# rev:6 as re-added 2011-10-12 (disabled here by the leading '#'): the matches now sit on the HTTP
# sticky buffers (http_method / http_header / http_uri) instead of raw payload offsets.
# Note the downloadfree.avg.com negation and the User-Agent content carry no http_header modifier
# (and the former no nocase), unlike the toolbar.live.com negation, so those two are evaluated
# against the raw payload and the downloadfree.avg.com exclusion is case-sensitive.
# pcre: /U inspects the normalized URI, /i makes [0-9A-Z] match lowercase too, and the trailing $
# means a URI with anything after ".bin" (e.g. a query string) will not match.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET"; http_method; content:!"Referer|3a|"; nocase; http_header; content:!"Host|3a| toolbar.live.com|0d 0a|"; nocase; http_header; content:!"Host|3a| downloadfree.avg.com|0d 0a|"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE"; content:"Accept|3a| */*"; http_header; content:".bin"; http_uri; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; classtype:trojan-activity; sid:2010348; rev:6;)

Added 2011-10-12 19:29:32 UTC


# rev:6 as added 2011-09-14 (disabled by the leading '#'): same rule text as the 2011-10-12 entry,
# only the option order differs (classtype before the references). As in that entry, the
# downloadfree.avg.com negation and the User-Agent content lack http_header, and the
# downloadfree.avg.com negation lacks nocase, so that Host exclusion is case-sensitive.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET"; http_method; content:!"Referer|3a|"; nocase; http_header; content:!"Host|3a| toolbar.live.com|0d 0a|"; nocase; http_header; content:!"Host|3a| downloadfree.avg.com|0d 0a|"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE"; content:"Accept|3a| */*"; http_header; content:".bin"; http_uri; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; classtype:trojan-activity; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; sid:2010348; rev:6;)

Added 2011-09-14 22:42:46 UTC


# rev:6 as first added 2011-02-04 (disabled by the leading '#'): the first revision to use the
# http_method / http_header / http_uri buffers. Same detection logic as the later rev:6 entries,
# plus a cvsweb reference that those entries drop. The downloadfree.avg.com negation still has
# neither http_header nor nocase, unlike the toolbar.live.com negation.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET"; http_method; content:!"Referer|3a|"; nocase; http_header; content:!"Host|3a| toolbar.live.com|0d 0a|"; nocase; http_header; content:!"Host|3a| downloadfree.avg.com|0d 0a|"; content:"User-Agent|3a| Mozilla/4.0 (compatible|3b| MSIE"; content:"Accept|3a| */*"; http_header; content:".bin"; http_uri; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; classtype:trojan-activity; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zeus; sid:2010348; rev:6;)

Added 2011-02-04 17:29:51 UTC


# rev:4 as re-added 2010-01-25 (disabled by the leading '#'): raw-payload matching — "GET " at
# depth:4, CRLF-anchored header contents, uricontent for ".bin". Both Host negations are literal
# header lines; only the toolbar.live.com one is nocase. Any other AVG host seen in the thread on
# this page (af.avg.com, download.avg.com) is not excluded by this revision.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET "; depth:4; content:!"|0d 0a|Referer|3a|"; nocase; content:!"|0d 0a|Host|3a| toolbar.live.com|0d 0a|"; nocase; content:!"|0d 0a|Host\: downloadfree.avg.com|0d 0a|"; content:"|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible\; MSIE"; content:"|0d 0a|Accept|3a| */*|0d 0a|"; uricontent:".bin"; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; classtype:trojan-activity; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zeus; sid:2010348; rev:4;)

Added 2010-01-25 10:47:32 UTC


# Duplicate history entry of rev:4 (2010-01-25, disabled by the leading '#'); the rule text is
# byte-identical to the other 2010-01-25 entries on this page.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET "; depth:4; content:!"|0d 0a|Referer|3a|"; nocase; content:!"|0d 0a|Host|3a| toolbar.live.com|0d 0a|"; nocase; content:!"|0d 0a|Host\: downloadfree.avg.com|0d 0a|"; content:"|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible\; MSIE"; content:"|0d 0a|Accept|3a| */*|0d 0a|"; uricontent:".bin"; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; classtype:trojan-activity; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zeus; sid:2010348; rev:4;)

Added 2010-01-25 10:47:32 UTC


# Duplicate history entry of rev:4 (2010-01-25, disabled by the leading '#'); same rule text as
# the surrounding 2010-01-25 entries — no detection change between them.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET "; depth:4; content:!"|0d 0a|Referer|3a|"; nocase; content:!"|0d 0a|Host|3a| toolbar.live.com|0d 0a|"; nocase; content:!"|0d 0a|Host\: downloadfree.avg.com|0d 0a|"; content:"|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible\; MSIE"; content:"|0d 0a|Accept|3a| */*|0d 0a|"; uricontent:".bin"; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; classtype:trojan-activity; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zeus; sid:2010348; rev:4;)

Added 2010-01-25 10:44:12 UTC


# Duplicate history entry of rev:4 (2010-01-25, disabled by the leading '#'); the text matches the
# active rev:4 entry dated 2010-01-08 below exactly, so this re-add changed nothing in detection.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET "; depth:4; content:!"|0d 0a|Referer|3a|"; nocase; content:!"|0d 0a|Host|3a| toolbar.live.com|0d 0a|"; nocase; content:!"|0d 0a|Host\: downloadfree.avg.com|0d 0a|"; content:"|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible\; MSIE"; content:"|0d 0a|Accept|3a| */*|0d 0a|"; uricontent:".bin"; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; classtype:trojan-activity; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zeus; sid:2010348; rev:4;)

