# rev:15, protocol "http" (presumably the Suricata build of this sid; the "tcp" entry
# below carries the same sid/rev). Fires on an established client->server HTTP request
# whose headers contain "Accept-Language: en-en" (not a standard language tag) and whose
# User-Agent contains ";Windows " with no space after the semicolon (nocase) -- compare
# the sample request further down, "MSIE 6.0;Windows NT 5.1". The URI-structure checks
# of rev:1-9 are gone, so these two header oddities are the only discriminators; the
# msg was renamed to "Comfoo" and the SecureWorks write-up added as a reference.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Comfoo Outbound Communication"; flow:established,to_server; content:"Accept-Language|3a 20|en-en|0d 0a|"; http_header; content:"|3b|Windows|20|"; http_user_agent; nocase; reference:url,doc.emergingthreats.net/2009125; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:trojan-activity; sid:2009125; rev:15;)

Added 2015-11-13 17:12:30 UTC


# rev:15, protocol "tcp" (same sid/rev as the "http" entry above; presumably the Snort
# build). Same two strings, but with no http_* buffer modifiers they are matched against
# the raw payload, and the port is "any" rather than $HTTP_PORTS. ";Windows " (nocase)
# is the fast pattern and, with fast_pattern:only, is not re-checked by the detection
# engine; the "Accept-Language: en-en" header line is the ordinary content match.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.Win32.Inject.esi/Comfoo Outbound Communication"; flow:established,to_server; content:"Accept-Language|3a 20|en-en|0d 0a|"; content:"|3b|Windows|20|"; fast_pattern:only; nocase; reference:url,doc.emergingthreats.net/2009125; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/; classtype:trojan-activity; sid:2009125; rev:15;)

Added 2013-07-31 18:43:51 UTC


# rev:11: both strings are constrained to the normalized HTTP header buffer
# (http_header); "Accept-Language: en-en" is the fast pattern. Compared with rev:10 the
# second string was shortened from ";Windows NT" to ";Windows " (case-sensitive here --
# nocase was only added in rev:15), so non-NT User-Agent strings also match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"Accept-Language|3a 20|en-en|0d 0a|"; fast_pattern:only; http_header; content:"|3b|Windows|20|"; http_header; reference:url,doc.emergingthreats.net/2009125; classtype:trojan-activity; sid:2009125; rev:11;)

Added 2011-10-20 15:10:33 UTC


# rev:10 (later listing): first revision to drop the "GET " anchor, isdataat length
# guard and URI pcre of rev:5-9 and rely on two header-buffer strings only:
# "Accept-Language: en-en" (fast pattern) and ";Windows NT" with no space after the
# semicolon. Identical in options to the rev:10 entry below except for the order of
# the classtype and reference metadata keywords.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"Accept-Language|3a 20|en-en|0d 0a|"; fast_pattern:only; http_header; content:"|3b|Windows|20|NT"; http_header; reference:url,doc.emergingthreats.net/2009125; classtype:trojan-activity; sid:2009125; rev:10;)

Added 2011-10-12 19:26:40 UTC


# rev:10 (earlier listing): header-buffer-only form -- "Accept-Language: en-en" as the
# fast pattern plus ";Windows NT" -- with the URI pcre removed. The only difference
# from the other rev:10 entry is the order of classtype/reference, which are metadata
# keywords and do not affect matching.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"Accept-Language|3a 20|en-en|0d 0a|"; fast_pattern:only; http_header; content:"|3b|Windows|20|NT"; http_header; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009125; sid:2009125; rev:10;)

Added 2011-09-23 21:42:12 UTC


# rev:9 (later listing): "GET " must start the payload (depth:4) and be followed by at
# least 62 more bytes (isdataat:62,relative); the header must carry
# "Accept-Language: en-en" (colon written as |3a|; rev:8 used the "\:" escape); and the
# pcre describes a five-segment path: alnum{2,16} / alnum{2,16}+5 digits / 1-5 digits /
# 2 digits+alnum{2,16} / alnum{2,16}+3 digits /. The sample path further down fits
# (11, 11+5, 5, 2+10, 14+3). Differs from the other rev:9 entry only in references.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language|3a| en-en"; nocase; pcre:"/\/[A-Za-z0-9]{2,16}\/[A-Za-z0-9]{2,16}\d{5}\/\d{1,5}\/\d{2}[A-Za-z0-9]{2,16}\/[A-Za-z0-9]{2,16}\d{3}\//sm"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009125; sid:2009125; rev:9;)

Added 2011-09-14 22:40:02 UTC


# rev:9 (earlier listing): same detection logic as the other rev:9 entry -- "GET " at
# offset 0, 62-byte relative length guard, "Accept-Language: en-en" with the colon as
# |3a|, and the generalized five-segment path pcre -- but still carrying the old
# cvsweb TROJAN_Netnam reference that was later dropped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language|3a| en-en"; nocase; pcre:"/\/[A-Za-z0-9]{2,16}\/[A-Za-z0-9]{2,16}\d{5}\/\d{1,5}\/\d{2}[A-Za-z0-9]{2,16}\/[A-Za-z0-9]{2,16}\d{3}\//sm"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009125; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam; sid:2009125; rev:9;)

Added 2011-02-04 17:28:23 UTC


# rev:8 (later listing): same as rev:9 except the header colon is written with the
# backslash escape ("Accept-Language\: en-en") instead of |3a|. This revision widened
# the rev:7 pcre from sample-specific leading character classes to plain
# [A-Za-z0-9]{2,16} segments with fixed digit tails (5, 1-5, 2, 3 digits).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language\: en-en"; nocase; pcre:"/\/[A-Za-z0-9]{2,16}\/[A-Za-z0-9]{2,16}\d{5}\/\d{1,5}\/\d{2}[A-Za-z0-9]{2,16}\/[A-Za-z0-9]{2,16}\d{3}\//sm"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009125; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam; sid:2009125; rev:8;)

Added 2009-04-03 15:06:16 UTC


# rev:8 (earlier listing, identical text and timestamp to the entry above): "GET " at
# offset 0 plus a 62-byte relative length guard, "Accept-Language\: en-en" (escaped
# colon) in the headers, and the generalized five-segment alnum/digit path pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language\: en-en"; nocase; pcre:"/\/[A-Za-z0-9]{2,16}\/[A-Za-z0-9]{2,16}\d{5}\/\d{1,5}\/\d{2}[A-Za-z0-9]{2,16}\/[A-Za-z0-9]{2,16}\d{3}\//sm"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009125; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam; sid:2009125; rev:8;)

Added 2009-04-03 15:06:16 UTC


# rev:7 (later listing): switches back to flow:established,to_server and requires the
# full "Accept-Language\: en-en" header. The pcre is tailored to observed samples --
# fixed leading classes [ACD][GWm], [XVU][TjQTD], [VWX], [XZUV] and two alternations
# -- so it is tight but brittle against new path generators; rev:8 generalized it.
# The sample path further down ("Cm…", "Vj…", "12Xj…", "Vz…721") fits this form.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language\: en-en"; nocase; pcre:"/\/[ACD][GWm]\w{9}\/[XVU][TjQTD]\w{14}\/\d{4,5}\/\d{2}[VWX](\w{9}|\w{6})\/([XZUV]\w{13}\d{3}|\w{2}\/\w{7}\/\w{6}\d{3})/sm"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009125; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam; sid:2009125; rev:7;)

Added 2009-03-11 19:30:25 UTC


# rev:7 (earlier listing, identical text and timestamp to the entry above):
# established client->server, "GET " at offset 0 with a 62-byte relative length guard,
# "Accept-Language\: en-en" in the headers, and a sample-specific path pcre with fixed
# leading character classes and alternations.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language\: en-en"; nocase; pcre:"/\/[ACD][GWm]\w{9}\/[XVU][TjQTD]\w{14}\/\d{4,5}\/\d{2}[VWX](\w{9}|\w{6})\/([XZUV]\w{13}\d{3}|\w{2}\/\w{7}\/\w{6}\d{3})/sm"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009125; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam; sid:2009125; rev:7;)

