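# sid:2010337 as converted to the Suricata `alert http` form (recorded 2017-08-07): the
# conversion replaced `tcp ... $HTTP_PORTS` with `http ... any`, added the metadata keyword,
# and kept rev:19 even though the rule text differs from the Snort-form rev:19 below.
# Detection: a POST (any case) whose headers contain "Cache-Control: no-cache" and whose
# client body begins with "data=CjEf" (base64 for the bytes 0a 31 1f); the pcre, scoped to
# the client body by /P, additionally requires "data=" followed by 64+ base64 characters.
# The resolution.php / borders.php names in msg are descriptive only - the URI is NOT
# checked, so hits on other paths are expected and the msg should not be read as a URI match.
# Review fix: the conversion dropped `depth:9` and `fast_pattern` from the body content,
# which (a) let "data=CjEf" match anywhere in the body instead of at offset 0 and (b) left
# the longer but extremely common Cache-Control string as the automatic fast-pattern
# candidate. Both are restored here, exactly as in the Snort-form rev:19, and rev is bumped.
# NOTE(review): metadata created_at 2010_07_30 postdates this sid's first recorded
# appearance (2009-11-16); updated_at should be refreshed when this change is published.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FakeAV? Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; depth:9; fast_pattern; pcre:"/data=[a-zA-Z0-9\+\/]{64}/P"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; classtype:trojan-activity; sid:2010337; rev:20; metadata:created_at 2010_07_30, updated_at 2010_07_30;)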

Added 2017-08-07 21:03:27 UTC


# sid:2010337 rev:19, Snort form (recorded 2012-04-23). Only change from rev:18: the pcre
# gained the /P flag, scoping the regex to the normalized HTTP client body instead of the
# raw payload. Detection: POST (nocase) + "Cache-Control: no-cache" in the headers + body
# beginning "data=CjEf" (depth:9 pins the 9-byte string to offset 0; fast_pattern makes it,
# not the far more common Cache-Control header, the multi-pattern-matcher string), plus
# "data=" followed by 64+ base64 characters somewhere in the body. The URI named in msg is
# not checked by any option. Note the 2017 `alert http` conversion also carries rev:19.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; depth:9; fast_pattern; pcre:"/data=[a-zA-Z0-9\+\/]{64}/P"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; classtype:trojan-activity; sid:2010337; rev:19;)

Added 2012-04-23 23:04:27 UTC


# sid:2010337 rev:18 (recorded 2012-04-23): adds `nocase` to the http_method match. HTTP
# methods are case-sensitive, so this slightly widens rather than tightens the rule.
# Caveat: the pcre has no buffer flag here, so it runs against the raw packet payload, not
# the reassembled/normalized client body - rev:19 adds /P to fix that.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; nocase; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; depth:9; fast_pattern; pcre:"/data=[a-zA-Z0-9\+\/]{64}/"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; classtype:trojan-activity; sid:2010337; rev:18;)

Added 2012-03-16 17:40:50 UTC


# sid:2010337 rev:17 (recorded 2012-03-16): the reference options were moved ahead of
# classtype. Detection options are unchanged from the earlier rev:17 entries; rev was not
# bumped for this cosmetic reorder.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; depth:9; fast_pattern; pcre:"/data=[a-zA-Z0-9\+\/]{64}/"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; classtype:trojan-activity; sid:2010337; rev:17;)

Added 2011-10-12 19:29:31 UTC


# sid:2010337 rev:17 (recorded 2011-10-12): the emergingthreats.net cvsweb reference was
# dropped; detection options are unchanged and rev was not bumped.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; depth:9; fast_pattern; pcre:"/data=[a-zA-Z0-9\+\/]{64}/"; classtype:trojan-activity; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; sid:2010337; rev:17;)

Added 2011-09-14 22:42:44 UTC


# sid:2010337 rev:17 (recorded 2011-09-14; same text as the two 2011-02-04 entries). First
# revision on this page written against Snort's HTTP inspection buffers: http_method /
# http_header / http_client_body replace the raw `|0d 0a 0d 0a|` header-order matching,
# the body string is anchored at offset 0 with depth:9 and made the fast pattern, and a pcre
# requiring "data=" + 64 base64 characters is added. The "[...]" brackets in msg were
# dropped. revs 9-16 are not shown on this page.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; depth:9; fast_pattern; pcre:"/data=[a-zA-Z0-9\+\/]{64}/"; classtype:trojan-activity; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010337; rev:17;)

Added 2011-02-04 17:29:50 UTC


# sid:2010337 rev:17 (recorded 2011-02-04 17:29, one of three identical copies that day).
# HTTP-buffer rewrite of the rule: http_method / http_header / http_client_body replace raw
# header-order matching; "data=CjEf" is pinned to body offset 0 (depth:9) and declared the
# fast pattern; a pcre requiring "data=" + 64 base64 characters is added. Brackets dropped
# from msg. revs 9-16 are not shown on this page.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; depth:9; fast_pattern; pcre:"/data=[a-zA-Z0-9\+\/]{64}/"; classtype:trojan-activity; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010337; rev:17;)

Added 2011-02-04 17:03:33 UTC


# sid:2010337 rev:17 (recorded 2011-02-04 16:48, earliest of three identical copies).
# HTTP-buffer rewrite of the rule: http_method / http_header / http_client_body replace raw
# header-order matching; "data=CjEf" is pinned to body offset 0 (depth:9) and declared the
# fast pattern; a pcre requiring "data=" + 64 base64 characters is added. Brackets dropped
# from msg. revs 9-16 are not shown on this page.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? Reporting - POST often to resolution|borders.php"; flow:to_server,established; content:"POST"; http_method; content:"Cache-Control|3a| no-cache"; http_header; content:"data=CjEf"; http_client_body; depth:9; fast_pattern; pcre:"/data=[a-zA-Z0-9\+\/]{64}/"; classtype:trojan-activity; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010337; rev:17;)

Added 2011-02-04 16:48:29 UTC


# sid:2010337 rev:8 (recorded 2010-07-01): msg renamed from "Zeus Reporting" to "FakeAV?
# Reporting" and the cvsweb reference switched to TROJAN_Fake_AV; detection unchanged.
# Raw-payload form: "POST /" must start the payload (depth:6); the Cache-Control header
# must be the LAST header (it is matched together with the CRLFCRLF that ends the header
# block) and must end within 300 bytes of the request line; "data=CjEf" must then appear at
# or after that point (distance:0). Any change in header order by the malware evades this.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|"; within:300; content:"data=CjEf"; distance:0; classtype:trojan-activity; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010337; rev:8;)

Added 2010-07-01 21:33:48 UTC


# sid:2010337 rev:8 (recorded 2010-07-01; duplicate entry of the same text): msg renamed
# from "Zeus Reporting" to "FakeAV? Reporting", cvsweb reference switched to TROJAN_Fake_AV.
# Raw-payload form: "POST /" at payload offset 0, Cache-Control: no-cache required to be
# the final header (matched with its trailing CRLFCRLF) ending within 300 bytes of the
# request line, then "data=CjEf" at or after that point (distance:0).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV? Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|"; within:300; content:"data=CjEf"; distance:0; classtype:trojan-activity; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010337; rev:8;)

Added 2010-07-01 21:33:48 UTC


# sid:2010337 rev:7 (recorded 2010-06-28): the body string becomes its own content with
# distance:0 instead of being glued onto the header content, and the "/" in rev:5's
# "data=/CjEf" is gone - so the body is now required to start "data=CjEf". msg still says
# "Zeus". rev:6 is not shown on this page.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|"; within:300; content:"data=CjEf"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; sid:2010337; rev:7;)

Added 2010-06-28 23:01:55 UTC


# sid:2010337 rev:7 (recorded 2010-06-28; duplicate entry of the same text): body string
# split into its own content with distance:0; the "/" from rev:5's "data=/CjEf" is gone.
# rev:6 is not shown on this page.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|"; within:300; content:"data=CjEf"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; sid:2010337; rev:7;)

Added 2010-06-28 23:01:55 UTC


# sid:2010337 rev:5 (recorded 2010-05-20 10:46; one of four identical copies): the only
# change from rev:4 is the msg ("Unknown Infection" -> "Zeus"). Detection still requires the
# literal "data=/CjEf" immediately after the header-terminating CRLFCRLF. The "/" before
# CjEf disappears in rev:7; whether it ever matched real traffic is not recorded here.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|data=/CjEf"; within:300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; sid:2010337; rev:5;)

Added 2010-05-20 10:46:05 UTC


# sid:2010337 rev:5 (recorded 2010-05-20 10:46; duplicate copy): msg changed to "Zeus
# Reporting"; detection unchanged from rev:4 and still keyed on the literal "data=/CjEf"
# directly after the blank line ending the headers (the "/" is dropped in rev:7).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|data=/CjEf"; within:300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; sid:2010337; rev:5;)

Added 2010-05-20 10:46:05 UTC


# sid:2010337 rev:5 (recorded 2010-05-20 10:43; duplicate copy): msg changed to "Zeus
# Reporting"; detection unchanged from rev:4 and still keyed on the literal "data=/CjEf"
# directly after the blank line ending the headers (the "/" is dropped in rev:7).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|data=/CjEf"; within:300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; sid:2010337; rev:5;)

Added 2010-05-20 10:43:59 UTC


# sid:2010337 rev:5 (recorded 2010-05-20 10:43; earliest of four identical copies): msg
# changed to "Zeus Reporting"; detection unchanged from rev:4 and still keyed on the
# literal "data=/CjEf" directly after the blank line ending the headers (the "/" is
# dropped in rev:7).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|data=/CjEf"; within:300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; sid:2010337; rev:5;)

Added 2010-05-20 10:43:59 UTC


# sid:2010337 rev:4 (recorded 2010-01-11): adds the Sophos write-up reference contributed by
# Russell Fulton in the thread below; detection unchanged from rev:3.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Infection Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|data=/CjEf"; within:300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; sid:2010337; rev:4;)

Added 2010-01-11 12:00:46 UTC

reference: http://greatis.com/blog/how-to-remove-malware/removed-66ba574b-1e11-49b8-909c-8cc9e0e8e015-job.htm

Seems to match perfectly — both the host names and the URL.

-- RussellFulton - 25 Feb 2010


# sid:2010337 rev:4 (recorded 2010-01-11; duplicate entry of the same text): adds the
# Sophos reference; detection unchanged from rev:3.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Infection Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|data=/CjEf"; within:300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss; sid:2010337; rev:4;)

Added 2010-01-11 12:00:46 UTC


# sid:2010337 rev:3 (recorded 2009-11-20 16:15): adds the doc.emergingthreats.net and
# cvsweb (TROJAN_Unknown) references; detection unchanged from rev:2.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Infection Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|data=/CjEf"; within:300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2010337; rev:3;)

Added 2009-11-20 16:15:43 UTC

possible ref: http://www.sophos.com/security/analyses/viruses-and-spyware/trojagentmbr.html?_log_from=rss

Our host was visiting the site referenced in the article above.

-- RussellFulton - 11 Jan 2010

Added, thanks Russell!

-- MattJonkman - 11 Jan 2010


# sid:2010337 rev:3 (recorded 2009-11-20 16:15; duplicate entry of the same text): adds
# the doc.emergingthreats.net and cvsweb references; detection unchanged from rev:2.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Infection Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|data=/CjEf"; within:300; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Unknown; sid:2010337; rev:3;)

Added 2009-11-20 16:15:43 UTC


# sid:2010337 rev:2 (recorded 2009-11-20 03:30): identical to the original submission
# except that a rev number was added.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Infection Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|data=/CjEf"; within:300; classtype:trojan-activity; sid:2010337; rev:2;)

Added 2009-11-20 03:30:47 UTC


# sid:2010337 rev:2 (recorded 2009-11-20 03:30; duplicate entry of the same text):
# identical to the original submission except that a rev number was added.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Infection Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|data=/CjEf"; within:300; classtype:trojan-activity; sid:2010337; rev:2;)

Added 2009-11-20 03:30:47 UTC


# sid:2010337 original submission (recorded 2009-11-16; no rev, no references).
# Raw-payload rule written before Snort's HTTP buffers were used: "POST /" must start the
# payload (depth:6); "Cache-Control: no-cache" must be the final header (it is matched
# together with the CRLFCRLF that ends the header block), ending within 300 bytes of the
# request line; and the body must begin with the literal "data=/CjEf". The "\:" is an
# escaped colon inside the content string - later revisions write it as |3a|. Nothing in
# the rule checks the URI named in msg.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Infection Reporting - POST often to [resolution|borders].php"; flow:to_server,established; content:"POST /"; depth:6; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|data=/CjEf"; within:300; classtype:trojan-activity; sid:2010337;)

Added 2009-11-16 10:15:45 UTC


Topic revision: r4 - 2010-02-25 - RussellFulton
 