[Snort-sigs] Win32.OnlineGameHack sig

James Lay jlay at ...3266...
Wed Jun 19 11:24:09 EDT 2013


AHNLabs..good stuff:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Trojan.Win32.OnlineGameHack outbound connection"; 
flow:to_server,established; content:"/get.asp?mac="; http_uri; 
content:"&os="; within:36; http_uri; metadata:policy balanced-ips drop, 
policy security-ips drop, service http; 
reference:url,http://image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39_Eng.pdf; 
classtype:trojan-activity; sid:10000080; rev:1;)

Has some similarities to 19573...wondering if 23312 will catch the exe 
with the JFIF headers.

James




More information about the Snort-sigs mailing list