#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ|3a|124971919"; depth:12; content:"|00 00|"; distance:2; within:2; content:"|00 00 78 9C|"; distance:2; within:4; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:2;)

Added 2012-08-30 16:53:41 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ|3a|124971919"; depth:12; content:"|00 00|"; distance:2; within:2; content:"|00 00 78 9C|"; distance:2; within:4; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:1;)

Added 2012-01-12 22:16:42 UTC

This signature, along with sid:2014110, presents great false positives. I added that to the documentation in the other sid. If there is some way to maybe get more information about this binary and what it does other than threatexpert, then it might be good. I really suggest that if it's true outbound traffic and it always appears to be over web ports, we should move it to "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS".

-- BurnedSpy - 14 Jan 2012
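To see exactly which bytes the content chain in sid:2014109 pins down, here is an added Python model of its depth/distance/within semantics run over constructed packets (example code, not from the Emerging Threats ruleset or this TWiki page). The packet layout used for the samples (12-byte magic, two little-endian uint32 length fields, then a zlib stream) is an assumption consistent with the rule's offsets, and within is counted from the post-distance start, as the rule clearly intends.

```python
import struct
import zlib

# Content chain transcribed from sid:2014109 as (pattern, depth, distance, within).
RULE_2014109 = [
    (b"QQ:124971919", 12, None, None),
    (b"\x00\x00", None, 2, 2),
    (b"\x00\x00\x78\x9c", None, 2, 4),
]


def content_chain_matches(payload: bytes, chain) -> bool:
    """Model of Snort/Suricata content modifiers.

    depth: the first pattern must end no later than this absolute offset.
    distance: skip this many bytes after the end of the previous match.
    within: the pattern must end within this many bytes of that skip point.
    """
    cursor = 0
    for pattern, depth, distance, within in chain:
        start = cursor + (distance or 0)
        if depth is not None:
            end = depth
        elif within is not None:
            end = start + within
        else:
            end = len(payload)
        idx = payload.find(pattern, start, end)  # match must lie in [start, end)
        if idx == -1:
            return False
        cursor = idx + len(pattern)
    return True


def build_checkin(body: bytes, magic: bytes = b"QQ:124971919") -> bytes:
    """Constructed sample packet (assumed layout, not taken from the page):
    magic, total length and uncompressed length as little-endian uint32,
    then the zlib stream, whose default header bytes are 78 9C."""
    compressed = zlib.compress(body)
    total = len(magic) + 8 + len(compressed)
    return magic + struct.pack("<II", total, len(body)) + compressed


if __name__ == "__main__":
    good = build_checkin(b"constructed checkin body")
    shifted = b"X" + good              # magic no longer ends within depth:12
    big = build_checkin(b"A" * 70000)  # length >= 65536, so bytes 18-19 are not 00 00
    for name, pkt in [("well-formed", good), ("shifted", shifted), ("large", big)]:
        print(f"{name}: {content_chain_matches(pkt, RULE_2014109)}")
```

The third sample shows what the rule's zero-byte anchors assume: both length fields in the header stay below 65536, so the high-order bytes the rule tests are always zero.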


Topic revision: r2 - 2012-01-14 - BurnedSpy