[Emerging-Sigs] Update 2025152 and 2025153 signatures to DorkBot

James Emery-Callcott jcallcott at emergingthreats.net
Mon Feb 5 09:28:26 HST 2018


Hi John,

Thanks for submitting this.
We'll take a look, rename, and push the update asap.

Thanks,
James.

On Mon, Feb 5, 2018 at 6:47 PM, Attack Detection <attackdetectionteam at gmail.com> wrote:

> Hi, we suggest updating the signatures:
>
> "ET TROJAN [PTsecurity] Win32/Downloader.op17 CnC Response" sig: 2025152
> and
> "ET TROJAN [PTsecurity] Win32/Downloader.op17 CnC Beacon" sig: 2025153
> to
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity]
> Dorkbot.Downloader C2 Response"; flow:established,to_client; dsize:517;
> content:"|45 36 27 18|"; depth:4; fast_pattern; metadata: former_category
> TROJAN; reference:url,https://research.checkpoint.com/dorkbot-an-investigation/;
> classtype:trojan-activity; sid:2025152; rev:2; metadata:affected_product
> Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint,
> deployment Perimeter, signature_severity Major, created_at 2017_12_15,
> performance_impact Low, updated_at 2018_02_05;)
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity]
> Dorkbot.Downloader Request message"; flow:established,to_server; dsize:170;
> content:"|45 36 27 18|"; depth:4; fast_pattern; metadata: former_category
> TROJAN; reference:url,https://research.checkpoint.com/dorkbot-an-investigation/;
> classtype:trojan-activity; sid:2025153; rev:2; metadata:affected_product
> Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint,
> deployment Perimeter, signature_severity Major, created_at 2017_12_15,
> performance_impact Low, updated_at 2018_02_05;)
>
> The investigation that led us to propose this:
> https://research.checkpoint.com/dorkbot-an-investigation/
>
> The first message on this malware:
> https://lists.emergingthreats.net/pipermail/emerging-sigs/2017-December/028545.html
>
> Best regards,
> John
>


-- 
*James Emery-Callcott*
Security Researcher
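The two proposed rules rely on three options: an exact payload length (dsize:517 for the response, dsize:170 for the request), the four-byte marker |45 36 27 18|, and depth:4, which forces that marker to sit at the very start of the payload. The following is an added example, not code from the thread, from PTsecurity or from the ET ruleset: a small evaluator that pulls those options out of the rule text and applies them to constructed payloads, so the interaction of dsize and depth can be seen directly. The payloads are synthetic filler and are not real Dorkbot traffic; only the option values come from the rules quoted above, and the rule strings are trimmed to the options the evaluator reads (metadata and reference dropped).

```python
"""Evaluate the dsize / content / depth logic of sids 2025152 and 2025153
over constructed payloads. Added example; not from the original thread.
"""
import re

MAGIC = bytes.fromhex("45362718")  # the |45 36 27 18| content from both rules

# Proposed rules, trimmed to the options this evaluator understands.
RULES = {
    2025152: (
        'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN [PTsecurity] '
        'Dorkbot.Downloader C2 Response"; flow:established,to_client; dsize:517; '
        'content:"|45 36 27 18|"; depth:4; fast_pattern; classtype:trojan-activity; '
        'sid:2025152; rev:2;)'
    ),
    2025153: (
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN [PTsecurity] '
        'Dorkbot.Downloader Request message"; flow:established,to_server; dsize:170; '
        'content:"|45 36 27 18|"; depth:4; fast_pattern; classtype:trojan-activity; '
        'sid:2025153; rev:2;)'
    ),
}


def parse_rule(rule):
    """Extract direction, dsize, the hex content bytes and depth from a rule."""
    to_server = "flow:established,to_server" in rule
    dsize = int(re.search(r"dsize:(\d+);", rule).group(1))
    hexstr = re.search(r'content:"\|([0-9a-fA-F ]+)\|";', rule).group(1)
    content = bytes.fromhex(hexstr.replace(" ", ""))
    depth = int(re.search(r"depth:(\d+);", rule).group(1))
    return {"to_server": to_server, "dsize": dsize, "content": content, "depth": depth}


def matches(opts, payload, to_server):
    """Apply the parsed options to one TCP segment payload.

    dsize:N         payload must be exactly N bytes
    content + depth the content must occur within the first `depth` bytes;
                    with depth:4 and a 4-byte content that means offset 0.
    """
    if to_server != opts["to_server"]:
        return False
    if len(payload) != opts["dsize"]:
        return False
    return opts["content"] in payload[: opts["depth"]]


def build(length, magic_offset=0):
    """Constructed filler payload of `length` bytes with MAGIC at `magic_offset`.
    Synthetic test data, not captured Dorkbot traffic."""
    body = bytearray(length)
    body[magic_offset : magic_offset + len(MAGIC)] = MAGIC
    return bytes(body)


def evaluate():
    """Return, for each constructed case, the list of sids that fire."""
    opts = {sid: parse_rule(text) for sid, text in RULES.items()}
    cases = {
        # (payload, direction is to_server?)
        "response_ok": (build(517), False),        # fires 2025152
        "request_ok": (build(170), True),          # fires 2025153
        "response_off_by_one": (build(518), False),  # dsize is exact: nothing
        "magic_shifted": (build(517, 2), False),   # marker past depth:4: nothing
        "wrong_direction": (build(517), True),     # 517 bytes to_server: nothing
    }
    return {
        name: [sid for sid, o in opts.items() if matches(o, payload, to_server)]
        for name, (payload, to_server) in cases.items()
    }


if __name__ == "__main__":
    for name, sids in evaluate().items():
        print(f"{name:22s} -> {sids}")
```

The exact dsize makes these rules cheap and precise, but also brittle: a single byte of change in the message length by the malware author silences them without touching the marker bytes, so a shift in traffic volume rather than a new sample is the signal to re-check them.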