[Emerging-Sigs] ET TROJAN Win32/Backdoor.YesMaster CnC Checkin

Arvind Kumar arvind.kumar12 at gmail.com
Tue Dec 19 18:01:18 HST 2017


Hi Team,

Please find the attached rule and pcap file.

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Backdoor.YesMaster CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"x-whoami:"; http_header; fast_pattern; content:"x-pwd:"; http_header; content:"x-hostname:"; http_header; content:"x-isadm"; http_header; content:"x-is64Env:"; http_header; content:!"User-Agent:"; http_header; metadata: former_category TROJAN; reference:md5,4941501aca63cb8bdc86dadeffc9c29c; classtype:trojan-activity; sid:2xxxxxx; rev:1; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_20, malware_family YesMaster, performance_impact Moderate, updated_at 2017_12_20;)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 4941501aca63cb8bdc86dadeffc9c29c.pcap
Type: application/octet-stream
Size: 131488 bytes
Desc: not available
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20171220/4b2200f5/attachment-0001.obj>
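The following is an added example, not the submitter's code or part of the Emerging Threats ruleset. It re-implements the content constraints of the posted rule (GET method, the five custom request headers present, no User-Agent header) as a small Python check over raw HTTP requests, so the match logic can be read and exercised offline against constructed traffic. The flow, direction and port constraints ($HOME_NET to $EXTERNAL_NET, $HTTP_PORTS, established to_server) are not modelled; the sample requests below are constructed for illustration and are not taken from the attached pcap. Header tokens are matched case-sensitively, mirroring the rule's lack of a nocase modifier.

```python
"""Offline re-implementation of the YesMaster CnC check-in rule's header logic.

Added example (not the rule author's code). Only the http_method /
http_header content constraints of the posted rule are modelled; the
flow/port/direction keywords are left to the IDS.
"""
from dataclasses import dataclass
from typing import Optional

# Tokens the rule requires in the http_header buffer. Matched case-sensitively
# because the rule uses no 'nocase' modifier.
REQUIRED_HEADER_TOKENS = ("x-whoami:", "x-pwd:", "x-hostname:", "x-isadm", "x-is64Env:")
# Negated content in the rule: a request carrying this header must NOT match.
FORBIDDEN_HEADER_TOKENS = ("User-Agent:",)


@dataclass
class HttpRequest:
    method: str
    target: str
    version: str
    header_block: str  # header lines joined by CRLF, as http_header inspects them


def parse_request(raw: bytes) -> Optional[HttpRequest]:
    """Split a raw request into request line and header block; None if malformed."""
    text = raw.decode("latin-1")  # byte-preserving decode; never raises
    head, _sep, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return HttpRequest(parts[0], parts[1], parts[2], "\r\n".join(lines[1:]))


def matches_yesmaster_checkin(raw: bytes) -> bool:
    """True when the request satisfies the rule's method and header constraints."""
    req = parse_request(raw)
    if req is None or req.method != "GET":  # content:"GET"; http_method
        return False
    headers = req.header_block
    if any(tok in headers for tok in FORBIDDEN_HEADER_TOKENS):  # content:!"User-Agent:"
        return False
    return all(tok in headers for tok in REQUIRED_HEADER_TOKENS)


# Constructed sample traffic (illustrative, not from the posted pcap).
CHECKIN_SAMPLE = (
    b"GET /index.php HTTP/1.1\r\n"
    b"Host: 192.0.2.10\r\n"
    b"x-whoami: WORKSTATION\\user\r\n"
    b"x-pwd: C:\\Users\\user\\Desktop\r\n"
    b"x-hostname: WORKSTATION\r\n"
    b"x-isadm: 0\r\n"
    b"x-is64Env: 1\r\n"
    b"Connection: close\r\n\r\n"
)
BENIGN_SAMPLE = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Accept: */*\r\n\r\n"
)
# Same beacon headers plus a User-Agent: the rule's negated content suppresses the match.
CHECKIN_WITH_UA = CHECKIN_SAMPLE.replace(
    b"Connection: close", b"User-Agent: x\r\nConnection: close"
)
# Same headers over POST: fails the http_method constraint.
CHECKIN_AS_POST = CHECKIN_SAMPLE.replace(b"GET ", b"POST ", 1)

if __name__ == "__main__":
    for name, sample in (
        ("checkin", CHECKIN_SAMPLE),
        ("benign", BENIGN_SAMPLE),
        ("checkin_with_ua", CHECKIN_WITH_UA),
        ("checkin_as_post", CHECKIN_AS_POST),
    ):
        print(f"{name}: {matches_yesmaster_checkin(sample)}")
```

The two negative beacon variants show the rule's boundaries: a sample that adds a User-Agent header, or that uses POST instead of GET, would not fire, which is worth keeping in mind when reviewing pcaps of later builds of the same family.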