Added 2009-03-11 19:30:25 UTC


# rev:6 (later listing): flow:stateless, so the rule is evaluated regardless of stream
# state or direction tracking, and the header check is only the bare "Accept-Language"
# name (the "en-en" value was added back in rev:7). Detection therefore rests on the
# "GET " anchor, the 62-byte relative guard and the sample-specific path pcre.
# Only change from rev:5 is the two reference entries.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:stateless; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language"; nocase; pcre:"/\/[ACD][GWm]\w{9}\/[XVU][TjQTD]\w{14}\/\d{4,5}\/\d{2}[VWX](\w{9}|\w{6})\/([XZUV]\w{13}\d{3}|\w{2}\/\w{7}\/\w{6}\d{3})/sm"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009125; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam; sid:2009125; rev:6;)

Added 2009-03-10 19:00:24 UTC


# rev:6 (earlier listing, identical text and timestamp to the entry above):
# flow:stateless, "GET " at offset 0 with a 62-byte relative guard, bare
# "Accept-Language" header name, and the sample-specific path pcre; references added.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:stateless; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language"; nocase; pcre:"/\/[ACD][GWm]\w{9}\/[XVU][TjQTD]\w{14}\/\d{4,5}\/\d{2}[VWX](\w{9}|\w{6})\/([XZUV]\w{13}\d{3}|\w{2}\/\w{7}\/\w{6}\d{3})/sm"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009125; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Netnam; sid:2009125; rev:6;)

Added 2009-03-10 19:00:24 UTC


# rev:5 (later listing): first pcre-based form, replacing the chained "/" content
# matches of rev:1-3 with a single path regex (sample-specific character classes).
# Uses flow:stateless rather than established,to_server, anchors on "GET " at offset 0
# with a 62-byte relative length guard, and checks only the "Accept-Language" header
# name. No references in this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:stateless; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language"; nocase; pcre:"/\/[ACD][GWm]\w{9}\/[XVU][TjQTD]\w{14}\/\d{4,5}\/\d{2}[VWX](\w{9}|\w{6})\/([XZUV]\w{13}\d{3}|\w{2}\/\w{7}\/\w{6}\d{3})/sm"; classtype:trojan-activity; sid:2009125; rev:5;)

Added 2009-03-10 16:45:24 UTC


# rev:5 (earlier listing, identical text and timestamp to the entry above):
# flow:stateless, "GET " at offset 0 with a 62-byte relative guard, bare
# "Accept-Language" header name, and the first sample-specific path pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:stateless; content:"GET "; depth:4; isdataat:62,relative; content:"|0d 0a|Accept-Language"; nocase; pcre:"/\/[ACD][GWm]\w{9}\/[XVU][TjQTD]\w{14}\/\d{4,5}\/\d{2}[VWX](\w{9}|\w{6})\/([XZUV]\w{13}\d{3}|\w{2}\/\w{7}\/\w{6}\d{3})/sm"; classtype:trojan-activity; sid:2009125; rev:5;)

Added 2009-03-10 16:45:24 UTC


# rev:3 (later listing): walks the request path with chained "/" contents, using
# distance/within to pin the segment boundaries (a 16-byte segment, a short digits
# segment, a 12-byte segment, a 17-byte segment) and adds, versus rev:2, a negated
# content:!"|0d 0a|"; within:62 guard so the request line must run at least 62 bytes
# past the first "/". The pcre (U modifier = URI buffer) repeats the fixed segment
# lengths 11/16/12/17 of the sample path; its inner "/" are unescaped, which rev:7
# onward corrects with "\/".
# NOTE(review): the final content:"/|0d 0a|" wants CRLF right after the last slash,
# but the sample request line ends "/ HTTP/1.1" -- confirm this ever matched HTTP/1.x;
# rev:5 dropped the content chain in favour of the pcre.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; content:"/"; distance:0; content:!"|0d 0a|"; within:62; content:"/"; distance:16; within:1; content:"/"; distance:3; within:5; content:"/"; distance:12; within:1; content:"/|0d 0a|"; distance:17; within:3; pcre:"/[A-Za-z0-9]{11}/[A-Za-z0-9]{16}/\d+/[A-Za-z0-9]{12}/[A-Za-z0-9]{17}/U"; classtype:trojan-activity; sid:2009125; rev:3;)

Added 2009-03-10 13:30:23 UTC


# rev:3 (earlier listing, identical text and timestamp to the entry above): chained "/"
# content matches with distance/within segment bounds, a negated CRLF check enforcing
# a request line of at least 62 bytes after the first "/", and a URI-buffer pcre with
# fixed segment lengths 11/16/12/17.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; content:"/"; distance:0; content:!"|0d 0a|"; within:62; content:"/"; distance:16; within:1; content:"/"; distance:3; within:5; content:"/"; distance:12; within:1; content:"/|0d 0a|"; distance:17; within:3; pcre:"/[A-Za-z0-9]{11}/[A-Za-z0-9]{16}/\d+/[A-Za-z0-9]{12}/[A-Za-z0-9]{17}/U"; classtype:trojan-activity; sid:2009125; rev:3;)

Added 2009-03-10 13:30:23 UTC


# rev:2 (later listing): like rev:3 but without the negated CRLF length guard. The
# first "/" is found anywhere after "GET " (distance:0) instead of rev:1's fixed 11
# bytes in; the remaining "/" contents still pin the later segment boundaries and the
# URI-buffer pcre repeats the fixed 11/16/12/17 lengths of the sample path.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; content:"/"; distance:0; content:"/"; distance:16; within:1; content:"/"; distance:3; within:5; content:"/"; distance:12; within:1; content:"/|0d 0a|"; distance:17; within:3; pcre:"/[A-Za-z0-9]{11}/[A-Za-z0-9]{16}/\d+/[A-Za-z0-9]{12}/[A-Za-z0-9]{17}/U"; classtype:trojan-activity; sid:2009125; rev:2;)

Added 2009-03-10 12:00:24 UTC

Example:

http ://www.jeepworker.com/CmoJb3BgLB4/VjNbaTA4WEg13132/22236/12XjZca2c1aQ/VztSOzM1bU1rVw721/
GET /CmoJb3BgLB4/VjNbaTA4WEg13132/22236/12XjZca2c1aQ/VztSOzM1bU1rVw721/ HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: en-en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;Windows NT 5.1)
Host: www.jeepworker.com 
Cache-Control: no-cache

-- MattJonkman - 10 Mar 2009


# rev:2 (earlier listing, identical text and timestamp to the rev:2 entry above the
# example): chained "/" content matches with distance/within bounds, no CRLF length
# guard, and a URI-buffer pcre with fixed segment lengths 11/16/12/17 taken from the
# sample request shown above.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET "; depth:4; content:"/"; distance:0; content:"/"; distance:16; within:1; content:"/"; distance:3; within:5; content:"/"; distance:12; within:1; content:"/|0d 0a|"; distance:17; within:3; pcre:"/[A-Za-z0-9]{11}/[A-Za-z0-9]{16}/\d+/[A-Za-z0-9]{12}/[A-Za-z0-9]{17}/U"; classtype:trojan-activity; sid:2009125; rev:2;)

Added 2009-03-10 12:00:24 UTC


# rev:1: original form. "GET /" must start the payload (depth:5) and the next "/" must
# sit exactly 11 bytes later (distance:11; within:1), i.e. the first path segment is
# fixed at the sample's 11 characters ("CmoJb3BgLB4"); rev:2 relaxed this to
# distance:0. The remaining "/" contents pin the later segments and the URI-buffer
# pcre mirrors the sample's 11/16/12/17 lengths, so this revision is essentially a
# single-sample fingerprint.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Inject.esi Outbound Communication"; flow:established,to_server; content:"GET /"; depth:5; content:"/"; distance:11; within:1; content:"/"; distance:16; within:1; content:"/"; distance:3; within:5; content:"/"; distance:12; within:1; content:"/|0d 0a|"; distance:17; within:3; pcre:"/[A-Za-z0-9]{11}/[A-Za-z0-9]{16}/\d+/[A-Za-z0-9]{12}/[A-Za-z0-9]{17}/U"; classtype:trojan-activity; sid:2009125; rev:1;)

Added 2009-03-10 11:30:24 UTC


Topic revision: r2 - 2009-03-10 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats