[Emerging-Sigs] Rule for ET TROJAN Win32/Backdoor.Small.ao

James Emery-Callcott jcallcott at emergingthreats.net
Sun Feb 18 22:48:48 HST 2018


Hi Arvind,

Thanks for submitting this signature.
We'll take a look and push to QA asap.

Thanks,
James.

On Mon, Feb 19, 2018 at 7:11 AM, Arvind Kumar <arvind.kumar12 at gmail.com>
wrote:

>
> Hi Team,
>
> Please find the attached rule for ET TROJAN Win32/Backdoor.Small.ao
>
>
> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN
> Win32/Backdoor.Small.ao CnC Checkin"; flow:established,to_server;
> content:"POST"; http_method; content:"/waiting"; fast_pattern; http_uri;
> content:"User-Agent: BC"; http_header; metadata: former_category TROJAN;
> reference:md5,e8c9d8ffe8fae54b15262bf9aeb4172c;
> classtype:trojan-activity; sid:2xxxxxx; rev:1; metadata:affected_product
> Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint,
> deployment Perimeter, signature_severity Major, created_at 2018_02_19,
> malware_family Agent, performance_impact Moderate, updated_at 2018_02_19;)
>
>
>
> Malware pcap download link:  https://www.sendspace.com/file/z6i5cr
>


-- 
*James Emery-Callcott*
Security Researcher
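
A simplified model of the submitted rule's three content matches, run over constructed requests to show the false-positive surface a QA pass would check. This is an added example, not part of the original thread or Emerging Threats code; it assumes case-sensitive substring matching per buffer and ignores Suricata's buffer normalisation, flow and port checks, and every request and hostname in it is constructed.

```python
# Content conditions copied from the rule in the quoted message: (buffer, literal).
RULE_CONTENTS = [
    ("http_method", "POST"),
    ("http_uri", "/waiting"),
    ("http_header", "User-Agent: BC"),
]


def buffers(req):
    """Build simplified inspection buffers from a request dict (assumed model)."""
    header_block = "".join(f"{k}: {v}\r\n" for k, v in req["headers"].items())
    return {
        "http_method": req["method"],
        "http_uri": req["uri"],
        "http_header": header_block,
    }


def rule_matches(req):
    """True when every literal occurs, case-sensitively, in its buffer."""
    bufs = buffers(req)
    return all(literal in bufs[name] for name, literal in RULE_CONTENTS)


# Constructed samples; none of these come from the pcap linked in the thread.
SAMPLES = {
    "all_three_literals": {"method": "POST", "uri": "/waiting",
                           "headers": {"Host": "host.example.test", "User-Agent": "BC"}},
    "get_same_uri": {"method": "GET", "uri": "/waiting",
                     "headers": {"Host": "host.example.test", "User-Agent": "BC"}},
    # Unrelated traffic: the literals are only substrings of longer values.
    "fp_candidate": {"method": "POST", "uri": "/api/waiting-room",
                     "headers": {"Host": "shop.example.test", "User-Agent": "BCClient/2.1"}},
    "browser_post": {"method": "POST", "uri": "/waiting",
                     "headers": {"Host": "host.example.test", "User-Agent": "Mozilla/5.0"}},
}


def evaluate_samples():
    """Map each sample name to whether the modelled rule would alert on it."""
    return {name: rule_matches(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20} {'ALERT' if hit else 'no alert'}")
```

The `fp_candidate` hit comes from the URI and User-Agent literals being unanchored, which is the kind of overlap to check against benign traffic during QA.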