to depress myself looking at the performance although
> done my best :) )
> Anyway just a heads up for other indicators for people to look at.
> On 18 September 2014 10:19, Kevin Ross <kevross33 at googlemail.com> wrote:
>> Hi,
>> I am wondering if the W32/Kyle sig should be updated to ET Trojan? I saw
>> it this morning downloading a file which while it apparently was corrupted
>> even though I had no missing bytes (going to manually carve again from
>> recovered PCAP to be sure) Virsutotal suggests on 1 AV suggested it was
>> Zeus:
>> https://www.virustotal.com/en/file/0f01ae1eeed77b3cadd6fdc53cc3d43b244da172b32f389890cf48914a060941/analysis/
>> Kind regards,
>> Kevin Ross
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20140918/529cac90/attachment.html>

More information about the Emerging-sigs mailing list