[Emerging-Sigs] ET TROJAN Win32/Bot.Sezin CnC Checkin

Arvind Kumar arvind.kumar12 at gmail.com
Tue Dec 12 22:45:34 HST 2017


Please find the attached rule and a link to the pcap folder:
https://www.dropbox.com/sh/q39ixzh4gvbh9fp/AACW_oZt36wmLLG4tnSkSy3da?dl=0

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Bot.Sezin CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?machine_id="; http_uri; fast_pattern; content:"&version="; http_uri; content:"&video_card="; http_uri; content:"&cpu="; http_uri; content:"&junk="; http_uri; content:!"User-Agent:"; http_header; metadata:former_category TROJAN; reference:md5,73611bd5d1d0ad865cd26b003aa525b4; reference:url,twitter.com/CryptoInsane/status/939517360389664769; classtype:trojan-activity; sid:2xxxxxx; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_13, malware_family Randrew.A, performance_impact Moderate, updated_at 2017_12_13;)


Warm regards

Arvind Kumar
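As an added example (not part of the original post and not ET code), the following Python evaluates the rule's content/modifier checks against raw HTTP requests, showing which of the URI parameters and the missing User-Agent header must all line up for the signature to fire. The sample requests, path and hostname are constructed for illustration and are not taken from the referenced pcap.

```python
import re

# The rule from the post, trimmed to the options this evaluator understands.
RULE = (
    'alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN '
    'Win32/Bot.Sezin CnC Checkin"; flow:established,to_server; content:"GET"; '
    'http_method; content:".php?machine_id="; http_uri; fast_pattern; '
    'content:"&version="; http_uri; content:"&video_card="; http_uri; '
    'content:"&cpu="; http_uri; content:"&junk="; http_uri; '
    'content:!"User-Agent:"; http_header; classtype:trojan-activity; sid:2xxxxxx; rev:1;)'
)

# Each content keyword yields (negated, pattern, buffer); the modifier that
# follows the content names the HTTP buffer it is matched against.
OPTION_RE = re.compile(r'content:(!?)"([^"]*)";\s*(http_method|http_uri|http_header)')

def parse_contents(rule):
    return [(neg == "!", pat, buf) for neg, pat, buf in OPTION_RE.findall(rule)]

def parse_request(raw):
    """Split a raw HTTP request into the buffers the rule inspects."""
    head, _, _ = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _ = request_line.split(" ", 2)
    return {"http_method": method, "http_uri": uri,
            "http_header": "\r\n".join(header_lines) + "\r\n"}

def rule_matches(rule, raw):
    """True when every positive content is present and every negated one absent."""
    buffers = parse_request(raw)
    for negated, pattern, buf in parse_contents(rule):
        if (pattern in buffers[buf]) == negated:
            return False
    return True

# Constructed sample requests (not from the pcap): the same check-in URI,
# once without and once with a User-Agent header.
CHECKIN = ("GET /gate.php?machine_id=ABC123&version=1.0&video_card=GPU&cpu=X&junk=zz HTTP/1.1\r\n"
           "Host: example.invalid\r\n\r\n")
BROWSER = ("GET /gate.php?machine_id=ABC123&version=1.0&video_card=GPU&cpu=X&junk=zz HTTP/1.1\r\n"
           "Host: example.invalid\r\n"
           "User-Agent: Mozilla/5.0\r\n\r\n")

if __name__ == "__main__":
    print(rule_matches(RULE, CHECKIN), rule_matches(RULE, BROWSER))  # True False
```

The negated header check is what keeps the rule from firing on a browser that happens to request a similar URI; dropping any one of the URI parameters also defeats the match, which is worth remembering if the bot's query string changes.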

