[Emerging-Sigs] Proposed Signature: PE/MZ SluttyPutty

Nathan nathan at packetmail.net
Mon Jun 22 05:09:28 HDT 2020


alert $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
SluttyPutty isDebuggerPresent in fake PE/MZ Putty executable";
flow:established,from_server; file_data; content:"|4D5A|"; depth:2;
filestore;
content:"https://www.chiark.greenend.org.uk/~sgtatham/putty/";
content:"IsDebuggerPresent"; classtype:trojan-activity; sid:x; rev:1;)

Doubt this will ever generate a false positive.
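
The rule's three content checks, emulated in Python over a constructed HTTP response (added example, not part of the original post and not how Suricata or Snort implement matching). The byte blobs below are constructed samples that only imitate a PE layout; they are not real PuTTY binaries or real malware. The semantics shown are those of the rule as posted: "|4D5A|" with depth:2 must sit at the very start of the file_data buffer (the HTTP response body), and the PuTTY project URL and the string "IsDebuggerPresent" may appear anywhere after it; all three must hit for the rule to fire.

```python
"""Emulation of the proposed "SluttyPutty" rule's content matching.

Added example, not code from the original post. It approximates the
file_data buffer as the body of a single HTTP response and applies the
three content keywords in the order the rule lists them.
"""
from dataclasses import dataclass
from typing import Optional

PUTTY_URL = b"https://www.chiark.greenend.org.uk/~sgtatham/putty/"


@dataclass(frozen=True)
class ContentMatch:
    """One content keyword; depth limits the search to the first N bytes."""
    pattern: bytes
    depth: Optional[int] = None

    def matches(self, buf: bytes) -> bool:
        window = buf if self.depth is None else buf[: self.depth]
        return self.pattern in window


# The three content keywords from the proposed rule.
SLUTTY_PUTTY_RULE = [
    ContentMatch(b"MZ", depth=2),        # content:"|4D5A|"; depth:2;
    ContentMatch(PUTTY_URL),             # PuTTY project URL, anywhere
    ContentMatch(b"IsDebuggerPresent"),  # anti-debugging import name, anywhere
]


def http_body(response: bytes) -> bytes:
    """Return the body of a raw HTTP response (stand-in for file_data)."""
    _head, sep, body = response.partition(b"\r\n\r\n")
    return body if sep else b""


def rule_matches(file_data: bytes, rule=SLUTTY_PUTTY_RULE) -> bool:
    """All content keywords must match for the rule to fire."""
    return all(c.matches(file_data) for c in rule)


def fake_pe(strings) -> bytes:
    """Constructed sample: MZ magic, DOS-stub padding, a PE marker and a
    NUL-separated string area. Not a loadable executable."""
    dos_stub = b"MZ" + b"\x90" * 0x3E + b"\x80\x00\x00\x00" + b"PE\x00\x00"
    return dos_stub + b"\x00".join(strings) + b"\x00"


# Constructed inputs (none are real PuTTY or real malware).
FAKE_PUTTY_TROJAN = fake_pe([b"KERNEL32.dll", b"IsDebuggerPresent", PUTTY_URL])
PE_URL_ONLY = fake_pe([b"KERNEL32.dll", PUTTY_URL])
HTML_PAGE = b"<html><body>" + PUTTY_URL + b" IsDebuggerPresent</body></html>"
SHIFTED_PE = b"\x00" + FAKE_PUTTY_TROJAN  # MZ not at offset 0 -> depth:2 fails

HTTP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    + b"Content-Length: %d\r\n" % len(FAKE_PUTTY_TROJAN)
    + b"\r\n"
    + FAKE_PUTTY_TROJAN
)


def check_response(response: bytes) -> bool:
    """Apply the rule to the body of a raw HTTP response."""
    return rule_matches(http_body(response))


if __name__ == "__main__":
    for name, blob in [
        ("fake PuTTY with IsDebuggerPresent", FAKE_PUTTY_TROJAN),
        ("PE with URL only", PE_URL_ONLY),
        ("HTML page with both strings", HTML_PAGE),
        ("PE shifted by one byte", SHIFTED_PE),
    ]:
        print(f"{name}: {'ALERT' if rule_matches(blob) else 'no match'}")
    print("HTTP response:", "ALERT" if check_response(HTTP_RESPONSE) else "no match")
```

The HTML sample shows why the depth:2 anchor matters: both strings are present, but the buffer does not begin with MZ, so the rule stays silent. The URL-only PE shows that all three keywords are ANDed; dropping any one of them would widen the match.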

