alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mydoom.O@mm HTTP Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"&kgs=0&kls=0&nbq="; classtype:trojan-activity; sid:2008844; rev:1;)
Added 2008-12-03 17:49:56 UTC
This seems to go off for www.altavista.com requests that point to a Yahoo DNS entry. 18.104.22.168 is the host I got.
The uricontent parameters align with the default search terms.
- 08 Jan 2009
Thanks for the report. I've removed the sig. There's no really better way to put it, and the trojan has faded away anyway. Thanks for the report!!
- 09 Jan 2009
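The false positive above follows directly from how the three rule options combine: `content:"GET "; depth:4` only pins the method, and `uricontent:"&kgs=0&kls=0&nbq="` is a query-string fragment that any ordinary AltaVista search URL can carry. The following is an added example, not Emerging Threats' code or Snort's matching engine: a small Python model of sid:2008844's checks run over constructed HTTP requests (the URLs and the percent-decoding stand-in for http_inspect's URI normalization are assumptions, not captured traffic), showing which of them would fire the signature.

```python
"""Toy evaluator for ET sid:2008844 against constructed HTTP requests.

Added example, not Emerging Threats' code. It models the rule's checks
(flow to_server is assumed; content:"GET " depth:4; uricontent against
the normalized URI) to show why a plain AltaVista-style search trips it.
"""
from typing import Optional
from urllib.parse import unquote_to_bytes

SID = 2008844
MSG = "ET TROJAN Mydoom.O@mm HTTP Checkin"
CONTENT = b"GET "                  # content:"GET "; depth:4
URICONTENT = b"&kgs=0&kls=0&nbq="  # uricontent:"&kgs=0&kls=0&nbq="


def normalized_uri(request: bytes) -> Optional[bytes]:
    """Extract the request-target from the request line and percent-decode it.

    This is a rough stand-in (assumption) for http_inspect's URI
    normalization; the real preprocessor does more than %-decoding.
    """
    request_line = request.split(b"\r\n", 1)[0]
    fields = request_line.split(b" ")
    if len(fields) < 2:
        return None
    return unquote_to_bytes(fields[1])


def matches_sid_2008844(request: bytes) -> bool:
    """True if a client->server payload satisfies the rule's content checks."""
    # content:"GET "; depth:4 -- the first four payload bytes must be "GET ".
    if request[:4] != CONTENT:
        return False
    uri = normalized_uri(request)
    # uricontent inspects only the (normalized) URI, never headers or body.
    return uri is not None and URICONTENT in uri


# Constructed samples (not captured traffic). The first mirrors the false
# positive reported in the thread: a routine AltaVista web search whose
# default query parameters contain the signature's uricontent string.
SAMPLES = {
    "altavista_search": (
        b"GET /web/results?itag=ody&q=snort+rules&kgs=0&kls=0&nbq=10 HTTP/1.1\r\n"
        b"Host: www.altavista.com\r\n\r\n"
    ),
    # Same parameters, percent-encoded: still matches once the URI is normalized.
    "percent_encoded": (
        b"GET /web/results?q=x%26kgs%3D0%26kls%3D0%26nbq%3D10 HTTP/1.1\r\n"
        b"Host: www.altavista.com\r\n\r\n"
    ),
    # Same parameters in a POST body: fails content:"GET " at depth 4.
    "post_same_params": (
        b"POST /web/results HTTP/1.1\r\nHost: www.altavista.com\r\n\r\n"
        b"q=x&kgs=0&kls=0&nbq=10"
    ),
    # String present only in a header: uricontent does not look there.
    "string_in_header_only": (
        b"GET /index.html HTTP/1.1\r\nHost: www.altavista.com\r\n"
        b"Referer: http://www.altavista.com/web/results?q=x&kgs=0&kls=0&nbq=10\r\n\r\n"
    ),
}


def evaluate(samples=SAMPLES):
    """Map each sample name to whether sid:2008844 would fire on it."""
    return {name: matches_sid_2008844(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:24s} {'ALERT ' + MSG if fired else 'no alert'}")
```

The first two samples fire and the last two do not, which is the whole problem: nothing in the rule distinguishes a Mydoom.O query from a human's search using the same engine defaults, so the only options are to pin something the worm does differently or, as was done here, retire the signature.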