[Emerging-Sigs] Win32.Downloader.Small.BIL - CnC Checking rule

James Emery-Callcott jcallcott at emergingthreats.net
Mon Dec 11 05:46:48 HST 2017


Hi Arvind,

Thanks for sending this in.

We'll take a look and push to QA.

Thanks,
James.

On Sun, Dec 10, 2017 at 1:12 PM, Arvind Kumar <arvind.kumar12 at gmail.com>
wrote:

> Hi Guys,
>
> Please find the attached rule and pcap.
>
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"Win32.Downloader.Small.BIL - CnC Checking";
> flow:established,to_server;  content:"GET";  http_method;
> content:"/dll/index.php?a=Te";  http_uri;  fast_pattern;
> content:!"User-Agent:"; http_header; metadata: former_category TROJAN;
> reference:md5,4C669A60719FC1051FB336CB25B209FD;
> classtype:trojan-activity;  sid:2xxxxxx;  rev:1;
> metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit,
> attack_target Client_Endpoint,
> deployment Perimeter, signature_severity Major, created_at 2017_12_10,
> malware_family Small.BIL,
> performance_impact Moderate, updated_at 2017_12_10; )
>
>
> Warm regards
> Arvind Kumar
>


-- 
*James Emery-Callcott*
Security Researcher
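Added here as an illustration and not code from either message in the thread: a small Python evaluator that mirrors the three detection conditions of the submitted rule (GET method, the "/dll/index.php?a=Te" URI substring, and a negated, case-sensitive match on "User-Agent:" in the header block) and runs them over constructed HTTP requests. The sample requests and helper names are assumptions; the code does not model Suricata's buffer normalisation, ports or flow tracking, only this rule's logic.

```python
from typing import List, Optional, Tuple

# Literal values taken from the submitted rule.
RULE_MSG = "Win32.Downloader.Small.BIL - CnC Checking"
URI_PATTERN = "/dll/index.php?a=Te"   # content:"/dll/index.php?a=Te"; http_uri
UA_PATTERN = "User-Agent:"            # content:!"User-Agent:"; http_header


def split_request(raw: str) -> Optional[Tuple[str, str, str]]:
    """Return (method, uri, header_block) or None if the request line is malformed."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, _, header_block = head.partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], header_block


def rule_matches(raw: str) -> bool:
    """True when a client request satisfies every content condition of the rule.

    Only client-to-server requests are fed in, which stands in for
    flow:established,to_server; malformed input never matches.
    """
    parsed = split_request(raw)
    if parsed is None:
        return False
    method, uri, header_block = parsed
    if method != "GET":                 # content:"GET"; http_method
        return False
    if URI_PATTERN not in uri:          # fast_pattern substring on the URI
        return False
    # Negated match. The rule carries no nocase, so, like the rule,
    # this comparison is case-sensitive on the header name.
    return UA_PATTERN not in header_block


def alerts(requests: List[str]) -> List[int]:
    """Indices of the requests that would raise the alert."""
    return [i for i, r in enumerate(requests) if rule_matches(r)]


# Constructed sample requests (hypothetical, not captured traffic).
CHECKIN = "GET /dll/index.php?a=Te&b=1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
BROWSER = ("GET /dll/index.php?a=Te HTTP/1.1\r\nHost: example.invalid\r\n"
           "User-Agent: Mozilla/5.0\r\n\r\n")
OTHER = "GET /index.php?a=Te HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    print(RULE_MSG, "fires on requests:", alerts([CHECKIN, BROWSER, OTHER]))
```

Only the first sample fires: the second carries a User-Agent header and the third lacks the "/dll/" prefix the URI pattern requires.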