# sid 2010743 rev 7 (snapshot added 2011-10-12): Oficla HTTP check-in.
# Fires on an outbound GET to a .php URI whose query carries v=, &id=, &b= and
# &tm= while the request has neither a Referer nor an Accept-Encoding header
# (both normally present in browser traffic). The header negations use the
# http_header buffer, so they no longer depend on a leading CRLF the way the
# rev 4 raw-payload negations did. fast_pattern is pinned to "&tm=".
# NOTE(review): "v=" is the only URI token not anchored on "&" or "?", so it
# also matches as a substring of e.g. "iv=" or "&adv=".
# NOTE(review): this page shows three distinct rev:7 texts (2011-02-04,
# 2011-09-14, 2011-10-12) that differ only in the reference list; rev was not
# bumped, so rule managers keyed on sid/rev cannot distinguish them.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin (1)"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:!"Accept-Encoding|3a| "; nocase; http_header; content:".php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&tm="; nocase; http_uri; fast_pattern; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; reference:url,doc.emergingthreats.net/2010743; classtype:trojan-activity; sid:2010743; rev:7;)

Added 2011-10-12 19:30:28 UTC


# sid 2010743 rev 7 (snapshot added 2011-09-14). Detection logic is identical
# to the 2011-02-04 rev 7 text: outbound GET, .php URI carrying v=, &id=, &b=,
# &tm= (http_uri), no Referer and no Accept-Encoding in the http_header buffer,
# fast_pattern on "&tm=". Only change is the dropped cvsweb reference.
# NOTE(review): the reference list changed without a rev bump.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin (1)"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:!"Accept-Encoding|3a| "; nocase; http_header; content:".php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&tm="; nocase; http_uri; fast_pattern; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; reference:url,doc.emergingthreats.net/2010743; sid:2010743; rev:7;)

Added 2011-09-14 22:43:40 UTC


# sid 2010743 rev 7 (snapshot added 2011-02-04). First text to use the
# http_method / http_header / http_uri buffers instead of "GET " with depth:4
# and uricontent. The negated header checks lose their "|0d 0a|" prefix because
# http_header already scopes the match to the request headers; fast_pattern is
# added on "&tm=". The URI tokens themselves are unchanged from rev 4.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin (1)"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Referer|3a| "; http_header; nocase; content:!"Accept-Encoding|3a| "; nocase; http_header; content:".php?"; nocase; http_uri; content:"v="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&b="; nocase; http_uri; content:"&tm="; nocase; http_uri; fast_pattern; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; reference:url,doc.emergingthreats.net/2010743; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Oficla; sid:2010743; rev:7;)

Added 2011-02-04 17:30:23 UTC


# sid 2010743 rev 4 (snapshot added 2010-02-08). Same logic as rev 3: "GET "
# within the first 4 payload bytes, no CRLF-prefixed Referer or Accept-Encoding
# header anywhere in the payload, and a .php URI containing v=, &id=, &b=,
# &tm=. Differs from rev 3 only by the re-added doc.emergingthreats.net and
# cvsweb references.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin (1)"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; reference:url,doc.emergingthreats.net/2010743; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Oficla; sid:2010743; rev:4;)

Added 2010-02-08 09:46:10 UTC


# sid 2010743 rev 4 (snapshot added 2010-02-08; the page lists this snapshot
# twice). Rev 3 logic with the doc.emergingthreats.net and cvsweb references
# re-added: "GET " in the first 4 bytes, no CRLF-prefixed Referer or
# Accept-Encoding header, .php URI containing v=, &id=, &b=, &tm=.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin (1)"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; reference:url,doc.emergingthreats.net/2010743; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Oficla; sid:2010743; rev:4;)

Added 2010-02-08 09:46:10 UTC


# sid 2010743 rev 3 (snapshot added 2010-02-03). False-positive fix for the
# rev 2 hits on large atdmt/yieldmanager ad URIs reported further down this
# page: "id=", "b=" and "tm=" are now anchored as "&id=", "&b=", "&tm=" so they
# no longer match inside "bannerid=", "cb=" and "ptm=" in the decoded URI, and
# the msg gains a "(1)" suffix. The doc.emergingthreats.net and cvsweb
# references present in rev 2 are missing here (restored in rev 4).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin (1)"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010743; rev:3;)

