[Snort-sigs] Akak trojan signatures

Joe Stewart jstewart at ...5...
Tue Aug 31 07:22:02 EDT 2004

New trojan being spread via IE drag-n-drop. Not real prevalent right 
now, but in case you want to be on the lookout for it:

alert tcp any any -> any 4321 (msg:"Akak trojan protocol hello"; 
content:"|89 13 00 00|"; dsize:4; flow:established,to_server; 
reference:url,www.lurhq.com/akak.html; classtype:trojan-activity; 
sid:1000120; rev:1;) 

alert tcp $HOME_NET 4321 -> $EXTERNAL_NET any (msg:"Akak trojan protocol 
response from infected host"; content:"|6f 17 00 00|"; dsize:4; 
flow:established,to_client; reference:url,www.lurhq.com/akak.html; 
classtype:trojan-activity; sid:1000121; rev:1;)


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/

More information about the Snort-sigs mailing list