# ET TROJAN Cridex.B/Feodo Checkin -- sid:2014405 rev:14 (the later of the two revisions listed on this page).
# Matches an established, outbound (to_server) HTTP POST from $HOME_NET to $EXTERNAL_NET on $HTTP_PORTS where:
#   - the normalised URI (pcre flag U) has the shape /xxx/xN_xxx/in with an optional trailing slash, anchored at
#     end of buffer; the literal "/in" at offset:11 depth:3 of the http_uri buffer pins that same position;
#   - the Host header (pcre flag H, multiline m, case-insensitive i) is 15-19 lowercase letters under .ru,
#     optionally followed by ":8080"; the ".ru" http_header content is the literal pre-check for it.
# Differences from rev 11 visible here: the trailing slash after "/in" became optional (\/? instead of \/),
# the Host pcre gained the (\x3a8080)? alternative and the H buffer flag, the URI content was shortened to
# "/in" with depth:3, and fast_pattern was dropped.
# NOTE(review): both literal contents ("/in", ".ru") are short, so most of the selectivity comes from the two
# pcre checks -- presumably acceptable for this traffic profile; confirm against engine load if tuning.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cridex.B/Feodo Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/in"; offset:11; depth:3; http_uri; content:".ru"; http_header; pcre:"/\/\w{3}\/\w\d_\w\w\w\/in\/?$/Ui"; pcre:"/Host\x3a\s[a-z]{15,19}\.ru(\x3a8080)?/Hm"; reference:md5,7ed139b53e24e4385c4c59cd2aa0e5f7; reference:url,labs.m86security.com/2012/03/the-cridex-trojan-targets-137-financial-organizations-in-one-go/; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; reference:url,about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_CRIDEX.IC; classtype:trojan-activity; sid:2014405; rev:14;)

Added 2012-03-21 18:10:07 UTC


# ET TROJAN Cridex.B/Feodo Checkin -- sid:2014405 rev:11 (earlier revision, kept here as history; the
# same sid exists at rev 14 on this page).
# Matches an established, outbound HTTP POST where the normalised URI (pcre flag U) is exactly
# /xxx/xN_xxx/in/ -- trailing slash required here -- with "/in/" as the fast_pattern content searched in
# offset:11 depth:15 of the http_uri buffer, and where a ".ru" appears in the HTTP headers.
# The Host pcre in this revision carries only the i flag (no H buffer flag), so it is evaluated against the
# payload rather than the dedicated header buffer, and it does not allow a ":8080" port suffix.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cridex.B/Feodo Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/in/"; offset:11; depth:15; fast_pattern; http_uri; content:".ru"; http_header; pcre:"/\/\w{3}\/\w\d_\w\w\w\/in\/$/Ui"; pcre:"/Host\x3a\s[a-z]{15,19}\.ru/i"; reference:md5,7ed139b53e24e4385c4c59cd2aa0e5f7; reference:url,labs.m86security.com/2012/03/the-cridex-trojan-targets-137-financial-organizations-in-one-go/; reference:url,blog.fireeye.com/research/2010/10/feodosoff-a-new-botnet-on-the-rise.html; reference:url,about-threats.trendmicro.com/Malware.aspx?language=us&name=WORM_CRIDEX.IC; classtype:trojan-activity; sid:2014405; rev:11;)

Added 2012-03-20 17:59:15 UTC

