EmergingThreats > Main Web > 2006374 (2007-07-06, MattJonkman)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Downloader.Win32.Agent.bwr"; flow:established,to_server; uricontent:"?m="; nocase; uricontent:"&a="; nocase; uricontent:"&hdd="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; sid:2006374; rev:1;)
Added 2007-07-06 14:11:25 UTC
URLs like this are being seen in the sandnet:
http://66.246.252.213/s_55_3232235808?m=3&a=1&hdd=4457572d3454363830303335313520302020202003&os=940000000500000001000000280a00000200000053657276696365205061636b2032
Content is just hex. This sig should get it.
-- MattJonkman - 06 Jul 2007
Please enter documentation, comments, false positives, or concerns with this signature. Press the Attach button below to add samples or Pcaps.
Topic revision: r2 - 2007-07-06 - MattJonkman
Copyright © Emerging Threats