# Flags an outbound HTTP request (client in $HOME_NET, server in $EXTERNAL_NET on
# $HTTP_PORTS, established flow toward the server) whose URI contains all three
# literal strings "?nid_mac=", "&nid_os_ver=Windows" and "&nid_ie_ver=".
# The content matches carry no nocase or distance/within modifiers, so they are
# case-sensitive and may appear in any order inside the URI.
# Coverage is limited to the ports in $HTTP_PORTS; the same request sent to any
# other port does not match this rule header.
# NOTE(review): this text is labelled rev:3, as are the entries on this page dated
# 2011-09-14 and 2011-02-04, although their reference options and option order
# differ. Compare the full rule text, not only sid/rev, when diffing rulesets.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nbar.co.kr Related Trojan Checkin"; flow:established,to_server; content:"?nid_mac="; http_uri; content:"&nid_os_ver=Windows"; http_uri;content:"&nid_ie_ver="; http_uri; reference:url,doc.emergingthreats.net/2008592; classtype:trojan-activity; sid:2008592; rev:3;)

Added 2011-10-12 19:25:26 UTC


# rev:3 text as recorded on 2011-09-14. It matches an established, server-bound
# flow from $HOME_NET to $EXTERNAL_NET on $HTTP_PORTS whose URI contains
# "?nid_mac=", "&nid_os_ver=Windows" and "&nid_ie_ver=" (case-sensitive, any order).
# Here classtype precedes the single doc.emergingthreats.net reference. The order of
# these metadata options does not change what the rule matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nbar.co.kr Related Trojan Checkin"; flow:established,to_server; content:"?nid_mac="; http_uri; content:"&nid_os_ver=Windows"; http_uri;content:"&nid_ie_ver="; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008592; sid:2008592; rev:3;)

Added 2011-09-14 22:38:52 UTC


# rev:3 text as recorded on 2011-02-04. The three URI strings are expressed as
# content matches with the http_uri modifier, where the rev:2 entries on this page
# use the older uricontent keyword. The strings themselves are unchanged:
# "?nid_mac=", "&nid_os_ver=Windows" and "&nid_ie_ver=".
# This entry carries two reference options: doc.emergingthreats.net and the
# cvsweb signature path.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nbar.co.kr Related Trojan Checkin"; flow:established,to_server; content:"?nid_mac="; http_uri; content:"&nid_os_ver=Windows"; http_uri;content:"&nid_ie_ver="; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008592; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Nbar.co.kr; sid:2008592; rev:3;)

Added 2011-02-04 17:27:46 UTC


# rev:2 text. It uses uricontent to require "?nid_mac=", "&nid_os_ver=Windows" and
# "&nid_ie_ver=" in the request URI of an established, server-bound flow from
# $HOME_NET to $EXTERNAL_NET on $HTTP_PORTS.
# Relative to the rev:1 entry on this page, only the two reference options are
# added. The header, flow and uricontent options are the same.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nbar.co.kr Related Trojan Checkin"; flow:established,to_server; uricontent:"?nid_mac="; uricontent:"&nid_os_ver=Windows"; uricontent:"&nid_ie_ver="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008592; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Nbar.co.kr; sid:2008592; rev:2;)

Added 2009-02-13 19:30:23 UTC


# rev:2 text, the same rule text as the preceding rev:2 entry on this page and
# with the same "Added" timestamp. NOTE(review): this looks like a duplicate
# history record rather than a separate revision.
# It requires uricontent "?nid_mac=", "&nid_os_ver=Windows" and "&nid_ie_ver=" on an
# established, server-bound flow from $HOME_NET to $EXTERNAL_NET on $HTTP_PORTS.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nbar.co.kr Related Trojan Checkin"; flow:established,to_server; uricontent:"?nid_mac="; uricontent:"&nid_os_ver=Windows"; uricontent:"&nid_ie_ver="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008592; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Nbar.co.kr; sid:2008592; rev:2;)

Added 2009-02-13 19:30:23 UTC


# rev:1, the earliest text on this page. It has no reference options.
# It alerts when an established, server-bound flow from $HOME_NET to $EXTERNAL_NET
# on $HTTP_PORTS carries a URI containing "?nid_mac=", "&nid_os_ver=Windows" and
# "&nid_ie_ver=" (uricontent matches, case-sensitive, no ordering constraint).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nbar.co.kr Related Trojan Checkin"; flow:established,to_server; uricontent:"?nid_mac="; uricontent:"&nid_os_ver=Windows"; uricontent:"&nid_ie_ver="; classtype:trojan-activity; sid:2008592; rev:1;)

Added 2008-09-26 21:15:21 UTC

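Sample request (unconfirmed, but it fits the pattern: the URI carries all three parameters the rule matches). The `..` sequences presumably stand for CR/LF bytes in the capture, and the header line is wrapped after `Content-`: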

GET /app/install.php?nid_mac=00-07-E9-5F-BD-64&nid_os_ver=Windows%20XP&nid_ie_ver=6.0.2900.2180&md=29 HTTP/1.1..Content-
Type: text/xml..Host: log.nbar.co.kr

-- RussellFulton - 30 Nov 2008


Topic revision: r2 - 2008-11-30 - RussellFulton
 