Added 2010-02-03 16:31:03 UTC


# sid 2010743 rev 3 (snapshot added 2010-02-03; the page lists this snapshot
# twice). Anchors the rev 2 "id=", "b=", "tm=" URI tokens on "&" to stop the
# ad-network false positives and adds "(1)" to the msg; only the threatexpert
# reference is carried over.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin (1)"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"&id="; nocase; uricontent:"&b="; nocase; uricontent:"&tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010743; rev:3;)

Added 2010-02-03 16:31:03 UTC


# sid 2010743 rev 2 (snapshot added 2010-01-30). Adds the doc.emergingthreats.net
# and cvsweb references to rev 1; detection logic unchanged.
# KNOWN FP (see the 2010-02-03 note below): "id=", "b=" and "tm=" are
# unanchored uricontent matches, and uricontent is evaluated against the
# http_inspect-normalized (percent-decoded) URI, so they hit "bannerid=",
# "cb=" and "ptm=" inside large ad-network requests. Fixed in rev 3 by
# anchoring each token on "&".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"id="; nocase; uricontent:"b="; nocase; uricontent:"tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; reference:url,doc.emergingthreats.net/2010743; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Oficla; sid:2010743; rev:2;)

Added 2010-01-30 11:16:06 UTC

False positives on large atdmt/yieldmanager ad requests (two examples below). Root cause: the rev 2 `uricontent` checks for `id=`, `b=` and `tm=` are not anchored on `&`, and uricontent is matched against the http_inspect-normalized (percent-decoded) URI, so they match inside `bannerid=`, `cb=` and `ptm=` in these ad URLs. Rev 3 (2010-02-03) anchors each token as `&id=`, `&b=`, `&tm=`.

The GET is so large that the captured packet does not include the Host: header, but the destination IPs were 64.94.107.28 and 146.57.248.80, which appear to be legitimate (the URIs are atdmt/yieldmanager ad requests).

GET /pixel;r=1510795722;fpan=u;fpa=;ns=1;url=http%3A%2F%2Fview.atdmt.com%2Fcnt%2Fiview%2F193799134%2Fdirect%3Bwi.728%3Bhi.90%2F01%3Fclick%3Dhttp%3A%2F%2Fad.yieldmanager.com%2Fclick2%2CHgQAAEHaCwB1XTsAAAAAANzyDwAAAAAAAgAAAAYAAAAAABAAAQAECH9CFgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABoIwYAAAAAAAIAAQAAAAAAfHUTlCYBAAAAAAAAAAADkpYEOaU-AAAAAAIAAAAAAADgcaUAAAAAAAAAAAAAAAAAfAM5pT4AAAA%3D%2Chttp%253A%252F%252Fads.undertone.com%252Fck.php%253Foaparams%253D2__bannerid%253D107753__zoneid%253D6705__UTLCA%253D1__cb%253D4ab97c471b__bk%253Dkx9q6n__id%253Dm02u0azqvi808g0ws0swck4w__ptl%253D373__ptm%253D373__pto%253D%25253D%25253D__oadest%253D%2524%2Chttp%253A%252F%252Fwww.accuradio.com%252F%2Chttp%253A%252F%252Fvt.imiclk.com%252Fcgi%252Fvtc.cgi%253Fm%253D3%2526v%253Dc%2526c%253D3890549%2526z%253D1265204688%2526g%253D1045212%2526l%253D1458815%2526cv%253D113%2526cm%253DCPM%2526d%253D;ref=http%3A%2F%2Fad.yieldmanager.com%2Fiframe3%3FHgQAAEHaCwB1XTsAAAAAANzyDwAAAAAAAgAAAAYAAAAAABAAAQAECH9CFgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABoIwYAAAAAAAIAAQAAAAAAFK5H4XoU8j8UrkfhehTyPwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD19DijUGKyB4WRL2y3caYXCPY1nleUHNBf.eOlAAAAAA%3D%3D%2Chttp%3A%2F%2Fads.undertone.com%2Fck.php%3Foaparams%3D2__bannerid%3D107753__zoneid%3D6705__UTLCA%3D1__cb%3D4ab97c471b__bk%3Dkx9q6n__id%3Dm02u0azqvi808g0ws0swck4w__ptl%3D373__pt

