# sid 2013972 rev 4, commented out: the leading '#' means an engine loading
# this line does not evaluate the rule. The text is otherwise identical to the
# enabled rev 4 entry on this page, and rev was not incremented between the two,
# so sid+rev alone does not tell you whether the rule is active in a given
# ruleset snapshot. The page does not state why it was disabled.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing Loading... Wait Please"; flow:established,from_server; content:"Wait Please"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:4;)

Added 2012-04-18 11:50:45 UTC


# sid 2013972 rev 4 (enabled). Alerts on server-to-client data of an established
# flow from $EXTERNAL_NET on $HTTP_PORTS to $HOME_NET.
#   content:"Wait Please"; fast_pattern:only  - position-independent string handed
#       to the fast pattern matcher to select the rule.
#   content:">Loading..."                     - no offset/depth/distance, so it may
#       occur anywhere in the inspected payload; no nocase, so case-sensitive.
#   content:"<script"; distance:0             - must appear after the end of the
#       ">Loading..." match.
# Compared with rev 3 on this page, the closing-tag fragments ("</") and the
# within:50 proximity check are gone, which makes the match looser.
# NOTE(review): all three strings are common in benign "loading" pages, so expect
# false positives; triage an alert together with the follow-on requests from the
# same client rather than on its own.
# NOTE(review): no file_data or HTTP buffer keyword is present, so the strings are
# checked against the payload as the engine presents it; a compressed response
# body would presumably not match - confirm for the deployed engine.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing Loading... Wait Please"; flow:established,from_server; content:"Wait Please"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:4;)

Added 2012-04-16 18:46:10 UTC


# sid 2013972 rev 3 (enabled, ET CURRENT_EVENTS). Alerts on server-to-client data
# of an established flow from $EXTERNAL_NET on $HTTP_PORTS to $HOME_NET.
#   content:">WAIT PLEASE</"              - upper-case text between a tag end and the
#       start of a closing tag; no nocase, so a differently-cased page will not match.
#   content:">Loading...</"; within:50    - must be found within 50 bytes after the
#       end of the ">WAIT PLEASE</" match.
#   content:"<script"; distance:0         - must follow the ">Loading...</" match.
# The tag names themselves are not part of the match, only the '>' and '</'
# delimiters around the visible text.
# NOTE(review): no file_data or HTTP buffer keyword is present; a compressed
# response body would presumably not match - confirm for the deployed engine.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Initial Landing WAIT PLEASE Loading"; flow:established,from_server; content:">WAIT PLEASE</"; content:">Loading...</"; within:50; content:"<script"; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:3;)

Added 2012-03-19 23:39:14 UTC


# sid 2013972 rev 3, commented out and labelled "ET DELETED" in msg: an engine
# loading this line does not evaluate it. The detection options are the same as
# the enabled "ET CURRENT_EVENTS" rev 3 entry on this page; only the msg prefix
# and the leading '#' differ, and rev is 3 in both, so the same sid+rev exists in
# both a retired and an active form. Check the msg prefix and enabled state, not
# just sid:rev, when comparing ruleset snapshots.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Initial Landing WAIT PLEASE Loading"; flow:established,from_server; content:">WAIT PLEASE</"; content:">Loading...</"; within:50; content:"<script"; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:3;)

Added 2012-03-16 17:41:02 UTC


# sid 2013972 rev 2, commented out and labelled "ET DELETED" in msg.
# NOTE(review): the two content strings below are broken across lines, with
# "WAIT PLEASE" and "Loading..." standing alone. This looks like the page
# rendering consumed markup that was inside the quoted strings (rev 3 on this
# page matches ">WAIT PLEASE</" and ">Loading...</") - so the text shown here is
# presumably incomplete. Do not load it as-is; take the rule from the ruleset
# archive if this revision is needed.
# What is visible: two content matches with literal byte sequences (|0d 0a||0a|,
# |0a 20|, |0a|) pinning exact line breaks and spaces around the text, and no
# within/distance relation between the two contents.
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Initial Landing WAIT PLEASE Loading"; flow:established,from_server; content:"|0d 0a||0a|

WAIT PLEASE

"; content:"|0a 20|

Loading...

|0a|<script"; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:2;)

Added 2012-03-14 18:18:31 UTC


# sid 2013972 rev 2 (enabled, ET CURRENT_EVENTS). Same options as the commented-out
# "ET DELETED" rev 2 entry on this page; rev is 2 in both.
# NOTE(review): the content strings are broken across lines with bare text; this
# looks like the page rendering consumed markup inside the quoted strings, so the
# rule as displayed is presumably incomplete and should not be copied from here.
# What is visible: rev 1's single content is split into two at the whitespace
# between "WAIT PLEASE" and "Loading...", and the |20| that rev 1 required before
# the line feed there is no longer matched. Exact whitespace bytes are still
# required elsewhere, which makes the signature sensitive to small changes in the
# page's whitespace.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Initial Landing WAIT PLEASE Loading"; flow:established,from_server; content:"|0d 0a||0a|

WAIT PLEASE

"; content:"|0a 20|

Loading...

|0a|<script"; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:2;)

Added 2011-11-30 19:00:09 UTC


# sid 2013972 rev 1 (enabled, ET CURRENT_EVENTS): the first revision on this page.
# NOTE(review): the content string is broken across lines with bare text; this
# looks like the page rendering consumed markup inside the quoted string, so the
# rule as displayed is presumably incomplete and should not be copied from here.
# What is visible: a single content match covering the whole fragment from the
# leading |0d 0a||0a| through "WAIT PLEASE", the |20 0a 20| separator and
# "Loading..." to |0a|<script. One contiguous string means any byte of difference
# in whitespace or line endings between those elements prevents a match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Initial Landing WAIT PLEASE Loading"; flow:established,from_server; content:"|0d 0a||0a|

WAIT PLEASE

|20 0a 20|

Loading...

|0a|<script"; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:1;)

Added 2011-11-28 17:47:29 UTC

