# sid 2013186, rev 18: outbound check-in signature for Win32.Renos/Artro.
# The header is "alert http ... any -> ... any", so the rule keys on the HTTP protocol
# and does not restrict the destination port (the rev 16 entry on this page uses
# "alert tcp" with $HTTP_PORTS instead).
# NOTE(review): "http" as the rule protocol needs an engine with application-layer
# protocol detection; confirm the target sensor accepts it before deploying.
# All of the following must hold on an established client-to-server flow:
#   - the method is POST and the string "Referer" is absent from the headers
#   - the URI contains ".php?" and "=v", and the /U pcre requires a parameter value of
#     "v", two digits, then base64-alphabet characters ending in "==" at the end of the URI
#   - the request body begins with "data=" (depth:5), and the /P pcre requires the whole
#     body to be "data=" followed by correctly padded base64
#   - "wget" (case-insensitive) appears in the headers; this is the fast_pattern
# NOTE(review): the header field carrying "wget" is not pinned by the rule; presumably
# it is the User-Agent. Verify against a capture when triaging an alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32.Renos/Artro Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"Referer"; http_header; content:".php?"; http_uri; content:"=v"; http_uri; pcre:"/\.php\?[^=]+=v\d{2}[0-9A-Za-z\/\+]+==$/U"; content:"data="; http_client_body; depth:5; content:"wget"; nocase; http_header; fast_pattern:only; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; reference:url,www.threatexpert.com/report.aspx?md5=01ca25570659c2e1b8b887a3229ef421; classtype:trojan-activity; sid:2013186; rev:18;)

Added 2014-09-15 18:30:46 UTC


# sid 2013186, rev 16: same match options as the rev 18 entry on this page, but written
# as "alert tcp" to $HTTP_PORTS and filed under "ET CURRENT_EVENTS".
# Coverage caveat: only destination ports in $HTTP_PORTS are inspected, so detection
# depends on that variable being kept in step with the ports HTTP actually uses on the
# monitored network.
# Match summary: POST with no "Referer" in the headers; URI with ".php?" and a parameter
# value of "v" + two digits + base64-alphabet characters ending in "==" (pcre /U);
# body that is exactly "data=" + padded base64 (pcre /P); "wget" (nocase) in the headers
# as the fast_pattern.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Win32.Renos/Artro Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:!"Referer"; http_header; content:".php?"; http_uri; content:"=v"; http_uri; pcre:"/\.php\?[^=]+=v\d{2}[0-9A-Za-z\/\+]+==$/U"; content:"data="; http_client_body; depth:5; content:"wget"; nocase; http_header; fast_pattern:only; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; reference:url,www.threatexpert.com/report.aspx?md5=01ca25570659c2e1b8b887a3229ef421; classtype:trojan-activity; sid:2013186; rev:16;)

Added 2014-02-25 19:42:02 UTC


# sid 2013186, rev 15 (the entry dated 2014-02-25): POST check-in keyed on the literal
# "=v26M" in the URI, which is the fast_pattern.
# Also required: "==" somewhere in the URI, no "Referer" in the headers, and a body
# starting with "data=" (depth:5).
# The /P pcre accepts only a body of "data=" + base64 ending in the two-character "=="
# padding; bodies whose base64 ends in a single "=" or has no padding do not match.
# Coverage caveat: the version token is hard-coded, so only "=v26M" traffic alerts.
# The rev 16 and rev 18 entries on this page use a "=v" + two-digit pcre instead.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Win32.Renos/Artro Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:"=v26M"; http_uri; fast_pattern:only; content:"=="; http_uri; content:!"Referer"; http_header; content:"data="; depth:5; http_client_body; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*[A-Za-z0-9+/]{2}==$/P"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; reference:url,www.threatexpert.com/report.aspx?md5=01ca25570659c2e1b8b887a3229ef421; classtype:trojan-activity; sid:2013186; rev:15;)

Added 2014-02-18 10:07:34 UTC


# sid 2013186, rev 15 (the entry dated 2014-02-18): same content matches as the other
# rev 15 entry on this page ("=v26M" fast_pattern, "==" in the URI, no "Referer",
# body starting with "data="), but the pcre differs.
# Here the pcre carries the R flag (relative to the previous match) and no P flag, and
# has no "data=" prefix of its own; it expects base64 ending in "==" up to the end of
# the buffer it is evaluated against.
# NOTE(review): without P the buffer the pcre runs against is not stated by the rule;
# confirm on the target engine that it follows the http_client_body match as intended.
# NOTE(review): two different rule texts on this page carry sid 2013186 rev 15, so
# sid+rev alone does not identify which text a sensor has loaded. Compare the rule body.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Win32.Renos/Artro Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:"=v26M"; http_uri; fast_pattern:only; content:"=="; http_uri; content:!"Referer"; http_header; content:"data="; depth:5; http_client_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*[A-Za-z0-9+/]{2}==$/R"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; reference:url,www.threatexpert.com/report.aspx?md5=01ca25570659c2e1b8b887a3229ef421; classtype:trojan-activity; sid:2013186; rev:15;)

Added 2014-02-17 18:54:56 UTC


# sid 2013186, rev 13: POST check-in keyed on the literal "=v22M" in the URI, which is
# the fast_pattern.
# Also required: "==" somewhere in the URI, no "Referer" in the headers, and a body
# starting with "data=" (depth:5).
# The /P pcre requires the whole body to be "data=" + base64 in any of the three valid
# endings: "==" padding, "=" padding, or a full four-character group.
# Coverage caveat: the version token "=v22M" is hard-coded in the URI match.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Win32.Renos/Artro Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:"=v22M"; http_uri; fast_pattern:only; content:"=="; http_uri; content:!"Referer"; http_header; content:"data="; depth:5; http_client_body; pcre:"/^data=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/P"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; reference:url,www.threatexpert.com/report.aspx?md5=01ca25570659c2e1b8b887a3229ef421; classtype:trojan-activity; sid:2013186; rev:13;)

Added 2014-02-15 00:17:31 UTC


# sid 2013186, rev 10: POST check-in keyed on "=v22M" in the URI (fast_pattern), with
# "==" in the URI, no "Referer" in the headers, and a body starting with "data=".
# The pcre carries the R flag (relative to the previous match) and no P flag; it accepts
# base64 in any of the three valid endings up to the end of the buffer.
# NOTE(review): without P the buffer the pcre runs against is not stated by the rule.
# The rev 13 entry on this page replaces it with a /P pcre anchored on "^data=".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Win32.Renos/Artro Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:"=v22M"; http_uri; fast_pattern:only; content:"=="; http_uri; content:!"Referer"; http_header; content:"data="; depth:5; http_client_body; pcre:"/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/R"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; reference:url,www.threatexpert.com/report.aspx?md5=01ca25570659c2e1b8b887a3229ef421; classtype:trojan-activity; sid:2013186; rev:10;)

Added 2014-02-14 18:07:40 UTC


# sid 2013186, rev 9 (the entry dated 2011-10-12): matches on the URI alone.
# It requires "?ini=v22" and "==" in the URI of an established client-to-server flow.
# There is no method, header or body condition, and no distance/within tying the two
# URI strings together, so "==" may appear anywhere in the URI.
# Triage note: because nothing else is checked, an alert from this text says less than
# one from the later revisions on this page; inspect the request body and headers
# before treating the host as infected.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Win32.Renos/Artro Trojan Checkin"; flow:established,to_server; content:"?ini=v22"; http_uri; content:"=="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; reference:url,www.threatexpert.com/report.aspx?md5=01ca25570659c2e1b8b887a3229ef421; classtype:trojan-activity; sid:2013186; rev:9;)

Added 2011-10-12 19:36:18 UTC


# sid 2013186, rev 9 (the entry dated 2011-08-01 23:52): URI-only match on "?ini=v22"
# plus "==" anywhere in the URI; no method, header or body condition.
# The match options are the same as in the 2011-10-12 rev 9 entry on this page; only
# the position of classtype relative to the reference options differs.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Win32.Renos/Artro Trojan Checkin"; flow:established,to_server; content:"?ini=v22"; http_uri; content:"=="; http_uri; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; reference:url,www.threatexpert.com/report.aspx?md5=01ca25570659c2e1b8b887a3229ef421; sid:2013186; rev:9;)

Added 2011-08-01 23:52:12 UTC


# sid 2013186, rev 9 (the entry dated 2011-08-01 23:05): URI-only match on "?ini=v22"
# plus "==" anywhere in the URI; no method, header or body condition.
# The sample hash is given as "reference:md5,..." here, where the other rev 9 entries
# on this page give a threatexpert.com report URL for the same MD5.
# NOTE(review): "md5" must be a reference type the sensor's reference configuration
# defines; confirm before loading this text.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Win32.Renos/Artro Trojan Checkin"; flow:established,to_server; content:"?ini=v22"; http_uri; content:"=="; http_uri; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; reference:md5,01ca25570659c2e1b8b887a3229ef421; sid:2013186; rev:9;)

Added 2011-08-01 23:05:48 UTC


# sid 2013186, rev 7: URI-only match requiring ".php?ini=v22" and "==" in the URI of an
# established client-to-server flow.
# "ini" has to be the first query parameter directly after ".php?"; the rev 9 entries on
# this page drop the ".php" prefix and match "?ini=v22" alone.
# No method, header or body condition is checked.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Win32.Renos/Artro Trojan Checkin"; flow:established,to_server; content:".php?ini=v22"; http_uri; content:"=="; http_uri; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; sid:2013186; rev:7;)

Added 2011-07-29 20:54:27 UTC


# sid 2013186, rev 5: earliest text on this page.
# It requires the POST method, ".php?ini=v22" in the URI (case-insensitive via nocase),
# and "data=" in the request body.
# The "data=" match has no depth or offset, so it may occur anywhere in the body rather
# than only at its start, and the body's encoding is not checked.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Win32.Renos/Artro Trojan Checkin"; flow:established,to_server; content:"POST"; http_method; content:".php?ini=v22"; http_uri; nocase; content:"data="; http_client_body; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=TROJANDOWNLOADER%3aWIN32/RENOS.MJ; reference:url,www.securelist.com/en/analysis/204792172/The_Advertising_Botnet; sid:2013186; rev:5;)

Added 2011-07-05 19:18:37 UTC

