[Emerging-Sigs] Upatre change

Darien Huss dhuss at emergingthreats.net
Mon Sep 22 08:32:47 EDT 2014


Thanks, we'll take a look at these and get them into QA!

Regards,
Darien

On Mon, Sep 22, 2014 at 8:28 AM, Packet Sleuth <p4ck37sleuth at gmail.com>
wrote:

> Attempted to send this late Friday, but it failed.  Wanted to get it in.
> Haven't had time to test them yet.  This is being reported as Upatre by
> some of the AV vendors when submitted to Virus Total.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Upatre Suspicious User-Agent (Installer) with IP Host";
> flow:established,to_server; content:"User-Agent|3a20|Installer|0d0a|";
> nocase; http_header; pcre:
> "/^User-Agent\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n/Hi";
> reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity;
> sid:xxxxxx; rev:1;)
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
> Upatre downloading purported Tar file"; flow:to_client,established;
> content:"Content-Type|3a20|application/x-tar|0d0a|"; nocase; http_header;
> content:"Vary|3a20|"; nocase; http_header; pcre:
> "/Vary\x3a\x20(Accept-Encoding,)?User-Agent\r\n\r\n/Hi";
> reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity;
> sid:xxxxxx; rev:1;)
>
> Regards,
> Packet Sleuth
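An offline check of the two submitted rules' match logic, added here as an example and not part of the list thread or the ET ruleset: it expands the Snort content notation, applies the same pcre patterns to constructed header blocks, and reports which samples would fire. It assumes the request pcre names the User-Agent header, as its paired content clause does, and the header samples are made up, not captures.

```python
import re

def content_to_bytes(content: str) -> bytes:
    """Expand Snort/Suricata content notation, e.g. 'Host|3a20|' -> b'Host: '."""
    def hexpart(m):
        return bytes.fromhex(m.group(1).replace(" ", "")).decode("latin-1")
    return re.sub(r"\|([0-9a-fA-F ]+)\|", hexpart, content).encode("latin-1")

# Matches from the two submitted rules. The request pcre is taken to name the
# User-Agent header, as its paired content match does (assumption).
REQ_CONTENT = content_to_bytes("User-Agent|3a20|Installer|0d0a|")
REQ_PCRE = re.compile(
    rb"^User-Agent\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n",
    re.IGNORECASE)
RESP_CONTENT = [content_to_bytes("Content-Type|3a20|application/x-tar|0d0a|"),
                content_to_bytes("Vary|3a20|")]
RESP_PCRE = re.compile(rb"Vary\x3a\x20(Accept-Encoding,)?User-Agent\r\n\r\n",
                       re.IGNORECASE)

def request_rule_fires(http_header: bytes) -> bool:
    """Rule 1: nocase content hit plus the pcre. With /H and no /m the ^ anchors
    to the start of the header buffer, so User-Agent must be the first header."""
    return (REQ_CONTENT.lower() in http_header.lower()
            and REQ_PCRE.search(http_header) is not None)

def response_rule_fires(http_header: bytes) -> bool:
    """Rule 2: x-tar Content-Type, a Vary header, and Vary closing the block."""
    lowered = http_header.lower()
    return (all(c.lower() in lowered for c in RESP_CONTENT)
            and RESP_PCRE.search(http_header) is not None)

# Constructed header blocks (what Snort exposes as http_header); not real captures.
UPATRE_LIKE_REQUEST = (b"User-Agent: Installer\r\n"
                       b"Host: 203.0.113.10\r\n"
                       b"Connection: Keep-Alive\r\n\r\n")
NAMED_HOST_REQUEST = (b"User-Agent: Installer\r\n"
                      b"Host: updates.example.net\r\n\r\n")
TAR_RESPONSE = (b"Content-Type: application/x-tar\r\n"
                b"Vary: Accept-Encoding,User-Agent\r\n\r\n")
OTHER_TAR_RESPONSE = (b"Content-Type: application/x-tar\r\n"
                      b"Vary: Accept-Encoding\r\n\r\n")

if __name__ == "__main__":
    for name, fn, sample in [("request/IP host", request_rule_fires, UPATRE_LIKE_REQUEST),
                             ("request/named host", request_rule_fires, NAMED_HOST_REQUEST),
                             ("response/x-tar+Vary UA", response_rule_fires, TAR_RESPONSE),
                             ("response/x-tar only", response_rule_fires, OTHER_TAR_RESPONSE)]:
        print(f"{name}: {'ALERT' if fn(sample) else 'no match'}")
```

Running it shows the first rule depends on header order because of the unanchored-by-line `^`, which is worth confirming against real Upatre traffic during QA.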

