[Snort-sigs] Win.Lyposit.Trojan

James Lay jlay at ...3266...
Mon May 20 15:13:57 EDT 2013


Anyone think a pcre relating to "The string before the equality sign is 
randomly generated for length between 1 and 5" is needed?

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Win.Lyposit.Trojan C2 Query"; content:"GET"; http_method; 
content:"|2f|ads1|2f|?"; http_uri; metadata:policy balanced-ips drop, 
policy security-ips drop, ruleset community service http; 
reference:url,https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app; 
classtype:trojan-activity; sid:10000065; rev:1;)

Danke.

James




More information about the Snort-sigs mailing list