[Emerging-Sigs] ET TROJAN Win32/Backdoor.YesMaster CnC Checkin

Jack Mott jmott at emergingthreats.net
Wed Dec 20 07:21:48 HST 2017


Hi Arvind,

Thanks for your contribution-- I will get this into QA!

Best,

Jack

On Tue, Dec 19, 2017 at 9:01 PM, Arvind Kumar <arvind.kumar12 at gmail.com>
wrote:

> Hi Team,
>
> Please find the attached rule and pcap file.
>
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Win32/Backdoor.YesMaster CnC Checkin";  flow:established,to_server;
> content:"GET";  http_method; content:"x-whoami:";  http_header;
> fast_pattern; content:"x-pwd:";  http_header; content:"x-hostname:";
> http_header; content:"x-isadm";  http_header; content:"x-is64Env:";
> http_header; content:!"User-Agent:"; http_header; metadata: former_category
> TROJAN;  reference:md5,4941501aca63cb8bdc86dadeffc9c29c;
> classtype:trojan-activity;  sid:2xxxxxx;  rev:1;
> metadata:affected_product  Windows_XP_Vista_7_8_10_Server_32_64_Bit,
> attack_target Client_Endpoint, deployment Perimeter, signature_severity
> Major, created_at 2017_12_20, malware_family YesMaster, performance_impact
> Moderate, updated_at 2017_12_20; )
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
>
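As an added example (not part of Arvind's submission or of the ET rule engine), the following Python approximates the content tests of the rule quoted above and runs them over constructed HTTP requests; header names, paths and values in the samples are made up, and Suricata's `http_header` buffer semantics are only approximated.

```python
"""Added example: re-implementation of the YesMaster rule's header logic.
Not Suricata; the http_header buffer is approximated as the raw header block."""

# Content matches lifted from the rule. The rule uses no 'nocase', so each
# match is a case-sensitive substring test.
REQUIRED_HEADERS = ["x-whoami:", "x-pwd:", "x-hostname:", "x-isadm", "x-is64Env:"]
NEGATED_HEADERS = ["User-Agent:"]  # content:!"User-Agent:"; http_header;


def split_request(raw: bytes):
    """Split a raw HTTP request into (request line, header block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    return request_line.decode("latin-1"), header_block.decode("latin-1"), body


def matches_yesmaster_checkin(raw: bytes) -> bool:
    """True when the request satisfies every content test in the rule."""
    request_line, header_block, _ = split_request(raw)
    # content:"GET"; http_method;
    if not request_line.startswith("GET"):
        return False
    # Suricata's http_header buffer excludes the request line and body, so
    # every positive match is tested against the header block only.
    if not all(h in header_block for h in REQUIRED_HEADERS):
        return False
    # The negated match must not appear anywhere in the header block.
    if any(h in header_block for h in NEGATED_HEADERS):
        return False
    return True


# Constructed sample traffic (not taken from the attached pcap).
CHECKIN = (
    b"GET /index.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"x-whoami: WORKSTATION\\alice\r\n"
    b"x-pwd: C:\\Users\\alice\r\n"
    b"x-hostname: WORKSTATION\r\n"
    b"x-isadm: 0\r\n"
    b"x-is64Env: 1\r\n\r\n"
)
BENIGN = b"GET / HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
# Same check-in with one header name capitalised: without 'nocase' the rule
# as written would not fire on it, which is worth knowing when tuning.
CASE_VARIANT = CHECKIN.replace(b"x-whoami:", b"X-Whoami:")

if __name__ == "__main__":
    for name, req in [("checkin", CHECKIN), ("benign", BENIGN), ("case", CASE_VARIANT)]:
        print(name, matches_yesmaster_checkin(req))
```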