[Emerging-Sigs] Rule for ET TROJAN Win32/Backdoor.Small.ao

Arvind Kumar arvind.kumar12 at gmail.com
Mon Feb 19 00:51:39 HST 2018


Hi James,

My bad here. It seems signature requires update as the DST port is 2007
with CnC Communication. I have updated the sig revision to 2.

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:" ET TROJAN Win32/
Backdoor.Small.ao CnC Checkin";  flow:established,to_server;  content:"POST
";  depth:5; content:"/waiting";  fast_pattern; depth:64;
content:"User-Agent: BC"; distance:0; metadata: former_category TROJAN;
reference:md5,e8c9d8ffe8fae54b15262bf9aeb4172c;
classtype:trojan-activity;  sid:2xxxxxx;  rev:2;  metadata:affected_product
Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint,
deployment Perimeter, signature_severity Major, created_at 2018_02_19,
malware_family Agent, performance_impact Moderate, updated_at 2018_02_19; )

Warm Regards

Arvind Kumar

On Mon, Feb 19, 2018 at 2:18 PM, James Emery-Callcott <
jcallcott at emergingthreats.net> wrote:

> Hi Arvind,
>
> Thanks for submitting this signature.
> We'll take a look and push to QA asap.
>
> Thanks,
> James.
>
> On Mon, Feb 19, 2018 at 7:11 AM, Arvind Kumar <arvind.kumar12 at gmail.com>
> wrote:
>
>>
>> Hi Team,
>>
>> Please find the attached rule for ET TROJAN Win32/Backdoor.Small.ao
>>
>>
>> alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:" ET TROJAN
>> Win32/Backdoor.Small.ao CnC Checkin";  flow:established,to_server;
>> content:"POST";  http_method; content:"/waiting";  fast_pattern; http_uri;
>> content:"User-Agent: BC"; http_header; metadata: former_category TROJAN;
>> reference:md5,e8c9d8ffe8fae54b15262bf9aeb4172c;
>> classtype:trojan-activity;  sid:2xxxxxx;  rev:1;  metadata:affected_product
>> Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint,
>> deployment Perimeter, signature_severity Major, created_at 2018_02_19,
>> malware_family Agent, performance_impact Moderate, updated_at 2018_02_19; )
>>
>>
>>
>> Malware pcap download link:  https://www.sendspace.com/file/z6i5cr
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
>>
>>
>
>
> --
> *James Emery-Callcott*
> Security Researcher
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20180219/c1903b5d/attachment.html>
-------------- next part --------------
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:" ET TROJAN Win32/Backdoor.Small.ao CnC Checkin";  flow:established,to_server;  content:"POST ";  depth:5; content:"/waiting";  fast_pattern; depth:64; content:"User-Agent: BC"; distance:0; metadata: former_category TROJAN; reference:md5,e8c9d8ffe8fae54b15262bf9aeb4172c;  classtype:trojan-activity;  sid:2xxxxxx;  rev:2;  metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, signature_severity Major, created_at 2018_02_19, malware_family Agent, performance_impact Moderate, updated_at 2018_02_19; )


More information about the Emerging-sigs mailing list