alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007771; classtype:trojan-activity; sid:2007771; rev:10; metadata:created_at 2010_07_30, updated_at 2020_04_21;) Added 2020-04-21 19:23:58 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007771; classtype:trojan-activity; sid:2007771; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) Added 2018-09-13 19:39:25 UTC
Added 2018-09-13 17:53:36 UTC
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007771; classtype:trojan-activity; sid:2007771; rev:10; metadata:created_at 2010_07_30, updated_at 2010_07_30;) Added 2017-08-07 21:01:01 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; reference:url,doc.emergingthreats.net/2007771; classtype:trojan-activity; sid:2007771; rev:9;) Added 2011-10-12 19:23:49 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; sid:2007771; rev:9;) Added 2011-09-14 22:37:18 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; content:"/40E800"; nocase; http_uri; content:"C00000"; nocase; http_uri; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:9;) Added 2011-02-04 17:26:52 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:8;) Added 2009-07-12 17:00:36 UTC sample: GET /40e800142020202057202d4443574d414c393635393438366c0000003c66000000007600000002 HTTP/1.0 from this reference: http://www.secureworks.com/research/threats/pushdo/ -- RussellFulton - 16 Jul 2009
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushdo Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:8;) Added 2009-07-12 17:00:36 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:7;) Added 2009-02-13 19:30:23 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Pakes; sid:2007771; rev:7;) Added 2009-02-13 19:30:23 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; sid:2007771; rev:6;) Added 2008-07-08 15:24:40 UTC sample (unconfirmed but we have seen these from several machines that turned out to be infected with something): GET /40E800142020202020202020202020204C3931534B5032516C0000007366000000007600000642EB000530A0185080 HTTP/1.0.... -- RussellFulton - 18 Dec 2008
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; sid:2007771; rev:6;) Added 2008-07-08 15:24:40 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; classtype:trojan-activity; sid:2007771; rev:5;) Added 2008-05-19 15:02:10 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"202020"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:4;) Added 2008-02-08 14:12:47 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:3;) Added 2008-01-31 10:12:23 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:2;) Added 2008-01-30 10:45:07 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:2;) Added 2008-01-30 10:45:07 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:1;) Added 2008-01-21 11:03:29 UTC Seeing urls like so: | 601392bea264054d2a5b02ef79a8d4ab | GET hxxp://75.125.207.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002 | 8a2280ae500da644c8be23c624d74844 | GET hxxp://208.66.194.xx/40e8001448333053305035362020202020202020202020206c0000005866000000017600000002 | 601392bea264054d2a5b02ef79a8d4ab | GET hxxp://75.125.207.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002 | 43dfb2e9ef3b03b32a93ad473641b12f | GET hxxp://208.66.195.xx/40E8001448333053305035362020202020202020202020206C0000003C66000000017600000004 | 62fb75d97a68da3e569699fc89d14422 | GET hxxp://208.66.195.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002 | e5ef616806ac5dee6c274c645ea1bf5d | GET hxxp://208.66.195.xx/40e800154d51303030302031202020202020202020202020036c0000003c66000000007600000002 -- MattJonkman - 21 Jan 2008
Topic revision: r5 - 2009-07-16 - RussellFulton
Main Web
Create New Topic
Index
Search
Changes
Preferences- User Reference
- ATasteOfTWiki
- TextFormattingRules
- Signature Reference
- WebRss Feed
- EmergingFAQ
 |
|
Copyright © Emerging Threats