# Latest archived copy of sid 2007805: msg moved to the "ET DELETED" category and the
# line is commented out, so a sensor loading this text does not evaluate the rule.
# NOTE(review): the first five content matches carry http_uri, but the last one
# (content:"&au=") has nocase only, so it is searched in the raw payload rather than
# the URI buffer. The rev 2 text on this page used uricontent for all six strings, so
# this looks like a missed modifier in the conversion. Confirm before re-enabling.
# NOTE(review): this rule is the only setter of flowbit ET.blink.get shown on this
# page; a rule that tests that flowbit (none is shown here) cannot match while this
# one is disabled. Verify against the ruleset you deploy.
##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blink.com related Backdoor Checkin"; flow:established,to_server; content:"/?vn="; nocase; http_uri; content:"&partner="; nocase; http_uri; content:"&ptag="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&se="; nocase; http_uri; content:"&au="; nocase; flowbits:set,ET.blink.get; reference:url,doc.emergingthreats.net/2007805; classtype:trojan-activity; sid:2007805; rev:3;)

Added 2012-01-23 20:19:03 UTC


# Disabled (commented-out) copy, still under the "ET TROJAN" msg prefix.
# Its options are the same as in the "ET DELETED" copy listed above it; only the msg
# category and the comment marker differ, yet both copies are sid 2007805 rev 3.
# Comparing by sid/rev alone therefore cannot tell the two texts apart.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blink.com related Backdoor Checkin"; flow:established,to_server; content:"/?vn="; nocase; http_uri; content:"&partner="; nocase; http_uri; content:"&ptag="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&se="; nocase; http_uri; content:"&au="; nocase; flowbits:set,ET.blink.get; reference:url,doc.emergingthreats.net/2007805; classtype:trojan-activity; sid:2007805; rev:3;)

Added 2011-10-12 19:23:52 UTC


# Disabled copy, rev 3. Here classtype precedes the reference option; both are
# metadata options, so their order does not change what the rule matches.
# The cvsweb reference carried by the older rev 3 copy is no longer present.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blink.com related Backdoor Checkin"; flow:established,to_server; content:"/?vn="; nocase; http_uri; content:"&partner="; nocase; http_uri; content:"&ptag="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&se="; nocase; http_uri; content:"&au="; nocase; flowbits:set,ET.blink.get; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007805; sid:2007805; rev:3;)

Added 2011-09-14 22:37:21 UTC


# Earliest rev 3 copy on this page, already commented out. Compared with rev 2 the
# six uricontent matches were rewritten as content + http_uri.
# NOTE(review): the rewrite left content:"&au=" without http_uri, so that one string
# is matched against the raw payload instead of the URI buffer. Confirm whether this
# was intended.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blink.com related Backdoor Checkin"; flow:established,to_server; content:"/?vn="; nocase; http_uri; content:"&partner="; nocase; http_uri; content:"&ptag="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&se="; nocase; http_uri; content:"&au="; nocase; flowbits:set,ET.blink.get; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007805; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blink.com; sid:2007805; rev:2;)

Added 2011-02-04 17:26:54 UTC


# rev 2, enabled. Fires on an established client-to-server flow from $HOME_NET to
# $EXTERNAL_NET on $HTTP_PORTS whose URI contains all six strings, case-insensitively.
# The matches have no distance/within/offset constraints, so the strings may appear
# in any order and with other parameters between them. They are short query-parameter
# names rather than a fixed token, which is how the request quoted in the
# false-positive report below satisfies the rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blink.com related Backdoor Checkin"; flow:established,to_server; uricontent:"/?vn="; nocase; uricontent:"&partner="; nocase; uricontent:"&ptag="; nocase; uricontent:"&b="; nocase; uricontent:"&se="; nocase; uricontent:"&au="; nocase; flowbits:set,ET.blink.get; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007805; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blink.com; sid:2007805; rev:2;)

Added 2009-02-12 18:21:14 UTC

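False positive: this rule fires on traffic from the seekeen search application. The request below contains all six URI strings the rule matches on (/?vn=, &partner=, &ptag=, &b=, &se=, &au=):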

GET /?vn=65583&partner=seekeen&ptag=SeeFreez&cid=548f84d3423c48b392f0722bc9166020&b=Seekeen&se=1&au=1&am=0&pver=1&retries=0 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: upgrade.seekeen.com
Pragma: no-cache
Via: 1.0 REMOVED:3128 (squid/2.7.STABLE6)
X-Forwarded-For: REMOVED
Cache-Control: max-age=0
Connection: keep-alive

-- JohnMajestic - 21 Mar 2009


# rev 2 as added on 2009-02-12; the rule text is the same as the rev 2 copy listed
# above it on this page.
# The rule sets flowbit ET.blink.get and, having no flowbits:noalert, also raises its
# own alert on the same request.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blink.com related Backdoor Checkin"; flow:established,to_server; uricontent:"/?vn="; nocase; uricontent:"&partner="; nocase; uricontent:"&ptag="; nocase; uricontent:"&b="; nocase; uricontent:"&se="; nocase; uricontent:"&au="; nocase; flowbits:set,ET.blink.get; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007805; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blink.com; sid:2007805; rev:2;)

Added 2009-02-12 18:21:14 UTC


# rev 1, the original rule. Its detection options (flow, the six uricontent strings,
# the flowbit) are the same as in rev 2; rev 2 only adds the two reference:url
# entries, so both revisions match the same traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blink.com related Backdoor Checkin"; flow:established,to_server; uricontent:"/?vn="; nocase; uricontent:"&partner="; nocase; uricontent:"&ptag="; nocase; uricontent:"&b="; nocase; uricontent:"&se="; nocase; uricontent:"&au="; nocase; flowbits:set,ET.blink.get; classtype:trojan-activity; sid:2007805; rev:1;)

Added 2008-02-01 09:16:23 UTC


Topic revision: r2 - 2009-03-21 - JohnMajestic
 