alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007771; classtype:trojan-activity; sid:2007771; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:01:01 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007771; classtype:trojan-activity; sid:2007771; rev:9;)

Added 2011-10-12 19:23:49 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; sid:2007771; rev:9;)

Added 2011-09-14 22:37:18 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:9;)

Added 2011-02-04 17:26:52 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:8;)

Added 2009-07-12 17:00:36 UTC

sample: GET /40e800142020202057202d4443574d414c393635393438366c0000003c66000000007600000002 HTTP/1.0

from this reference: http://www.secureworks.com/research/threats/pushdo/

-- RussellFulton - 16 Jul 2009


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:8;)

Added 2009-07-12 17:00:36 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:7;)

Added 2009-02-13 19:30:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:7;)

Added 2009-02-13 19:30:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; sid:2007771; rev:6;)

Added 2008-07-08 15:24:40 UTC

sample (unconfirmed but we have seen these from several machines that turned out to be infected with something):

GET /40E800142020202020202020202020204C3931534B5032516C0000007366000000007600000642EB000530A0185080 HTTP/1.0....

-- RussellFulton - 18 Dec 2008


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; sid:2007771; rev:6;)

Added 2008-07-08 15:24:40 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; classtype:trojan-activity; sid:2007771; rev:5;)

Added 2008-05-19 15:02:10 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"202020"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:4;)

Added 2008-02-08 14:12:47 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:3;)

Added 2008-01-31 10:12:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:2;)

Added 2008-01-30 10:45:07 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:2;)

Added 2008-01-30 10:45:07 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:1;)

Added 2008-01-21 11:03:29 UTC

Seeing urls like so:

| 601392bea264054d2a5b02ef79a8d4ab | GET hxxp://75.125.207.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002 | 8a2280ae500da644c8be23c624d74844 | GET hxxp://208.66.194.xx/40e8001448333053305035362020202020202020202020206c0000005866000000017600000002 | 601392bea264054d2a5b02ef79a8d4ab | GET hxxp://75.125.207.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002 | 43dfb2e9ef3b03b32a93ad473641b12f | GET hxxp://208.66.195.xx/40E8001448333053305035362020202020202020202020206C0000003C66000000017600000004 | 62fb75d97a68da3e569699fc89d14422 | GET hxxp://208.66.195.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002 | e5ef616806ac5dee6c274c645ea1bf5d | GET hxxp://208.66.195.xx/40e800154d51303030302031202020202020202020202020036c0000003c66000000007600000002

-- MattJonkman - 21 Jan 2008


Topic revision: r5 - 2009-07-16 - RussellFulton
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats