EmergingThreats> Main Web>2007771 (revision 2)EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:1;)

Added 2008-01-21 11:03:29 UTC

Seeing urls like so:

| 601392bea264054d2a5b02ef79a8d4ab | GET hxxp://75.125.207.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002 | 8a2280ae500da644c8be23c624d74844 | GET hxxp://208.66.194.xx/40e8001448333053305035362020202020202020202020206c0000005866000000017600000002 | 601392bea264054d2a5b02ef79a8d4ab | GET hxxp://75.125.207.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002 | 43dfb2e9ef3b03b32a93ad473641b12f | GET hxxp://208.66.195.xx/40E8001448333053305035362020202020202020202020206C0000003C66000000017600000004 | 62fb75d97a68da3e569699fc89d14422 | GET hxxp://208.66.195.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002 | e5ef616806ac5dee6c274c645ea1bf5d | GET hxxp://208.66.195.xx/40e800154d51303030302031202020202020202020202020036c0000003c66000000007600000002

-- MattJonkman - 21 Jan 2008


Edit | Attach | Print version | History: r5 < r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r2 - 2008-01-21 - MattJonkman
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats