#alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED W32/Bifrose.Backdoor Checkin Attempt via Facebook"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/omaha/update.php?"; http_uri; content:"User-Agent|3A 20|Facebook Update/"; http_header; content:"winhttp|3b|"; http_header; reference:md5,61661202e320dd91e4f7e4a10616eefc; classtype:trojan-activity; sid:2014404; rev:3; metadata:created_at 2012_03_20, updated_at 2012_03_20;)

Added 2017-08-07 21:07:48 UTC


##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Bifrose.Backdoor Checkin Attempt via Facebook"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/omaha/update.php?"; http_uri; content:"User-Agent|3A 20|Facebook Update/"; http_header; content:"winhttp|3b|"; http_header; reference:md5,61661202e320dd91e4f7e4a10616eefc; classtype:trojan-activity; sid:2014404; rev:2;)

Added 2012-03-21 18:10:07 UTC

False positives produced by digitally correctly signed and timestamped FaceBookUpdate?.exe utility

-- UveLokk - 22 Mar 2012


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Bifrose.Backdoor Checkin Attempt via Facebook"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/omaha/update.php?"; http_uri; content:"User-Agent|3A 20|Facebook Update/"; http_header; content:"winhttp|3b|"; http_header; reference:md5,61661202e320dd91e4f7e4a10616eefc; classtype:trojan-activity; sid:2014404; rev:2;)

Added 2012-03-20 17:59:15 UTC


Topic revision: r2 - 2012-03-22 - UveLokk
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats