#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin 2"; flow:to_server,established; content:"QQ|3a|"; depth:3; content:"|00 00|"; distance:11; within:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,12,little; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014110; rev:4;)

Added 2012-08-30 16:53:41 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Gh0st.QQ Checkin 2"; flow:to_server,established; content:"QQ|3a|"; depth:3; content:"|00 00|"; distance:11; within:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,12,little; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014110; rev:3;)

Added 2012-05-21 19:00:45 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Gh0st.QQ Checkin 2"; flow:to_server,established; content:"|00 00|"; offset:14; depth:2; content:"|00 00 78 9C|"; distance:2; within:4; byte_test:2,>,15,12,little; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014110; rev:2;)

Added 2012-01-10 14:06:49 UTC

Is there any more information on this binary other than the ThreatExpert report? Pushed it out to a few clients and this def shows false positives. In the ThreatExpert report it does show that it tries to make connections outbound via tcp port 443. If this is known then we could add "alert tcp $HOME_NET any -> $EXTERNAL_NET 443"

-- BurnedSpy - 13 Jan 2012
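The content/byte_test chain of rev 2 versus rev 3 above, as an added Python matcher (not Emerging Threats' or Snort's code); the payloads are constructed to exercise the rule and are not captured Gh0st traffic. It shows why rev 3's leading "QQ|3a|" anchor narrows the match set that rev 2 fired on.

```python
"""Re-implements the content/byte_test logic of ET SID 2014110 (rev 2 vs rev 3).
Added example; payloads are constructed, not real traffic."""
import struct


def find_content(payload, pattern, cursor, offset=0, depth=None, distance=None, within=None):
    """Snort-style content search; returns the end offset of the match or None.
    offset/depth are absolute from the payload start; distance/within are
    relative to `cursor`, the end of the previous content match."""
    if distance is None and within is None:
        start = offset
        end = len(payload) if depth is None else start + depth
    else:
        start = cursor + (distance or 0)
        end = len(payload) if within is None else start + within
    idx = payload.find(pattern, start, end)  # match must lie fully in [start, end)
    return None if idx == -1 else idx + len(pattern)


def byte_test_2_gt_15_at_12_le(payload):
    """byte_test:2,>,15,12,little  (absolute offset 12, little-endian uint16)."""
    return len(payload) >= 14 and struct.unpack_from("<H", payload, 12)[0] > 15


def sid2014110_rev2(payload):
    # content:"|00 00|"; offset:14; depth:2;
    c = find_content(payload, b"\x00\x00", 0, offset=14, depth=2)
    if c is None:
        return False
    # content:"|00 00 78 9C|"; distance:2; within:4;
    c = find_content(payload, b"\x00\x00\x78\x9c", c, distance=2, within=4)
    return c is not None and byte_test_2_gt_15_at_12_le(payload)


def sid2014110_rev3(payload):
    # content:"QQ|3a|"; depth:3;  -- the anchor added in rev 3
    c = find_content(payload, b"QQ:", 0, depth=3)
    if c is None:
        return False
    # content:"|00 00|"; distance:11; within:2;  (lands at absolute offset 14)
    c = find_content(payload, b"\x00\x00", c, distance=11, within=2)
    if c is None:
        return False
    # content:"|00 00 78 9C|"; distance:2; within:4;  (lands at absolute offset 18)
    c = find_content(payload, b"\x00\x00\x78\x9c", c, distance=2, within=4)
    return c is not None and byte_test_2_gt_15_at_12_le(payload)


# Constructed payloads: bytes 12-13 hold 0x0020 LE (32 > 15), 14-15 are 00 00, 18-21 are 00 00 78 9C.
CHECKIN = b"QQ:" + b"A" * 9 + b"\x20\x00" + b"\x00\x00" + b"BB" + b"\x00\x00\x78\x9c" + b"zlib..."
NO_PREFIX = b"XX:" + CHECKIN[3:]        # same layout, different 3-byte prefix
SMALL_LEN = CHECKIN[:12] + b"\x0f\x00" + CHECKIN[14:]   # byte_test value 15, not > 15
```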


Topic revision: r2 - 2012-01-13 - BurnedSpy