# sid 2015976 rev 2 (2017 form): the same Vobfus check-in as the 2012 tcp rule below, ported to the HTTP
# application-layer keywords (alert http, http_method / http_uri / http_header, /U and /H pcre buffers).
# Request URI is pinned three ways to exactly "/1/?" plus one word character: urilen:5, the depth:4 http_uri
# content, and pcre "/^\/1\/\?\w$/Ui". The 4-byte "/1/?" carries fast_pattern because the User-Agent is a
# stock MSIE 7 / Windows NT 5.1 string and would not be selective on its own.
# The /H pcre is anchored at both ends ("^User-Agent ... Host\x3a ...\r\n$"), so as written it only fires when
# User-Agent is the first header and Host the last one - i.e. a two-header request.
# NOTE(review): the optional "(\x3a(443|8080|900[0-9]))?" inside the Host pattern is a no-op - the preceding
# ".+?" already consumes any ":port" - so the regex accepts any Host value. Combined with dst port "any" in
# this header, the 2017 form is no longer limited to 443/80/8080/9000-9009 the way the 2012 tcp form is;
# confirm that widening is intended rather than accidental.
# NOTE(review): this body differs from the 2012 revision on this page yet keeps sid:2015976; rev:2 and
# updated_at 2012_12_03. A sensor that keys rule changes on sid/rev may not reload the rewrite; check the
# rev against the upstream ruleset before deploying both versions.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN WORM_VOBFUS Checkin Generic"; flow:established,to_server; content:"GET"; http_method; urilen:5; content:"/1/?"; http_uri; fast_pattern; depth:4; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; http_header; pcre:"/^\/1\/\?\w$/Ui"; pcre:"/^User-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a .+?(\x3a(443|8080|900[0-9]))?\x0d\x0a$/Hi"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:trojan-activity; sid:2015976; rev:2; metadata:created_at 2012_12_03, updated_at 2012_12_03;)

Added 2017-08-07 21:09:37 UTC


# sid 2015976 rev 2 (2012 form): raw tcp-payload version of the Vobfus check-in, usable on engines without
# HTTP keywords. Port selection is done entirely by the header's dst list [443,80,8080,9000:9009].
# Request line is pinned byte by byte: "GET " at offset 0 (depth:4), "/1/?" immediately after it (within:4,
# no distance), then a single skipped byte and " HTTP" (distance:1; within:5). The pcre restates this
# exactly as "GET /1/?<word> HTTP/1.1", then requires User-Agent as the first header and Host as the last
# header ending the request ("\r\n\r\n$").
# NOTE(review): the "(\x3a(443|8080|900[0-9]))?" group after "Host\x3a .+?" is a no-op - ".+?" already
# consumes any ":port" - so it neither restricts nor extends matching (the fact that 80 is in the port list
# but absent from the group is therefore harmless). If a Host-port restriction is actually wanted, the value
# part has to exclude ":" explicitly, e.g. "[^\x3a\r\n]+"; that is a detection change and needs the sample
# (md5 f127ed76...) to validate, so it is flagged here rather than applied.
# NOTE(review): as a plain tcp content rule this matches only cleartext HTTP; a check-in over TLS on 443
# carries no "GET " in the payload and is not covered by this signature.
# NOTE(review): the 2017 revision on this page reuses sid:2015976 rev:2 with a different body; see that
# rule's metadata before loading both.
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Checkin Generic"; flow:established,to_server; content:"GET "; depth:4; content:"/1/?"; within:4; fast_pattern; content:" HTTP"; distance:1; within:5; content:"Mozilla/4.0 (compatible|3b| MSIE 7.0|3b| Windows NT 5.1|3b| SV1)|0d 0a|"; pcre:"/GET \/1\/\?\w HTTP\/1\.1\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a .+?(\x3a(443|8080|900[0-9]))?\x0d\x0a\x0d\x0a$/i"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:trojan-activity; sid:2015976; rev:2;)

Added 2012-12-03 21:50:52 UTC

