[Emerging-Sigs] Proposed Signature: PE/MZ SluttyPutty

Jason Taylor jastaylor at emergingthreats.net
Tue Jun 23 05:55:09 HDT 2020


Hi Nathan!

Sorry for the delayed response, I formulated a reply in my head but
apparently never sent an actual email.

Thanks for the sig, we will get it in QA for today!

JT

On Mon, Jun 22, 2020 at 10:09 AM Nathan via Emerging-sigs
<emerging-sigs at lists.emergingthreats.net> wrote:
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN
> SluttyPutty isDebuggerPresent in fake PE/MZ Putty executable";
> flow:established,from_server; file_data; content:"|4D5A|"; depth:2;
> filestore;
> content:"https://www.chiark.greenend.org.uk/~sgtatham/putty/";
> content:"IsDebuggerPresent"; classtype:trojan-activity; sid:x; rev:1;)
>
> Doubt this will ever generate a false positive.
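The proposed rule is three independent `content` checks on the HTTP response body (`file_data`): an `MZ` header pinned to offset 0 by `depth:2`, the PuTTY project URL, and the string `IsDebuggerPresent`. None of the matches are chained with `distance`/`within`, so each only has to appear somewhere in the buffer. The following Python model of that matching logic, run over a few constructed sample bodies, is an added illustration and not part of the thread or of Suricata itself; the sample bytes, the function names and the simplified `content`/`depth` semantics are all assumptions made for the example.

```python
"""
Added example (not from the original thread): a minimal model of the
content checks in the proposed rule, evaluated over constructed sample
HTTP response bodies. This is an illustration of the rule's matching
logic, not Suricata's engine; flow, filestore and HTTP parsing are
deliberately left out.
"""
from typing import Dict, Optional

PUTTY_URL = b"https://www.chiark.greenend.org.uk/~sgtatham/putty/"
DEBUGGER_API = b"IsDebuggerPresent"


def content_match(buf: bytes, pattern: bytes, depth: Optional[int] = None) -> bool:
    """Model of a single non-relative `content` keyword.

    Without `depth`, the pattern may occur anywhere in the buffer.
    With `depth:N`, the match has to end within the first N bytes, so
    `content:"|4D5A|"; depth:2;` effectively pins the MZ header to offset 0.
    """
    window = buf if depth is None else buf[:depth]
    return pattern in window


def fake_putty_rule_matches(file_data: bytes) -> bool:
    """All three content checks must hit on the same file_data buffer.

    They are not relative to one another, so apart from the depth-anchored
    MZ header their order inside the file does not matter.
    """
    return (
        content_match(file_data, b"MZ", depth=2)
        and content_match(file_data, PUTTY_URL)
        and content_match(file_data, DEBUGGER_API)
    )


# Constructed sample bodies (assumed, not captured traffic).
FAKE_PE = (
    b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100
    + b"kernel32.dll\x00" + DEBUGGER_API + b"\x00" + PUTTY_URL + b"\x00"
)
PLAIN_PE_NO_STRINGS = b"MZ" + b"\x00" * 200
HTML_WITH_STRINGS = b"<html><body>" + PUTTY_URL + b" " + DEBUGGER_API + b"</body></html>"
MZ_NOT_AT_START = b"\x00MZ" + PUTTY_URL + DEBUGGER_API


def evaluate_samples() -> Dict[str, bool]:
    """Run the modelled rule over each constructed sample."""
    return {
        "fake_pe": fake_putty_rule_matches(FAKE_PE),
        "plain_pe": fake_putty_rule_matches(PLAIN_PE_NO_STRINGS),
        "html_with_strings": fake_putty_rule_matches(HTML_WITH_STRINGS),
        "mz_off_by_one": fake_putty_rule_matches(MZ_NOT_AT_START),
    }


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:18s} -> {'ALERT' if hit else 'no alert'}")
```

Only the first sample fires: the HTML page carrying both strings is rejected by the `MZ` check, and a buffer where `MZ` sits at offset 1 is rejected by `depth:2`, which is what keeps the rule scoped to PE payloads rather than any page that happens to mention PuTTY.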

