[Emerging-Sigs] Upatre change

Packet Sleuth p4ck37sleuth at gmail.com
Mon Sep 22 08:28:50 EDT 2014


Attempted to send this late Friday, but it failed.  Wanted to get it in.
Haven't had time to test them yet.  This is being reported as Upatre by
some of the AV vendors when submitted to Virus Total.

# Client request: User-Agent "Installer" as the first header, followed by a Host header carrying a bare IPv4 address
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Upatre Suspicious User-Agent (Installer) with IP Host"; flow:established,to_server; content:"User-Agent|3a20|Installer|0d0a|"; nocase; http_header; pcre:"/^User-Agent\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

# Server response: Content-Type application/x-tar, with "Vary: Accept-Encoding,User-Agent" or "Vary: User-Agent" as the last header before the body
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Upatre downloading purported Tar file"; flow:to_client,established; content:"Content-Type|3a20|application/x-tar|0d0a|"; nocase; http_header; content:"Vary|3a20|"; nocase; http_header; pcre:"/Vary\x3a\x20(Accept-Encoding,)?User-Agent\r\n\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

Regards,
Packet Sleuth
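The two rules above were posted untested, so the following is an added example (not part of the original post and not ET's own tooling) that exercises the same content and pcre conditions in Python against constructed HTTP samples. It approximates the http_header buffer as everything after the request/status line up to and including the terminating CRLF CRLF (an assumption about buffer layout; Snort and Suricata normalise headers slightly differently, so treat it as a logic check, not a substitute for replaying a pcap through the IDS). The request pattern is written with the full header name `User-Agent`, which is what the rule's content match looks for. The sample requests and responses are constructed, not captured traffic.

```python
import re

# Rule 1 conditions (client -> server): content match, then the pcre over the header buffer.
UA_CONTENT = "user-agent: installer\r\n"
UA_PCRE = re.compile(
    r"^User-Agent\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n",
    re.IGNORECASE,
)

# Rule 2 conditions (server -> client): two content matches, then the pcre.
TAR_CONTENT = "content-type: application/x-tar\r\n"
VARY_CONTENT = "vary: "
VARY_PCRE = re.compile(
    r"Vary\x3a\x20(Accept-Encoding,)?User-Agent\r\n\r\n", re.IGNORECASE
)


def http_header_buffer(raw: str) -> str:
    """Approximate the http_header buffer (assumption): drop the request/status
    line, keep the headers up to and including the terminating CRLF CRLF."""
    first_crlf = raw.find("\r\n")
    if first_crlf < 0:
        return ""
    headers = raw[first_crlf + 2:]
    end = headers.find("\r\n\r\n")
    return headers if end < 0 else headers[: end + 4]


def matches_installer_ua(raw_request: str) -> bool:
    """Rule 1: 'content ... nocase' is a case-insensitive substring test; the
    pcre with /H and /i then runs over the same buffer, '^' anchored to its start."""
    buf = http_header_buffer(raw_request)
    if UA_CONTENT not in buf.lower():
        return False
    return UA_PCRE.search(buf) is not None


def matches_tar_download(raw_response: str) -> bool:
    """Rule 2: both content matches must hit, then the pcre requires the Vary
    header to be the last header (it must be followed directly by CRLF CRLF)."""
    buf = http_header_buffer(raw_response)
    low = buf.lower()
    if TAR_CONTENT not in low or VARY_CONTENT not in low:
        return False
    return VARY_PCRE.search(buf) is not None


# Constructed samples (not from the post). 192.0.2.0/24 is documentation address space.
INSTALLER_REQUEST = (
    "GET /download HTTP/1.1\r\n"
    "User-Agent: Installer\r\n"
    "Host: 192.0.2.10\r\n"
    "\r\n"
)
# Same User-Agent, but Host is a name and comes first: content hits, pcre does not.
NON_MATCHING_REQUEST = (
    "GET /archive.tar HTTP/1.1\r\n"
    "Host: files.example.com\r\n"
    "User-Agent: Installer\r\n"
    "\r\n"
)
TAR_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/x-tar\r\n"
    "Content-Length: 12345\r\n"
    "Vary: Accept-Encoding,User-Agent\r\n"
    "\r\n"
)
# Vary is present but not the last header, so the pcre's trailing CRLF CRLF fails.
NON_MATCHING_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Vary: User-Agent\r\n"
    "Content-Type: application/x-tar\r\n"
    "\r\n"
)


def run_samples() -> dict:
    """Evaluate every constructed sample; returns a name -> bool map."""
    return {
        "installer_request": matches_installer_ua(INSTALLER_REQUEST),
        "non_matching_request": matches_installer_ua(NON_MATCHING_REQUEST),
        "tar_response": matches_tar_download(TAR_RESPONSE),
        "non_matching_response": matches_tar_download(NON_MATCHING_RESPONSE),
    }


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name}: {'ALERT' if fired else 'no match'}")
```

The two negative samples are the useful ones: they show that both rules depend on header order, not just header presence (User-Agent first in the request; Vary last in the response), which is worth keeping in mind when reviewing false negatives against real Upatre traffic.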