EmergingThreats> Main Web>2007771 (revision 3)EditAttach

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; sid:2007771; rev:6;)

Added 2008-07-08 15:24:40 UTC

sample (unconfirmed but we have seen these from several machines that turned out to be infected with something):

GET /40E800142020202020202020202020204C3931534B5032516C0000007366000000007600000642EB000530A0185080 HTTP/1.0....

-- RussellFulton - 18 Dec 2008


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; nocase; classtype:trojan-activity; sid:2007771; rev:6;)

Added 2008-07-08 15:24:40 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; classtype:trojan-activity; sid:2007771; rev:5;)

Added 2008-05-19 15:02:10 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"/40E800"; nocase; uricontent:"C00000"; classtype:trojan-activity; sid:2007771; rev:5;)

Added 2008-05-19 15:02:10 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"202020"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:4;)

Added 2008-02-08 14:12:47 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"202020"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:4;)

Added 2008-02-08 14:12:47 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:3;)

Added 2008-01-31 10:12:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:3;)

Added 2008-01-31 10:12:23 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:2;)

Added 2008-01-30 10:45:07 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; nocase; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:2;)

Added 2008-01-30 10:45:07 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN Pakes/Cutwall/Kobcka Update URL Detected"; flow:established,to_server; uricontent:"40e800"; uricontent:"2020202020202020202"; uricontent:"c00000"; nocase; classtype:trojan-activity; sid:2007771; rev:1;)

Added 2008-01-21 11:03:29 UTC

Seeing urls like so:

| 601392bea264054d2a5b02ef79a8d4ab | GET hxxp://75.125.207.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002 | 8a2280ae500da644c8be23c624d74844 | GET hxxp://208.66.194.xx/40e8001448333053305035362020202020202020202020206c0000005866000000017600000002 | 601392bea264054d2a5b02ef79a8d4ab | GET hxxp://75.125.207.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002 | 43dfb2e9ef3b03b32a93ad473641b12f | GET hxxp://208.66.195.xx/40E8001448333053305035362020202020202020202020206C0000003C66000000017600000004 | 62fb75d97a68da3e569699fc89d14422 | GET hxxp://208.66.195.xx/40e8001448333053305035362020202020202020202020206c0000003c66000000007600000002 | e5ef616806ac5dee6c274c645ea1bf5d | GET hxxp://208.66.195.xx/40e800154d51303030302031202020202020202020202020036c0000003c66000000007600000002

-- MattJonkman - 21 Jan 2008


Edit | Attach | Print version | History: r5 < r4 < r3 < r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions...
Topic revision: r3 - 2008-12-18 - RussellFulton
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats