alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type|3a| text/css|0d 0a|"; nocase; http_header; content:"|0d 0a 0d 0a|MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:10;)

Added 2016-08-09 18:48:34 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type|3a| text/css"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; fast_pattern; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:5;)

Added 2013-06-11 21:40:32 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type|3a| text/css"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; distance:-64; fast_pattern; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:4;)

Added 2012-08-07 18:51:58 UTC


alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type|3a| text/css"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:3;)

Added 2012-03-07 18:45:02 UTC


alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type|3a| text/css|0d 0a|"; content:"|0d 0a|MZ"; within:500; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:2;)

Added 2011-10-12 19:28:31 UTC


alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type|3a| text/css|0d 0a|"; content:"|0d 0a|MZ"; within:500; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; sid:2009909; rev:2;)

Added 2011-09-14 22:41:49 UTC


alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type|3a| text/css|0d 0a|"; content:"|0d 0a|MZ"; within:500; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2009909; rev:2;)

Added 2011-02-04 17:29:19 UTC


alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type\: text/css|0d 0a|"; content:"|0d 0a|MZ"; within:500; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2009909; rev:1;)

Added 2009-09-15 15:09:29 UTC


Topic revision: r1 - 2016-08-09 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats