[Snort-sigs] Zbot/Simda sig

Y M snort at ...3751...
Thu Oct 10 11:25:01 EDT 2013

I was looking at a specific capture triggered by several alerts of sid:26369. Along the packets there were three attempts made to download an executable file "calc.exe". The download was prevented, however, I downloaded the file and came up with the below rule. VT results are mostly mixed between Zbot, Simda, and Kazy.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot/Simda outbound connection attempt"; flow:to_server,established; content:"/?"; http_uri; content:"|25|96|25|CB|25|D5|25|A8|25|A7|25|"; http_raw_uri; pcre:"/\/\?[0-9A-Za-z]=%/I"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/80ea92e508eefa5722870c6ca48a6a1086180c754dd83cf4ebd28bf3918c2392/analysis/; sid:100065; rev:1;)
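As an added illustration (not part of the original post), the following Python decodes the rule's `|25|...|` content into the literal text it matches and replays the rule's three URI checks over a few constructed request lines. It also shows why the `%`-encoded content belongs on the raw URI buffer: once Snort's http_inspect percent-decodes the URI for `http_uri`, the `%` characters are gone. The request lines and the percent-decoding helper are assumptions for this example, not data from the capture.

```python
import re
from urllib.parse import unquote_to_bytes


def snort_content_bytes(spec: str) -> bytes:
    """Decode Snort content syntax: text outside |...| is literal, text inside is hex.

    "|25|96|25|CB|" therefore means '%', then the two ASCII letters "96",
    then '%', then "CB" -- i.e. the percent-encoded text "%96%CB", not the
    bytes 0x96 0xCB.
    """
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")   # literal text
        else:
            out += bytes.fromhex(chunk)      # hex bytes
    return bytes(out)


# Raw-URI content from the posted rule.
RAW_URI_CONTENT = snort_content_bytes("|25|96|25|CB|25|D5|25|A8|25|A7|25|")

# Equivalent of pcre:"/\/\?[0-9A-Za-z]=%/I": "/?", one alphanumeric key, "=%".
URI_PCRE = re.compile(rb"/\?[0-9A-Za-z]=%")


def raw_uri(request_line: bytes) -> bytes:
    """Return the request-target of an HTTP request line, untouched."""
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("not an HTTP request line")
    return parts[1]


def normalized_uri(uri: bytes) -> bytes:
    """Approximation (assumption) of Snort's http_uri buffer: percent-decoded URI.

    Real http_inspect normalisation does more (path and case handling), but
    percent-decoding alone shows why "%96%CB..." cannot be matched there.
    """
    return unquote_to_bytes(uri)


def rule_matches(request_line: bytes) -> bool:
    """Apply the posted rule's three URI options to one request line."""
    raw = raw_uri(request_line)
    norm = normalized_uri(raw)
    # content:"/?"; http_uri;   -> normalised URI buffer
    if b"/?" not in norm:
        return False
    # content:"|25|96|25|CB|...|"; http_raw_uri;   -> raw URI buffer
    if RAW_URI_CONTENT not in raw:
        return False
    # pcre with the I modifier  -> raw URI buffer
    return URI_PCRE.search(raw) is not None


def content_in_buffers(uri: bytes) -> dict:
    """Report whether the %-encoded content is visible in each buffer."""
    return {
        "raw": RAW_URI_CONTENT in uri,
        "normalized": RAW_URI_CONTENT in normalized_uri(uri),
    }


# Constructed sample request lines (assumptions for this example, not from the capture).
SAMPLES = {
    "beacon": b"GET /?a=%96%CB%D5%A8%A7%C4%1A HTTP/1.1",
    "beacon_other_key": b"GET /?Z=%96%CB%D5%A8%A7%C4%1A HTTP/1.1",
    "benign_query": b"GET /?q=hello%20world HTTP/1.1",
    # Two-character key: the raw content is present but the pcre's single
    # [0-9A-Za-z] before "=" does not match, so the rule stays quiet.
    "long_key": b"GET /?ab=%96%CB%D5%A8%A7%C4 HTTP/1.1",
    "no_query": b"GET /index.html HTTP/1.1",
}


def classify_samples() -> dict:
    """Run every sample through rule_matches() and return name -> verdict."""
    return {name: rule_matches(line) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:18s} {'ALERT' if hit else '-'}")
    print("content visible in:", content_in_buffers(raw_uri(SAMPLES["beacon"])))
```

Running the block shows that the raw buffer is the only place the `%96%CB%D5%A8%A7%` text survives, and that the single-character `[0-9A-Za-z]` in the pcre limits the rule to one-letter query keys; widen that class deliberately if the samples you have use longer keys.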