alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007771; classtype:trojan-activity; sid:2007771; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_21;)
Added 2020-04-21 19:23:58 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007771; classtype:trojan-activity; sid:2007771; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2018-09-13 19:39:25 UTC
Added 2018-09-13 17:53:36 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007771; classtype:trojan-activity; sid:2007771; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;)
Added 2017-08-07 21:01:01 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007771; classtype:trojan-activity; sid:2007771; rev:9;)
Added 2011-10-12 19:23:49 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; sid:2007771; rev:9;)
Added 2011-09-14 22:37:18 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:9;)
Added 2011-02-04 17:26:52 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:8;)
Added 2009-07-12 17:00:36 UTC
sample:
GET /40e800142020202057202d4443574d414c393635393438366c0000003c66000000007600000002 HTTP/1.0
from this reference:
http://www.secureworks.com/research/threats/pushdo/
--
RussellFulton - 16 Jul 2009
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:8;)
Added 2009-07-12 17:00:36 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:7;)
Added 2009-02-13 19:30:23 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:7;)
Added 2009-02-13 19:30:23 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; sid:2007771; rev:6;)
Added 2008-07-08 15:24:40 UTC
sample (unconfirmed but we have seen these from several machines that turned out to be infected with something):
GET /40E800142020202020202020202020204C3931534B5032516C0000007366000000007600000642EB000530A0185080 HTTP/1.0....
--
RussellFulton - 18 Dec 2008
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; sid:2007771; rev:6;)
Added 2008-07-08 15:24:40 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; classtype:trojan-activity; sid:2007771; rev:5;)
Added 2008-05-19 15:02:10 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"202020"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:4;)
Added 2008-02-08 14:12:47 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:3;)
Added 2008-01-31 10:12:23 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:2;)
Added 2008-01-30 10:45:07 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:2;)
Added 2008-01-30 10:45:07 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:1;)
Added 2008-01-21 11:03:29 UTC
Seeing urls like so:
| 601392bea264054d2a5b02ef79a8d4ab | GET hxxp://75.125.207.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002
| 8a2280ae500da644c8be23c624d74844 | GET hxxp://208.66.194.xx/40e8001448333053305035362020202020202020202020206c0000005866000000017600000002
| 601392bea264054d2a5b02ef79a8d4ab | GET hxxp://75.125.207.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002
| 43dfb2e9ef3b03b32a93ad473641b12f | GET hxxp://208.66.195.xx/40E8001448333053305035362020202020202020202020206C0000003C66000000017600000004
| 62fb75d97a68da3e569699fc89d14422 | GET hxxp://208.66.195.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002
| e5ef616806ac5dee6c274c645ea1bf5d | GET hxxp://208.66.195.xx/40e800154d51303030302031202020202020202020202020036c0000003c66000000007600000002
--
MattJonkman - 21 Jan 2008