# ET sid:2007611 rev:8 (listed 2011-10-12) - the newest form of this rule on the page.
# Detection logic: on an established client->server SMTP session on tcp/25, the payload must
# contain a header line "X-Priority: 1" immediately followed by an "X-Library: Indy " header
# (the leading |0d 0a| anchors X-Priority at a line start; |3a| is ':'; the trailing space after
# "Indy" means a library version is expected next, e.g. "Indy 9.00.10" in the sample dump below),
# and then |0d 0a 0d 0a 2e 0d 0a| - the blank line ending the headers, zero body bytes, and the
# SMTP end-of-data "." line - ending within 30 bytes of the first match.
# Coverage caveat: only cleartext SMTP on port 25 is inspected; the same headers sent after
# STARTTLS, or on the message-submission port (587), would not be visible to this rule.
# Triage: a hit is not proof of infection (see the author's note below) - confirm why the
# workstation sent a blank, high-priority email and which address it went to.
# Revision note: this entry and the two earlier rev:8 entries on this page differ only in option
# order and in the dropped cvsweb reference; the rev counter was not bumped for those edits.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 1|0d 0a|X-Library|3a| Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; reference:url,doc.emergingthreats.net/2007611; classtype:trojan-activity; sid:2007611; rev:8;)

Added 2011-10-12 19:23:26 UTC


# sid:2007611 rev:8, earlier listing (2011-09-14). Same detection options as the current entry;
# compared with the 2011-02-04 rev:8 entry the cvsweb reference was removed, but the rev number
# stayed at 8 - a reference-only edit that leaves the match logic unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 1|0d 0a|X-Library|3a| Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007611; sid:2007611; rev:8;)

Added 2011-09-14 22:36:59 UTC


# sid:2007611 rev:8, first listing (2011-02-04). Only change from rev:7: the escaped colons
# ("\:") in both content matches were replaced by the hex byte |3a|, which matches the same
# ':' character - detection behaviour is unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority|3a| 1|0d 0a|X-Library|3a| Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails; sid:2007611; rev:8;)

Added 2011-02-04 17:26:43 UTC


# sid:2007611 rev:7 (2009-05-11). Only change from rev:6: the msg category moved from
# "ET MALWARE" to "ET TROJAN"; content matches, within:30 and classtype are unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails; sid:2007611; rev:7;)

Added 2009-05-11 20:45:34 UTC


# Second listing of sid:2007611 rev:7 - identical rule text and timestamp to the entry above.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails; sid:2007611; rev:7;)

Added 2009-05-11 20:45:34 UTC


# sid:2007611 rev:6 (2009-02-13). Only change from rev:5: two reference:url options were added
# (the ET doc page and the cvsweb signature file); the match logic is unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails; sid:2007611; rev:6;)

Added 2009-02-13 19:15:24 UTC


# Second listing of sid:2007611 rev:6 - identical rule text and timestamp to the entry above.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Infection_Emails; sid:2007611; rev:6;)

Added 2009-02-13 19:15:24 UTC


# sid:2007611 rev:5 (2008-03-08). Only change from rev:4: the msg category moved from
# "ET POLICY" to "ET MALWARE". Note that classtype has been trojan-activity since rev:1,
# so the POLICY-era msg prefix never matched the classtype.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; sid:2007611; rev:5;)

Added 2008-03-08 21:31:31 UTC


# Second listing of sid:2007611 rev:5 - identical rule text and timestamp to the entry above.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET MALWARE Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; sid:2007611; rev:5;)

Added 2008-03-08 21:31:31 UTC


# sid:2007611 rev:4 (2008-01-31). Only change from rev:3: the msg prefix moved from
# "BLEEDING-EDGE POLICY" to "ET POLICY" (ruleset rename); detection options are unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; sid:2007611; rev:4;)

Added 2008-01-31 18:48:10 UTC


# Second listing of sid:2007611 rev:4 - identical rule text and timestamp to the entry above.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; sid:2007611; rev:4;)

