[Emerging-Sigs] Upatre change

Steve Eskew SEskew at jackhenry.com
Mon Sep 22 08:49:28 EDT 2014


Just saw an error in the first one.  What I get for working late.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Upatre Suspicious User-Agent (Installer) with IP Host"; flow:established,to_server; content:"User-Agent|3a20|Installer|0d0a|"; nocase; http_header; pcre:"/^User\x2dAgent\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

Packet Sleuth


From: emerging-sigs-bounces at lists.emergingthreats.net [mailto:emerging-sigs-bounces at lists.emergingthreats.net] On Behalf Of Darien Huss
Sent: Monday, September 22, 2014 7:33 AM
To: Packet Sleuth
Cc: Emerging Sigs
Subject: Re: [Emerging-Sigs] Upatre change

Thanks, we'll take a look at these and get them into QA!

Regards,
Darien

On Mon, Sep 22, 2014 at 8:28 AM, Packet Sleuth <p4ck37sleuth at gmail.com> wrote:
Attempted to send this late Friday, but it failed.  Wanted to get it in.  Haven't had time to test them yet.  This is being reported as Upatre by some of the AV vendors when submitted to Virus Total.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Upatre Suspicious User-Agent (Installer) with IP Host"; flow:established,to_server; content:"User-Agent|3a20|Installer|0d0a|"; nocase; http_header; pcre:"/^User\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Upatre downloading purported Tar file"; flow:to_client,established; content:"Content-Type|3a20|application/x-tar|0d0a|"; nocase; http_header; content:"Vary|3a20|"; nocase; http_header; pcre:"/Vary\x3a\x20(Accept-Encoding,)?User-Agent\r\n\r\n/Hi"; reference:md5,8f602ab1e9288adbb80a93e50bdbe144; classtype:trojan-activity; sid:xxxxxx; rev:1;)

Regards,
Packet Sleuth

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs at lists.emergingthreats.net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
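As an added check that is not part of the thread, a small Python harness that decodes the content values of the two rules above and runs their PCREs against constructed HTTP messages; it shows why the first User-Agent regex (`^User\x3a`) could never fire while the corrected one does. The header-buffer model is a simplifying assumption, not the engine's actual normalisation.

```python
import re

# Constructed sample HTTP messages (not captured traffic), CRLF-delimited as on the wire.
SAMPLE_REQUEST = (
    "GET /update.tar HTTP/1.1\r\n"
    "User-Agent: Installer\r\n"
    "Host: 192.0.2.10\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/x-tar\r\n"
    "Vary: Accept-Encoding,User-Agent\r\n\r\n"
)

# Option values taken from the rules posted in the thread.
UA_CONTENT = "User-Agent|3a20|Installer|0d0a|"
ORIGINAL_UA_PCRE = r"^User\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n"
CORRECTED_UA_PCRE = r"^User\x2dAgent\x3a\sInstaller\r\nHost\x3a\s\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b\r\n"
TAR_CONTENTS = ["Content-Type|3a20|application/x-tar|0d0a|", "Vary|3a20|"]
VARY_PCRE = r"Vary\x3a\x20(Accept-Encoding,)?User-Agent\r\n\r\n"


def decode_content(value: str) -> str:
    """Expand the |hex| sections of a content value, e.g. |3a20| -> ': '."""
    parts = value.split("|")
    # Odd-indexed pieces sit between pipe characters and hold hex bytes.
    return "".join(bytes.fromhex(p).decode("latin-1") if i % 2 else p
                   for i, p in enumerate(parts))


def header_block(message: str) -> str:
    """Approximate the buffer the /H (http_header) modifier inspects: the headers
    after the request/status line, so '^' anchors at the first header.
    Assumption: a simplified model of the engine's normalised header buffer."""
    return message.split("\r\n", 1)[1]


def rule_fires(contents, pcre_body: str, message: str) -> bool:
    """True when every nocase content match and the /i PCRE hit the header block."""
    headers = header_block(message)
    lowered = headers.lower()
    if not all(decode_content(c).lower() in lowered for c in contents):
        return False
    return re.search(pcre_body, headers, re.IGNORECASE) is not None
```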