[Emerging-Sigs] Win32.Downloader.Small.BIL - CnC Checking rule

Arvind Kumar arvind.kumar12 at gmail.com
Sun Dec 10 03:12:52 HST 2017


Hi Guys,

Please find the attached rule and pcap.

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS
(msg:"Win32.Downloader.Small.BIL - CnC Checking";
flow:established,to_server; content:"GET"; http_method;
content:"/dll/index.php?a=Te"; http_uri; fast_pattern;
content:!"User-Agent:"; http_header;
metadata: former_category TROJAN;
reference:md5,4C669A60719FC1051FB336CB25B209FD;
classtype:trojan-activity; sid:2xxxxxx; rev:1;
metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit,
attack_target Client_Endpoint, deployment Perimeter,
signature_severity Major, created_at 2017_12_10,
malware_family Small.BIL, performance_impact Moderate,
updated_at 2017_12_10;)


Warm regards
Arvind Kumar
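The rule's match logic replayed over raw HTTP requests, as an added Python example that is not code from the post; the sample requests are constructed, not taken from the attached pcap:

```python
# Added example (not part of the post): replays the rule's three content
# checks over raw HTTP requests so the logic can be exercised offline.
# Sample requests below are constructed, not taken from the attached pcap.

URI_PATTERN = b"/dll/index.php?a=Te"   # content on http_uri (no nocase, so case-sensitive)
UA_HEADER = b"User-Agent:"             # negated content on http_header, also case-sensitive


def parse_request(raw: bytes):
    """Split a raw request into (method, uri, header_block) or None if malformed."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    method, uri, _version = parts
    return method, uri, header_block


def rule_matches(raw: bytes) -> bool:
    """True when every content check of the rule holds on this request.

    The checks are ANDed: http_method must be GET, the http_uri buffer must
    contain URI_PATTERN, and the http_header buffer (headers only, request
    line excluded) must NOT contain 'User-Agent:'. The negated check is what
    keeps the rule narrow: browsers send a User-Agent, this downloader does not.
    """
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, header_block = parsed
    return (method == b"GET"
            and URI_PATTERN in uri
            and UA_HEADER not in header_block)


# Constructed samples: one that should alert, two that should not.
SAMPLE_HIT = (b"GET /dll/index.php?a=Te&b=1 HTTP/1.1\r\n"
              b"Host: example.invalid\r\n\r\n")
SAMPLE_WITH_UA = (b"GET /dll/index.php?a=Te HTTP/1.1\r\n"
                  b"Host: example.invalid\r\n"
                  b"User-Agent: Mozilla/5.0\r\n\r\n")
SAMPLE_OTHER_URI = (b"GET /index.php?a=Te HTTP/1.1\r\n"
                    b"Host: example.invalid\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("hit", SAMPLE_HIT), ("with_ua", SAMPLE_WITH_UA),
                      ("other_uri", SAMPLE_OTHER_URI)]:
        print(name, rule_matches(req))
```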

