<div dir="ltr"><div>Hey All,</div><div><br></div><div>I don't get much SIG writing time at the office, so I'm looking to improve on that. First sig submitted here on ET, so apologies upfront if the formatting isn't correct. I tried to model it off some other sigs. Feedback/constructive criticism is very welcome.</div><div><br></div><div>Reference: <a href="http://www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html">http://www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html</a><br></div><div><br></div><div>alert tcp $HOME_NET any -> any any (msg:"ET TROJAN APT backdoor OSX.XSLCmd CnC Beacon"; flow:established,to_server; content:"POST"; offset:0; depth:4; content:"User-Agent: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1)"; fast_pattern; pcre:"/compose\.aspx\?s\=[A-Z0-9]{47}/"; content:"Accept-Encoding: gzip"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html; sid:198386; rev:1;)</div><div><br></div><div>I took a stab at the Babelfish GET mentioned in the post, but don't have a PCAP to test.</div><div><br></div><div>alert tcp $HOME_NET any -> any any (msg:"ET TROJAN APT backdoor OSX.XSLCmd Babelfish CnC Beacon"; flow:established,to_server; content:"GET"; offset:0; depth:3; content:"Host: babelfish.yahoo.com"; fast_pattern; pcre:"/url\=http\:\/\/1234\/config\.htm\?/"; classtype:trojan-activity; reference:url,www.fireeye.com/blog/technical/malware-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html; sid:198387; rev:1;)</div><div><br></div><div>Patrick</div></div>
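Since the post has no PCAP to test against, here is an added example (not part of the original message or the ET ruleset) that mirrors each rule's content/pcre checks in Python and runs them over constructed HTTP requests; the request bodies, hostnames and the 47-character token are made up for the test, not taken from real traffic.

```python
import re

# Constructed samples (not captures from the post or the FireEye report).
UA = b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
TOKEN = b"ABCDEFGHIJ" * 4 + b"1234567"  # 47 chars of [A-Z0-9], as the pcre expects

BEACON = (b"POST /compose.aspx?s=" + TOKEN + b" HTTP/1.1\r\n"
          b"Host: example.invalid\r\n" + UA + b"\r\n"
          b"Accept-Encoding: gzip\r\nContent-Length: 0\r\n\r\n")
SHORT_TOKEN = BEACON.replace(TOKEN, TOKEN[:40])      # only 40 chars: must not fire
BABELFISH = (b"GET /translate_url?url=http://1234/config.htm?x=1 HTTP/1.1\r\n"
             b"Host: babelfish.yahoo.com\r\n\r\n")
BENIGN_GET = b"GET /index.html HTTP/1.1\r\nHost: babelfish.yahoo.com\r\n\r\n"

def xslcmd_post_beacon(payload: bytes) -> bool:
    """Mirror the first rule: 'POST' at offset 0 depth 4, then the fixed
    User-Agent, the compose.aspx?s=<47 x [A-Z0-9]> pattern, and gzip.
    Contents without distance/within are searched over the whole payload."""
    if payload[:4] != b"POST":
        return False
    if UA not in payload:
        return False
    # The rule's pcre has no anchor or boundary, so 47 is a minimum, not an
    # exact length; a longer token would still match.
    if re.search(rb"compose\.aspx\?s=[A-Z0-9]{47}", payload) is None:
        return False
    return b"Accept-Encoding: gzip" in payload

def xslcmd_babelfish_beacon(payload: bytes) -> bool:
    """Mirror the second rule: 'GET' at offset 0 depth 3, the Host header,
    and the url=http://1234/config.htm? pattern."""
    if payload[:3] != b"GET":
        return False
    if b"Host: babelfish.yahoo.com" not in payload:
        return False
    return re.search(rb"url=http://1234/config\.htm\?", payload) is not None

def evaluate() -> dict:
    """Run both rule approximations over the constructed samples."""
    return {
        "beacon": xslcmd_post_beacon(BEACON),
        "short_token": xslcmd_post_beacon(SHORT_TOKEN),
        "babelfish": xslcmd_babelfish_beacon(BABELFISH),
        "benign_get": xslcmd_babelfish_beacon(BENIGN_GET),
    }

if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name}: {'ALERT' if hit else 'no match'}")
```

This only checks the payload logic; buffer selection (http_uri, http_header) and flow state are left to the engine, so a real PCAP run is still the authoritative test.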