##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blink.com related Upgrade Command Given"; flowbits:isset,ET.blink.get; flow:established,from_server; content:"|0d 0a|X-Messaging|3a| This is an important download|0d 0a|Location|3a| http|3a|//"; reference:url,doc.emergingthreats.net/2007806; classtype:trojan-activity; sid:2007806; rev:3;)

Added 2012-01-23 20:19:03 UTC


#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Blink.com related Upgrade Command Given"; flowbits:isset,ET.blink.get; flow:established,from_server; content:"|0d 0a|X-Messaging|3a| This is an important download|0d 0a|Location|3a| http|3a|//"; reference:url,doc.emergingthreats.net/2007806; classtype:trojan-activity; sid:2007806; rev:3;)

Added 2011-10-12 19:23:52 UTC


#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Blink.com related Upgrade Command Given"; flowbits:isset,ET.blink.get; flow:established,from_server; content:"|0d 0a|X-Messaging|3a| This is an important download|0d 0a|Location|3a| http|3a|//"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007806; sid:2007806; rev:3;)

Added 2011-09-14 22:37:21 UTC


#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Blink.com related Upgrade Command Given"; flowbits:isset,ET.blink.get; flow:established,from_server; content:"|0d 0a|X-Messaging|3a| This is an important download|0d 0a|Location|3a| http|3a|//"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007806; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blink.com; sid:2007806; rev:3;)

Added 2011-02-04 17:26:54 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Blink.com related Upgrade Command Given";flowbits:isset,ET.blink.get; flow:established,from_server; content:"|0d 0a|X-Messaging\: This is an important download|0d 0a|Location\: http\://"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007806; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blink.com; sid:2007806; rev:2;)

Added 2009-02-12 18:21:14 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Blink.com related Upgrade Command Given";flowbits:isset,ET.blink.get; flow:established,from_server; content:"|0d 0a|X-Messaging\: This is an important download|0d 0a|Location\: http\://"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007806; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blink.com; sid:2007806; rev:2;)

Added 2009-02-12 18:21:14 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Blink.com related Upgrade Command Given";flowbits:isset,ET.blink.get; flow:established,from_server; content:"|0d 0a|X-Messaging\: This is an important download|0d 0a|Location\: http\://"; classtype:trojan-activity; sid:2007806; rev:1;)

Added 2008-02-01 09:16:23 UTC

HTTP Request like so:

GET /?vn=65550&partner=blink&ptag=BLINK114&b=Blink&se=1&au=1&am=1 HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: upgrade.blink.com
Pragma: no-cache

HTTP/1.1 302 Found
Connection: close
Date: Fri, 25 Jan 2008 05:35:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
partner: blink
Content-Length: 0
cid: 79bd655ef2314b79ad8f5aa1f1604948
X-Messaging: This is an important download
Location: http://upgrade.blink.com/download/Blink/1_5/upgrade.cab?upg=path
Cache-Control: private
Content-Type: text/html

Then the client of course grabs the new URL.

-- MattJonkman - 01 Feb 2008


Topic revision: r2 - 2008-02-01 - MattJonkman