[Emerging-Sigs] W32/Kyle Should Be Trojan?
dhuss at emergingthreats.net
Thu Sep 18 08:35:14 EDT 2014
For Stan, were those two beacons the only ones that occurred around that
specific event? If so then we can do up a sig for one of those (the session
UA/POST one looks like it could be a good candidate). For Kyle, all we have
seen it download is SoftPulse so far. Could you share the pcap off-list?
On Thu, Sep 18, 2014 at 6:53 AM, Kevin Ross <kevross33 at googlemail.com>
> Also these beacons to the Stan part which was detected only by session UA
> sig and one of my own (lots of sigs look for malware-looking POST stuff and
> then set flowbit for this final sig to be fired - works pretty well
> although I don't want to depress myself looking at the performance although
> done my best :) )
> Anyway just a heads up for other indicators for people to look at.
> On 18 September 2014 10:19, Kevin Ross <kevross33 at googlemail.com> wrote:
>> I am wondering if the W32/Kyle sig should be updated to ET Trojan? I saw
>> it this morning downloading a file which while it apparently was corrupted
>> even though I had no missing bytes (going to manually carve again from
>> recovered PCAP to be sure) VirusTotal suggests on 1 AV suggested it was
>> Kind regards,
>> Kevin Ross
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> Support Emerging Threats! Subscribe to Emerging Threats Pro