[Emerging-Sigs] Update 2025152 and 2025153 signatures to DorkBot

Attack Detection attackdetectionteam at gmail.com
Mon Feb 5 08:47:34 HST 2018


Hi, we suggest updating the signatures:

"ET TROJAN [PTsecurity] Win32/Downloader.op17 CnC Response" sig: 2025152
and
"ET TROJAN [PTsecurity] Win32/Downloader.op17 CnC Beacon" sig: 2025153
to

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] Dorkbot.Downloader C2 Response"; flow:established,to_client; dsize:517; content:"|45 36 27 18|"; depth:4; fast_pattern; metadata: former_category TROJAN; reference:url,https://research.checkpoint.com/dorkbot-an-investigation/; classtype:trojan-activity; sid:2025152; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_15, performance_impact Low, updated_at 2018_02_05;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] Dorkbot.Downloader Request message"; flow:established,to_server; dsize:170; content:"|45 36 27 18|"; depth:4; fast_pattern; metadata: former_category TROJAN; reference:url,https://research.checkpoint.com/dorkbot-an-investigation/; classtype:trojan-activity; sid:2025153; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2017_12_15, performance_impact Low, updated_at 2018_02_05;)

The investigation that led us to this decision:
https://research.checkpoint.com/dorkbot-an-investigation/

The first message on this malware:
https://lists.emergingthreats.net/pipermail/emerging-sigs/2017-December/028545.html

Best regards,
John
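As an added example (not part of the message above and not ET or Suricata code), a small Python check of what the two proposed rules require of a single TCP packet payload: an exact dsize (517 or 170 bytes), the flow direction, and the four-byte header |45 36 27 18| at offset 0 (a 4-byte content with depth:4 can only match at the start of the payload). The parser reads only the options it evaluates; the sample payloads are constructed, not real captures.

```python
import re

# The two proposed rules, joined onto single lines. Options this example does
# not evaluate (metadata, reference, classtype) are left out of the strings.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] '
    'Dorkbot.Downloader C2 Response"; flow:established,to_client; dsize:517; '
    'content:"|45 36 27 18|"; depth:4; fast_pattern; sid:2025152; rev:2;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] '
    'Dorkbot.Downloader Request message"; flow:established,to_server; dsize:170; '
    'content:"|45 36 27 18|"; depth:4; fast_pattern; sid:2025153; rev:2;)',
]


def parse_rule(rule):
    """Pull out sid, flow direction, dsize, the hex content and its depth."""
    opts = rule[rule.index("(") + 1 : rule.rindex(")")]
    sid = int(re.search(r"sid:(\d+);", opts).group(1))
    flow = re.search(r"flow:([^;]+);", opts).group(1).split(",")
    dsize = int(re.search(r"dsize:(\d+);", opts).group(1))
    hexstr = re.search(r'content:"\|([0-9a-fA-F ]+)\|";', opts).group(1)
    depth = int(re.search(r"depth:(\d+);", opts).group(1))
    return {"sid": sid, "to_server": "to_server" in flow, "dsize": dsize,
            "content": bytes.fromhex(hexstr), "depth": depth}


def payload_matches(parsed, payload, to_server):
    """dsize is an exact payload length; depth limits the content match to the
    first `depth` bytes, so a 4-byte content with depth:4 must sit at offset 0."""
    if parsed["to_server"] != to_server:
        return False
    if len(payload) != parsed["dsize"]:
        return False
    return parsed["content"] in payload[: parsed["depth"]]


def matching_sids(payload, to_server):
    """Return the sids of the proposed rules that fire on one packet payload."""
    parsed = (parse_rule(r) for r in RULES)
    return [p["sid"] for p in parsed if payload_matches(p, payload, to_server)]


# Constructed sample payloads: the header from the rules followed by zero padding.
HEADER = bytes.fromhex("45 36 27 18")
RESPONSE = HEADER + b"\x00" * 513   # 517 bytes, server -> client
REQUEST = HEADER + b"\x00" * 166    # 170 bytes, client -> server
```

A payload with the header one byte later, or one byte longer than the stated dsize, does not match either rule, which is why the exact sizes in the message matter for both false negatives and false positives.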