Added 2010-01-25 10:44:12 UTC


# rev:4 (2010-01-08, active): adds the downloadfree.avg.com Host negation requested in the thread
# below; unlike the toolbar.live.com negation it has no nocase, so it is an exact-case match.
# The false positive reported under this entry shows Host: af.avg.com, which neither negation
# covers. NOTE(review): that request's User-Agent (AVGINET9-...) does not contain the
# "Mozilla/4.0 (compatible; MSIE" string this rule requires, so the quoted capture is presumably
# truncated or from a different client — confirm against the full session before widening the
# host exclusions.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET "; depth:4; content:!"|0d 0a|Referer|3a|"; nocase; content:!"|0d 0a|Host|3a| toolbar.live.com|0d 0a|"; nocase; content:!"|0d 0a|Host\: downloadfree.avg.com|0d 0a|"; content:"|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible\; MSIE"; content:"|0d 0a|Accept|3a| */*|0d 0a|"; uricontent:".bin"; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; classtype:trojan-activity; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zeus; sid:2010348; rev:4;)

Added 2010-01-08 16:30:45 UTC

False positive (FP) from AVG:

GET /softw/90free/update/u9iavi2641u2640uq.bin HTTP/1.1..User-Agent: AVGINET9-WVSHX86 90FREE AVI=271.1.1/2640 BUILD=730 LOC=1033 LIC=9AVFREE-VKPCB-6BWFM-TRLQR-BRUHP-CP86G DIAG=1300 OPF=0 PCA=..Host: af.avg.com

-- RussellFulton - 24 Jan 2010


# rev:4 as first added 2010-01-08 (active): identical text to the rev:4 entry above. The only
# change from rev:3 is the added downloadfree.avg.com Host negation (without nocase).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET "; depth:4; content:!"|0d 0a|Referer|3a|"; nocase; content:!"|0d 0a|Host|3a| toolbar.live.com|0d 0a|"; nocase; content:!"|0d 0a|Host\: downloadfree.avg.com|0d 0a|"; content:"|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible\; MSIE"; content:"|0d 0a|Accept|3a| */*|0d 0a|"; uricontent:".bin"; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; classtype:trojan-activity; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zeus; sid:2010348; rev:4;)

Added 2010-01-08 16:30:45 UTC


# rev:3 (2009-12-17): adds the toolbar.live.com Host negation (nocase) on top of rev:2. AVG
# downloads from downloadfree.avg.com still fire on this revision — see the report under this
# entry, which led to the downloadfree.avg.com negation in rev:4.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET "; depth:4; content:!"|0d 0a|Referer|3a|"; nocase; content:!"|0d 0a|Host|3a| toolbar.live.com|0d 0a|"; nocase; content:"|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible\; MSIE"; content:"|0d 0a|Accept|3a| */*|0d 0a|"; uricontent:".bin"; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; classtype:trojan-activity; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zeus; sid:2010348; rev:3;)

Added 2009-12-17 16:30:42 UTC

Grisoft AVG free users downloading AVG for the first time or pulling updates seem to trigger this rule with a GET of a .BIN file from host name downloadfree.avg.com or download.avg.com.

For example:

GET /pupdate/u7avi1835ar.bin HTTP/1.1

Accept: */*

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Cookie: s_cc=true; s_sq=avgcorporatepublicww%3D%2526pid%253Dhttp%25253A//www.avg.com/us-en/download-8%25253Fprd%25253Dais%2526pidt%253D1%2526oid%253Dhttp%25253A//www.avg.com/us-en/download-8%25253Fprd%25253Dais%252523tba4%2526ot%253DA%2526oi%253D47; avg_eshop_chsel=inhouse; avg_eshop_cart=xxx; avgcallback=xxx; AVGCSC110=xxx

Connection: Keep-Alive

Host: downloadfree.avg.com

Perhaps something like this could be added to the rule, as was done for toolbar.live.com:

content:!"|0d 0a|Host|3a| download.avg.com|0d 0a|"; nocase;

content:!"|0d 0a|Host|3a| downloadfree.avg.com|0d 0a|"; nocase;

-- KevinBranch - 08 Jan 2010

Just added a content negate for downloadfree.avg.com. That should solve the issue. Thanks Kevin!

-- MattJonkman - 08 Jan 2010


# rev:3 as first added 2009-12-17: same text as the rev:3 entry above; excludes Host
# toolbar.live.com (nocase) only.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET "; depth:4; content:!"|0d 0a|Referer|3a|"; nocase; content:!"|0d 0a|Host|3a| toolbar.live.com|0d 0a|"; nocase; content:"|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible\; MSIE"; content:"|0d 0a|Accept|3a| */*|0d 0a|"; uricontent:".bin"; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; classtype:trojan-activity; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zeus; sid:2010348; rev:3;)

Added 2009-12-17 16:30:42 UTC


# rev:2 (2009-11-20), the earliest revision on this page: no Host exclusions yet. Fires on a GET
# with no Referer header, an "MSIE"-style User-Agent, "Accept: */*", and a URI ending in
# /<alnum>/<alnum>.bin (pcre /U = normalized URI, /i = case-insensitive). Every legitimate
# .bin download with this header shape (e.g. the AVG updaters discussed below) matches it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Possible Zeus/Perkesh (.bin) configuration download"; flow:established,to_server; content:"GET "; depth:4; content:!"|0d 0a|Referer|3a|"; nocase; content:"|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible\; MSIE"; content:"|0d 0a|Accept|3a| */*|0d 0a|"; uricontent:".bin"; pcre:"/\/[0-9A-Z]+\/[0-9A-Z]+\.bin$/Ui"; classtype:trojan-activity; reference:url,zeustracker.abuse.ch; reference:url,doc.emergingthreats.net/2010348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Zeus; sid:2010348; rev:2;)

Added 2009-11-20 15:45:42 UTC


Topic revision: r4 - 2010-01-24 - RussellFulton
 