# ET TROJAN sid:2010347 rev:4 (entry recorded 2011-10-12) - rogue/fake-AV affiliate landing-page request.
# Fires on an established client-to-server HTTP flow whose normalized URI contains ".php?",
# "land=" and "affid=" (each nocase, http_uri) and whose query, per the pcre, is exactly two
# parameters - land=<digits> and affid=<5 digits> in either order - ending the URI
# ("U" = URI buffer, "i" = case-insensitive, "$" = end of URI).
# Detection notes: the pcre alternation also admits land&land or affid&affid, although the two
# content matches above still require both names to occur somewhere in the URI; and because the
# pcre is anchored on ".php?" and "$", any additional query parameter before or after these two
# prevents a match. The packet dump further down decodes to GET /hitin.php?land=20&affid=91902,
# which satisfies this revision.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake/Rogue AV Landing Page Encountered"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"land="; nocase; http_uri; content:"affid="; nocase; http_uri; pcre:"/\.php\?(land=\d+|affid=\d{5})&(land=\d+|affid=\d{5})$/Ui"; reference:url,en.wikipedia.org/wiki/Scareware; reference:url,doc.emergingthreats.net/2010347; classtype:trojan-activity; sid:2010347; rev:4;)

Added 2011-10-12 19:29:32 UTC


# ET TROJAN sid:2010347 rev:4 (entry recorded 2011-09-14). Same flow, content/http_uri and pcre
# options as the later rev:4 entry; only the position of classtype relative to the reference
# options differs, which is metadata ordering and does not change what the rule matches.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake/Rogue AV Landing Page Encountered"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"land="; nocase; http_uri; content:"affid="; nocase; http_uri; pcre:"/\.php\?(land=\d+|affid=\d{5})&(land=\d+|affid=\d{5})$/Ui"; classtype:trojan-activity; reference:url,en.wikipedia.org/wiki/Scareware; reference:url,doc.emergingthreats.net/2010347; sid:2010347; rev:4;)

Added 2011-09-14 22:42:46 UTC


# ET TROJAN sid:2010347 rev:4 (entry recorded 2011-02-04). Detection options are identical to the
# other rev:4 entries (three nocase http_uri content matches plus the either-order land/affid
# pcre); this entry additionally carries the emergingthreats.net cvsweb reference that the
# later entries drop. Reference URLs are metadata only and do not affect matching.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake/Rogue AV Landing Page Encountered"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"land="; nocase; http_uri; content:"affid="; nocase; http_uri; pcre:"/\.php\?(land=\d+|affid=\d{5})&(land=\d+|affid=\d{5})$/Ui"; classtype:trojan-activity; reference:url,en.wikipedia.org/wiki/Scareware; reference:url,doc.emergingthreats.net/2010347; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010347; rev:4;)

Added 2011-02-04 17:29:51 UTC


# ET TROJAN sid:2010347 rev:3 (entry recorded 2010-05-15). Uses the legacy "uricontent" keyword
# for the ".php?", "land=" and "affid=" URI checks (nocase) instead of content + http_uri; the
# pcre is the same either-order land=<digits>/affid=<5 digits> expression with the U and i
# flags as in rev:4. Note: the rev:3 rule appears twice on this page with the same "Added"
# timestamp; the two entries are byte-identical.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake/Rogue AV Landing Page Encountered"; flow:established,to_server; uricontent:".php?"; nocase; uricontent:"land="; nocase; uricontent:"affid="; nocase; pcre:"/\.php\?(land=\d+|affid=\d{5})&(land=\d+|affid=\d{5})$/Ui"; classtype:trojan-activity; reference:url,en.wikipedia.org/wiki/Scareware; reference:url,doc.emergingthreats.net/2010347; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010347; rev:3;)

Added 2010-05-15 21:07:53 UTC


# ET TROJAN sid:2010347 rev:3 - duplicate entry, byte-identical to the preceding rev:3 rule and
# carrying the same "Added" timestamp (2010-05-15 21:07:53 UTC). Same uricontent checks for
# ".php?", "land=", "affid=" (nocase) and the same either-order land/affid pcre (flags U, i).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake/Rogue AV Landing Page Encountered"; flow:established,to_server; uricontent:".php?"; nocase; uricontent:"land="; nocase; uricontent:"affid="; nocase; pcre:"/\.php\?(land=\d+|affid=\d{5})&(land=\d+|affid=\d{5})$/Ui"; classtype:trojan-activity; reference:url,en.wikipedia.org/wiki/Scareware; reference:url,doc.emergingthreats.net/2010347; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010347; rev:3;)

Added 2010-05-15 21:07:53 UTC


# ET TROJAN sid:2010347 rev:2 (entry recorded 2009-11-20) - original form of the rule.
# Requires the URI substrings ".php?land=" and "&affid=" (uricontent, nocase) and a pcre that
# fixes the parameter order: ".php?land=<digits>&affid=<5 digits>" ending the URI (flag U).
# Differences from rev:3/4: parameters must appear as land then affid (the later revisions
# accept either order), and this pcre has no "i" flag, so its literal text is matched
# case-sensitively even though the uricontent checks are nocase. The packet dump below
# (GET /hitin.php?land=20&affid=91902) is the shape this revision was written for.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake/Rogue AV Landing Page Encountered"; flow:established,to_server; uricontent:".php?land="; nocase; uricontent:"&affid="; nocase; pcre:"/\.php\?land=\d+&affid=\d{5}$/U"; classtype:trojan-activity; reference:url,en.wikipedia.org/wiki/Scareware; reference:url,doc.emergingthreats.net/2010347; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010347; rev:2;)