GET /ds/CJCNTCINGCIN/refurb_GoGreen_010510/refurb_GoGreen_728x90_010510.swf?ver=1&clickTag1=http://ad.yieldmanager.com/click2,HgQAAEHaCwB1XTsAAAAAANzyDwAAAAAAAgAAAAYAAAAAABAAAQAECH9CFgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABoIwYAAAAAAAIAAQAAAAAAfHUTlCYBAAAAAAAAAAADkpYEOaU-AAAAAAIAAAAAAADgcaUAAAAAAAAAAAAAAAAAfAM5pT4AAAA=,http%3A%2F%2Fads.undertone.com%2Fck.php%3Foaparams%3D2__bannerid%3D107753__zoneid%3D6705__UTLCA%3D1__cb%3D4ab97c471b__bk%3Dkx9q6n__id%3Dm02u0azqvi808g0ws0swck4w__ptl%3D373__ptm%3D373__pto%3D%253D%253D__oadest%3D%24,http%3A%2F%2Fwww.accuradio.com%2F,http%3A%2F%2Fvt.imiclk.com%2Fcgi%2Fvtc.cgi%3Fm%3D3%26v%3Dc%26c%3D3890549%26z%3D1265204688%26g%3D1045212%26l%3D1458815%26cv%3D113%26cm%3DCPM%26d%3Dhttp://clk.atdmt.com/go/193799134/direct;wi.728;hi.90;ai.141883323;ct.1/01&clickTag=http://ad.yieldmanager.com/click2,HgQAAEHaCwB1XTsAAAAAANzyDwAAAAAAAgAAAAYAAAAAABAAAQAECH9CFgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABoIwYAAAAAAAIAAQAAAAAAfHUTlCYBAAAAAAAAAAADkpYEOaU-AAAAAAIAAAAAAADgcaUAAAAAAAAAAAAAAAAAfAM5pT4AAAA=,http%3A%2F%2Fads.undertone.com%2Fck.php%3Foaparams%3D2__bannerid%3D107753__zoneid%3D6705__UTLCA%3D1__cb%3D4ab97c471b__bk%3Dkx9q6n__id%3Dm02u0azqvi808g0ws0swck4w__ptl%3D373__ptm%3D373__pto%3D%253D%253D__oadest%3D%24,http%3A%2F%2Fwww.accuradio.com%2F,http%3A%2F%2Fvt.imiclk.com%2Fcgi%2Fvtc.cgi%3Fm%3D3%26v%3Dc%26c%3D3890549%26z%3D1265204688%26g%3D10

-- RichGraves - 03 Feb 2010


# sid 2010743 rev 2 (snapshot added 2010-01-30; the page lists this snapshot
# twice). Rev 1 logic plus the doc.emergingthreats.net and cvsweb references.
# The unanchored "id=", "b=", "tm=" uricontent tokens caused the ad-network
# false positives recorded above; rev 3 anchors them on "&".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"id="; nocase; uricontent:"b="; nocase; uricontent:"tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; reference:url,doc.emergingthreats.net/2010743; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Oficla; sid:2010743; rev:2;)

Added 2010-01-30 11:16:06 UTC


# sid 2010743 rev 1 (snapshot added 2010-01-29), original release.
# Logic: "GET " within the first 4 payload bytes, no CRLF-prefixed Referer or
# Accept-Encoding header anywhere in the payload, and a .php URI containing
# v=, id=, b= and tm=. The last three tokens are unanchored substring matches
# and caused the ad-network false positives recorded on this page; rev 3
# anchors them on "&". Only reference is the threatexpert sandbox report.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; content:!"|0d 0a|Accept-Encoding\: "; nocase; uricontent:".php?"; nocase; uricontent:"v="; nocase; uricontent:"id="; nocase; uricontent:"b="; nocase; uricontent:"tm="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f71d48a86776f8c0da4d7a46257ff97c; sid:2010743; rev:1;)

Added 2010-01-29 11:39:57 UTC

