[Emerging-Sigs] ET TROJAN Win32/Bot.Sezin CnC Checkin

James Emery-Callcott jcallcott at emergingthreats.net
Wed Dec 13 05:48:49 HST 2017


Hi Arvind,

Thanks for sending this in.

We'll take a look at your revised signature and push to QA asap.

Thanks,
James.

On Wed, Dec 13, 2017 at 10:25 AM, Arvind Kumar <arvind.kumar12 at gmail.com>
wrote:

> Hi Guys,
>
> Minor update to signature rev2 and link to pcap folder
> https://www.dropbox.com/sh/q39ixzh4gvbh9fp/AACW_oZt36wmLLG4tnSkSy3da?dl=0
>
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Win32/Bot.Sezin CnC Checkin"; flow:established,to_server; content:"GET";
> http_method; content:".php?machine_id="; http_uri; fast_pattern;
> content:"&version="; http_uri; content:"&video_card="; http_uri;
> content:"&cpu="; http_uri; content:"&junk="; http_uri;
> content:!"User-Agent:"; http_header; metadata:former_category TROJAN;
> reference:md5,73611bd5d1d0ad865cd26b003aa525b4;
> reference:url,twitter.com/CryptoInsane/status/939517360389664769;
> classtype:trojan-activity; sid:2xxxxxx; rev:2;
> metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit,
> attack_target Client_Endpoint, deployment Perimeter, signature_severity
> Major, created_at 2017_12_13, malware_family Sezin, performance_impact
> Moderate, updated_at 2017_12_13;)
>
> On Wed, Dec 13, 2017 at 2:15 PM, Arvind Kumar <arvind.kumar12 at gmail.com>
> wrote:
>
>> Please find the attached rule and link to pcap folder
>> https://www.dropbox.com/sh/q39ixzh4gvbh9fp/AACW_oZt36wmLLG4tnSkSy3da?dl=0
>>
>> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
>> Win32/Bot.Sezin CnC Checkin"; flow:established,to_server; content:"GET";
>> http_method; content:".php?machine_id="; http_uri; fast_pattern;
>> content:"&version="; http_uri; content:"&video_card="; http_uri;
>> content:"&cpu="; http_uri; content:"&junk="; http_uri;
>> content:!"User-Agent:"; http_header; metadata:former_category TROJAN;
>> reference:md5,73611bd5d1d0ad865cd26b003aa525b4;
>> reference:url,twitter.com/CryptoInsane/status/939517360389664769;
>> classtype:trojan-activity; sid:2xxxxxx; rev:1;
>> metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit,
>> attack_target Client_Endpoint, deployment Perimeter, signature_severity
>> Major, created_at 2017_12_13, malware_family Randrew.A, performance_impact
>> Moderate, updated_at 2017_12_13;)
>>
>>
>> Warm regards
>>
>> Arvind Kumar
>>
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>


-- 
*James Emery-Callcott*
Security Researcher
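Added example, not part of the thread or of the ET ruleset: a small Python model of the match conditions in the quoted Win32/Bot.Sezin rule, run over constructed HTTP requests. It is not Suricata and does not model $HOME_NET/$EXTERNAL_NET or port filtering; it only mirrors how the rule's content tests combine (five unordered http_uri matches, an http_method match, and one negated http_header match) so you can see which requests would fire. The request path, parameter values and Host header are made up for the example.

```python
"""Model of the match logic in the ET TROJAN Win32/Bot.Sezin CnC Checkin
rule (added example; not Suricata, not code from the original post)."""

# The http_uri content matches from the rule. None of them carries a
# relative modifier (distance/within), so each string only has to appear
# somewhere in the URI buffer; order is not enforced.
URI_PATTERNS = (".php?machine_id=", "&version=", "&video_card=", "&cpu=", "&junk=")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, header_block)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, uri, _version = parts
    header_block = "\r\n".join(line.decode("latin-1") for line in lines[1:])
    return method, uri, header_block


def sezin_checkin_match(raw: bytes) -> bool:
    """Return True when the request satisfies every test in the rule."""
    method, uri, header_block = parse_request(raw)
    # content:"GET"; http_method;
    if method != "GET":
        return False
    # content:"..."; http_uri;  (five times) -- all present, any order
    if not all(pattern in uri for pattern in URI_PATTERNS):
        return False
    # content:!"User-Agent:"; http_header;  -- negated match. The rule has
    # no nocase, so this is a case-sensitive test, as modelled here.
    if "User-Agent:" in header_block:
        return False
    return True


# Constructed sample requests (not captured traffic).
CHECKIN = (
    b"GET /gate.php?machine_id=0123456789ABCDEF&version=1.0"
    b"&video_card=GenericVGA&cpu=GenericCPU&junk=4711 HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)
CHECKIN_WITH_UA = CHECKIN.replace(
    b"Host: example.invalid\r\n",
    b"Host: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n",
)
# Same header with a lowercase name: legal HTTP, but not excluded by the
# case-sensitive negated content, so the model still fires on it.
CHECKIN_LOWERCASE_UA = CHECKIN.replace(
    b"Host: example.invalid\r\n",
    b"Host: example.invalid\r\nuser-agent: Mozilla/5.0\r\n",
)
BENIGN = (
    b"GET /index.php?machine_id=1&version=2 HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)
POSTED = CHECKIN.replace(b"GET ", b"POST ", 1)

SAMPLES = {
    "checkin": CHECKIN,
    "checkin_with_ua": CHECKIN_WITH_UA,
    "checkin_lowercase_ua": CHECKIN_LOWERCASE_UA,
    "benign": BENIGN,
    "posted": POSTED,
}


def run_samples() -> dict:
    """Evaluate every constructed sample; True means the rule would fire."""
    return {name: sezin_checkin_match(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, fired in run_samples().items():
        print(f"{name:22s} {'ALERT' if fired else '-'}")
```

The lowercase User-Agent case is the one to keep in mind when reviewing the rule: the negated header content is case-sensitive as written, so the check only excludes clients that send the header name with that exact capitalisation. Whether that is acceptable depends on the sample traffic in the pcaps; adding nocase to that content would make the exclusion apply regardless of header case.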