Added 2009-11-20 14:45:45 UTC

13:01:02.154876 IP 10.1.36.179.2725 > 194.60.205.20.80: P 0:600(600) ack 1 win 65535
        0x0000:  4500 0280 ce71 4000 8006 6c01 0a01 24b3  E....q@...l...$.
        0x0010:  c23c cd14 0aa5 0050 8288 09bb fc46 3264  .<.....P.....F2d
        0x0020:  5018 ffff d48f 0000 4745 5420 2f68 6974  P.......GET./hit
        0x0030:  696e 2e70 6870 3f6c 616e 643d 3230 2661  in.php?land=20&a
        0x0040:  6666 6964 3d39 3139 3032 2048 5454 502f  ffid=91902.HTTP/
        0x0050:  312e 310d 0a41 6363 6570 743a 2069 6d61  1.1..Accept:.ima
        0x0060:  6765 2f67 6966 2c20 696d 6167 652f 782d  ge/gif,.image/x-
        0x0070:  7862 6974 6d61 702c 2069 6d61 6765 2f6a  xbitmap,.image/j
        0x0080:  7065 672c 2069 6d61 6765 2f70 6a70 6567  peg,.image/pjpeg
        0x0090:  2c20 6170 706c 6963 6174 696f 6e2f 782d  ,.application/x-
        0x00a0:  7368 6f63 6b77 6176 652d 666c 6173 682c  shockwave-flash,
        0x00b0:  2061 7070 6c69 6361 7469 6f6e 2f76 6e64  .application/vnd
        0x00c0:  2e6d 732d 6578 6365 6c2c 2061 7070 6c69  .ms-excel,.appli
        0x00d0:  6361 7469 6f6e 2f76 6e64 2e6d 732d 706f  cation/vnd.ms-po
        0x00e0:  7765 7270 6f69 6e74 2c20 6170 706c 6963  werpoint,.applic
        0x00f0:  6174 696f 6e2f 6d73 776f 7264 2c20 6170  ation/msword,.ap
        0x0100:  706c 6963 6174 696f 6e2f 7861 6d6c 2b78  plication/xaml+x
        0x0110:  6d6c 2c20 6170 706c 6963 6174 696f 6e2f  ml,.application/
        0x0120:  766e 642e 6d73 2d78 7073 646f 6375 6d65  vnd.ms-xpsdocume
        0x0130:  6e74 2c20 6170 706c 6963 6174 696f 6e2f  nt,.application/
        0x0140:  782d 6d73 2d78 6261 702c 2061 7070 6c69  x-ms-xbap,.appli
        0x0150:  6361 7469 6f6e 2f78 2d6d 732d 6170 706c  cation/x-ms-appl
        0x0160:  6963 6174 696f 6e2c 202a 2f2a 0d0a 4163  ication,.*/*..Ac
        0x0170:  6365 7074 2d4c 616e 6775 6167 653a 2065  cept-Language:.e
        0x0180:  6e2d 7573 0d0a 5541 2d43 5055 3a20 7838  n-us..UA-CPU:.x8
        0x0190:  360d 0a41 6363 6570 742d 456e 636f 6469  6..Accept-Encodi
        0x01a0:  6e67 3a20 677a 6970 2c20 6465 666c 6174  ng:.gzip,.deflat
        0x01b0:  650d 0a55 7365 722d 4167 656e 743a 204d  e..User-Agent:.M
        0x01c0:  6f7a 696c 6c61 2f34 2e30 2028 636f 6d70  ozilla/4.0.(comp
        0x01d0:  6174 6962 6c65 3b20 4d53 4945 2037 2e30  atible;.MSIE.7.0
        0x01e0:  3b20 5769 6e64 6f77 7320 4e54 2035 2e31  ;.Windows.NT.5.1
        0x01f0:  3b20 2e4e 4554 2043 4c52 2031 2e31 2e34  ;..NET.CLR.1.1.4
        0x0200:  3332 323b 202e 4e45 5420 434c 5220 322e  322;..NET.CLR.2.
        0x0210:  302e 3530 3732 373b 202e 4e45 5420 434c  0.50727;..NET.CL
        0x0220:  5220 332e 302e 3034 3530 362e 3330 3b20  R.3.0.04506.30;.
        0x0230:  2e4e 4554 2043 4c52 2033 2e30 2e30 3435  .NET.CLR.3.0.045
        0x0240:  3036 2e36 3438 290d 0a48 6f73 743a 2074  06.648)..Host:.t
        0x0250:  6563 6873 6563 7572 6974 7974 6f6f 6c73  echsecuritytools
        0x0260:  2e6e 6574 0d0a 436f 6e6e 6563 7469 6f6e  .net..Connection
        0x0270:  3a20 4b65 6570 2d41 6c69 7665 0d0a 0d0a  :.Keep-Alive....

-- JackPepper - 25 Jan 2010

