[Snort-sigs] Re: Possible trojan rule

Matthew Jonkman matt at ...2436...
Wed Jun 2 21:04:02 EDT 2004

Fixed version of that rule (typo), and it wouldn't match with 
uricontent, so using content and GET.

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Unknown Spyware 
siae323.exe GET"; content:"GET /siae3123,exe"; nocase; classtype: 
policy-violation; sid:2000306; rev:3;)

Also on the snort.infotex.com rules.

Matthew Jonkman wrote:

> We're finding a number of client machines infected with something. Not 
> sure what it is. The symptom is it downloads
> on a regular basis. We've grabbed the file and can't quite identify it.
> Put a signature in the bleeding ruleset to hopefully find out how far it 
> is in our networks. If anyone has more info on it I'd appreciate knowing.
> There are a few google posts, all saying how no one knows quite what it 
> is. All in the last couple weeks. Most think it's just spyware, likely 
> using an IE exploit to get in.
> I have a suspicion it may be related to 
> http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=46921&sind=0 
> Virtumonde.C
> Mostly because the name of the server these updates are on calls istels 
> updates.virtumonde.com
> The sig I'm using to track it down is:
> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BLEEDING-EDGE Unknown 
> Spyware siae323.exe GET"; uricontent:"GET /siae3123,exe"; nocase; flow
> :to_server,established; classtype: policy-violation; sid:2000306; rev:1;)
> Available in the bleeding set, http://snort.infotex.com

Matthew Jonkman, CISSP
Senior Security Engineer
765-429-0398 Direct Anytime
765-448-6847 Office
866-679-5177 24x7 NOC

NOTICE: The information contained in this email is confidential
and intended solely for the intended recipient. Any use,
distribution, transmittal or retransmittal of information
contained in this email by persons who are not intended
recipients may be a violation of law and is strictly prohibited.
If you are not the intended recipient, please contact the sender
and delete all copies.

More information about the Snort-sigs mailing list