#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ|3a|124971919"; depth:12; content:"|00 00|"; distance:2; within:2; content:"|00 00 78 9C|"; distance:2; within:4; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:2; metadata:affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, deployment Perimeter, tag PCRAT, tag Gh0st, tag RAT, signature_severity Critical, created_at 2012_01_10, malware_family Gh0st, malware_family PCRAT, updated_at 2016_07_01;)

Added 2017-08-07 21:07:26 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ|3a|124971919"; depth:12; content:"|00 00|"; distance:2; within:2; content:"|00 00 78 9C|"; distance:2; within:4; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:2;)

Added 2012-08-30 16:53:41 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ|3a|124971919"; depth:12; content:"|00 00|"; distance:2; within:2; content:"|00 00 78 9C|"; distance:2; within:4; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:1;)

Added 2012-01-12 22:16:42 UTC
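All three revisions of sid:2014109 carry the same three `content` matches, so the detection logic has not changed since rev:1. Read with Snort/Suricata semantics (`depth` from the start of the payload, `distance`/`within` relative to the previous match), those matches pin down a fixed 22-byte prefix on the client's first packet: the 12-byte marker, a 4-byte little-endian total length whose upper two bytes must be zero, a 4-byte little-endian uncompressed length whose upper two bytes must be zero, then the zlib header `78 9C`. The Python below is an added example, not code or test data from Emerging Threats: it replays the rule's offsets over constructed packets and shows one consequence of the two `00 00` checks. The header layout (magic | total_len | raw_len | zlib data) is inferred from the rule's offsets alone, not from a sample of the binary, and the check-in field names are invented.

```python
"""Added example: replay the byte logic of sid:2014109 in Python.

Layout implied by the rule's three content matches (byte offsets):

   0..11  "QQ:124971919"            content, depth:12
  12..15  total length, u32 LE      bytes 14-15 must be 00 00  (distance:2 within:2)
  16..19  uncompressed len, u32 LE  bytes 18-19 must be 00 00  (distance:2 within:4)
  20..21  78 9C                     zlib header at default compression level

The layout is an assumption drawn from the rule's offsets, not from a sample;
the check-in payload below is constructed for the demo.
"""
import struct
import zlib

MAGIC = b"QQ:124971919"  # 12 bytes, the rule's first content match


def build_checkin(payload: bytes) -> bytes:
    """Build a packet in the assumed layout: magic | total_len | raw_len | zlib(payload)."""
    comp = zlib.compress(payload)  # default level gives the 2-byte header 78 9C
    total = len(MAGIC) + 4 + 4 + len(comp)
    return MAGIC + struct.pack("<II", total, len(payload)) + comp


def _content(buf: bytes, pattern: bytes, cursor: int, *, depth=None, distance=0, within=None):
    """One Snort-style content match. Returns the cursor after the match, or None.

    depth    : the pattern must end within the first `depth` bytes (first match only)
    distance : skip this many bytes after the previous match before searching
    within   : the pattern must lie entirely inside the next `within` bytes
    """
    start = cursor + distance
    if within is not None:
        end = start + within
    elif depth is not None:
        end = cursor + depth
    else:
        end = len(buf)
    idx = buf.find(pattern, start, end)  # end is exclusive, so the whole pattern must fit
    return None if idx < 0 else idx + len(pattern)


def matches_sid_2014109(buf: bytes) -> bool:
    """Chain the rule's three content matches exactly as written in the signature."""
    cur = _content(buf, MAGIC, 0, depth=12)
    if cur is None:
        return False
    cur = _content(buf, b"\x00\x00", cur, distance=2, within=2)
    if cur is None:
        return False
    return _content(buf, b"\x00\x00\x78\x9c", cur, distance=2, within=4) is not None


def parse_checkin(buf: bytes):
    """Decode a matching packet into (total_len, raw_len, decompressed payload)."""
    total, raw = struct.unpack_from("<II", buf, 12)
    payload = zlib.decompress(buf[20:total])
    if len(payload) != raw:
        raise ValueError("uncompressed length field does not match payload")
    return total, raw, payload


# Constructed sample check-in; the field names are invented for the demo.
SAMPLE_PAYLOAD = b"host=WIN-TEST;os=5.1.2600;ver=1.0"
SAMPLE_PACKET = build_checkin(SAMPLE_PAYLOAD)

# Same protocol, but a payload of 64 KiB or more: bytes 18-19 are no longer 00 00,
# so the rule does not fire. The two "00 00" checks are really "length < 65536" checks.
BIG_PACKET = build_checkin(b"A" * 70000)

# The marker string appearing later in a packet is not enough: depth:12 requires it
# to sit at the very start, and the length and zlib bytes must line up behind it.
HTTP_PACKET = b"GET /QQ:124971919 HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    for name, pkt in (("sample", SAMPLE_PACKET), ("big", BIG_PACKET), ("http", HTTP_PACKET)):
        print(f"{name:6s} alert={matches_sid_2014109(pkt)} head={pkt[:22].hex(' ')}")
    print(parse_checkin(SAMPLE_PACKET))
```

Because each `within` equals the length of the pattern it qualifies, the second and third matches are effectively exact-offset checks at bytes 14 and 18; the matcher never looks past byte 21, so everything after the zlib header, including the check-in contents, is invisible to the rule.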

This signature along with sid:2014110 present great false positives. I added that to the documentation in the other sid. If there is some way to maybe get more information about this binary and what it does other than threatexpert, then it might be good. I really suggest that if it's true outbound traffic and it always appears to be over web ports, we should move it to "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS".

-- BurnedSpy - 14 Jan 2012


Topic revision: r2 - 2012-01-14 - BurnedSpy