alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC? Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"spf2.0/"; distance:0; content:!"|7c|"; distance:0; content:!"_domainkey"; classtype:trojan-activity; sid:2013935; rev:6;)

Added 2016-05-09 17:18:53 UTC


alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC? Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"spf2.0/"; distance:0; content:!"|7c|"; distance:0; classtype:trojan-activity; sid:2013935; rev:5;)

Added 2015-09-01 19:02:24 UTC


alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC? Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; content:!"spf2.0/"; distance:0; classtype:trojan-activity; sid:2013935; rev:4;)

Added 2014-11-13 22:18:28 UTC


alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC? Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"v="; distance:0; classtype:trojan-activity; sid:2013935; rev:3;)

Added 2014-10-16 13:51:50 UTC


alert udp any 53 -> $HOME_NET any (msg:"ET TROJAN Win32.Zbot.chas/Unruy.H Covert DNS CnC? Channel TXT Response"; content:"|C0 0C 00 10 00 01|"; content:"|00 dd dc|"; distance:4; within:3; content:!"spf"; distance:0; classtype:trojan-activity; sid:2013935; rev:2;)

Added 2011-11-28 17:47:28 UTC

FP on domainkey query responses. Like "dig ecos4._domainkey.mail.pizzaexpress.com TXT"

-- StephaneChazelas - 2013-11-11
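Worked example, added here and not part of the ET rule set or of this wiki page: a small Python evaluator that applies the content / distance / within / negation chain of rev 2 and rev 6 to constructed DNS TXT responses, reproducing the _domainkey false positive reported above and showing that the later negations suppress it. The packet builder, the padded DKIM-style key, the SPF string and the query names other than the one quoted in the comment are constructed sample data, not real records.

```python
import struct

# Constructed sample data and a toy matcher; not the ET rule set's own code.
# The rule keys on RDLENGTH 0x00DD (221) followed by a 0xDC (220) character-string length byte.
TXT_LEN = 220


def encode_name(name):
    """Encode a dotted DNS name as uncompressed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"


def build_txt_response(qname, strings, txid=0x1234, ttl=300):
    """Build a minimal DNS response: one question and one TXT answer whose owner name
    is the compression pointer 0xC00C (offset 12 = the question name), as the rule expects."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack(">HH", 16, 1)  # QTYPE TXT, QCLASS IN
    rdata = b"".join(bytes([len(s)]) + s for s in strings)     # TXT character-strings
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 16, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def rule_matches(payload, contents):
    """Evaluate an ordered list of (pattern, negated, distance, within) content checks
    with Snort-style relative semantics: the search window starts `distance` bytes after
    the end of the previous match and, when `within` is set, is `within` bytes long.
    A negated content fails the rule if the pattern is found and never moves the cursor."""
    cursor = 0
    for pattern, negated, distance, within in contents:
        start = cursor + distance
        end = len(payload) if within is None else start + within
        pos = payload.find(pattern, start, end)
        if negated:
            if pos != -1:
                return False
            continue
        if pos == -1:
            return False
        cursor = pos + len(pattern)
    return True


# Content chains transcribed from the rev 2 and rev 6 rule text above.
REV2 = [
    (b"\xc0\x0c\x00\x10\x00\x01", False, 0, None),  # pointer to qname, TYPE TXT, CLASS IN
    (b"\x00\xdd\xdc", False, 4, 3),                 # skip TTL; RDLENGTH 221, string length 220
    (b"spf", True, 0, None),
]
REV6 = REV2[:2] + [
    (b"v=", True, 0, None),
    (b"spf2.0/", True, 0, None),
    (b"|", True, 0, None),            # |7c|
    (b"_domainkey", True, 0, None),
]

# Constructed 220-byte TXT payloads, exactly the length the rule keys on.
DKIM_TXT = b"v=DKIM1; k=rsa; p=" + b"A" * 202                      # DKIM-style record, dummy key
SPF_TXT = b"v=spf1 include:_spf.example.com -all".ljust(TXT_LEN, b" ")
COVERT_TXT = b"0123456789abcdef" * 13 + b"0123456789ab"            # opaque data, no excluded substrings

DKIM_RESPONSE = build_txt_response("ecos4._domainkey.mail.pizzaexpress.com", [DKIM_TXT])
SPF_RESPONSE = build_txt_response("example.com", [SPF_TXT])
COVERT_RESPONSE = build_txt_response("cnc.example.invalid", [COVERT_TXT])


def evaluate(payload):
    """Return which revisions of SID 2013935 would alert on the given response."""
    return {"rev2": rule_matches(payload, REV2), "rev6": rule_matches(payload, REV6)}


if __name__ == "__main__":
    for label, pkt in [("DKIM", DKIM_RESPONSE), ("SPF", SPF_RESPONSE), ("covert", COVERT_RESPONSE)]:
        print(label, evaluate(pkt))
```

Running it shows the DKIM-style response alerting under rev 2 (only "spf" is excluded, and a DKIM key contains no such substring) and not under rev 6, while the opaque 220-byte payload still alerts under both. Because every negated content is anchored with distance:0 to the previous match, it is searched from the start of the TXT data onward and never over the question section, so for the DKIM sample it is the "v=" exclusion, not the later "_domainkey" one, that suppresses the alert; the "_domainkey" negation only helps when that string appears inside the TXT data itself.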


Topic revision: r2 - 2013-11-11 - StephaneChazelas