Added 2008-01-31 18:48:10 UTC


# sid:2007611 rev:3 (2007-11-14). Only change from rev:2: within:22 became within:30, giving the
# end-of-headers/end-of-data sequence more room after "X-Library: Indy " - presumably to allow
# longer Indy version strings than the "9.00.10" in the sample dump below.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; sid:2007611; rev:3;)

Added 2007-11-14 03:46:00 UTC


# Second listing of sid:2007611 rev:3 - identical rule text and timestamp to the entry above.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; sid:2007611; rev:3;)

Added 2007-11-14 03:46:00 UTC


# sid:2007611 rev:2 (2007-09-09 15:20). Only change from rev:1: the colons inside the content
# strings are now escaped as "\:" (a literal ':' in the header names); within:22 is unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:22; classtype:trojan-activity; sid:2007611; rev:2;)

Added 2007-09-09 15:20:12 UTC


# Second listing of sid:2007611 rev:2 - identical rule text and timestamp to the entry above.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:22; classtype:trojan-activity; sid:2007611; rev:2;)

Added 2007-09-09 15:20:12 UTC


# sid:2007611 rev:1, second form (2007-09-09 00:02). Only change from the original entry:
# " - Priority 1" was appended to the msg; the rev number was not bumped for the edit.
# The colons in the content strings are still unescaped here.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority: 1|0d 0a|X-Library: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:22; classtype:trojan-activity; sid:2007611; rev:1;)

Added 2007-09-09 00:02:45 UTC


# Second listing of the 2007-09-09 rev:1 form - identical rule text and timestamp to the entry above.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority: 1|0d 0a|X-Library: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:22; classtype:trojan-activity; sid:2007611; rev:1;)

Added 2007-09-09 00:02:45 UTC


# sid:2007611 rev:1, original entry (2007-09-08). Matches the sample in the dump below:
# "X-Priority: 1" then "X-Library: Indy " at line starts, followed within 22 bytes by the
# blank header terminator, no body, and the SMTP "." end-of-data line. The two content
# matches and the tcp/25 client->server scope have stayed the same through every later rev.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body"; flow:established,to_server; content:"|0d 0a|X-Priority: 1|0d 0a|X-Library: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:22; classtype:trojan-activity; sid:2007611; rev:1;)

Added 2007-09-08 11:56:32 UTC

We see a lot of trojans and credential-stealing agents report an infection with a blank email to a free email service. It looks like this:

0000   53 75 62 6a 65 63 74 3a 20 4e 6f 76 6f 3a 42 4f  Subject: Novo:BO
0010   42 54 57 4f 0d 0a 54 6f 3a 20 62 69 73 73 62 72  BTWO..To: bissbr
0020   61 73 69 6c 40 67 6d 61 69 6c 2e 63 6f 6d 0d 0a  asil@gmail.com..
0030   44 61 74 65 3a 20 54 68 75 2c 20 38 20 53 65 70  Date: Thu, 8 Sep
0040   20 32 30 30 35 20 30 37 3a 31 31 3a 33 30 20 2d   2005 07:11:30 -
0050   30 34 30 30 0d 0a 58 2d 50 72 69 6f 72 69 74 79  0400..X-Priority
0060   3a 20 31 0d 0a 58 2d 4c 69 62 72 61 72 79 3a 20  : 1..X-Library: 
0070   49 6e 64 79 20 39 2e 30 30 2e 31 30 0d 0a 0d 0a  Indy 9.00.10....
0080   2e 0d 0a                                         ...

This sig should catch those, since they usually use the Indy mail lib and send no message body.

As you can see above, the dead drop email is bissbrasil@gmail.com (reported). If you get a hit on this it doesn't guarantee an infection, but you should verify why a blank email was sent from a workstation and where it was sent to.

-- MattJonkman - 08 Sep 2007


Topic revision: r2 - 2007-09-08 - MattJonkman
 