[Snort-sigs] Zbot/Simda sig

Y M snort at ...3751...
Thu Oct 10 15:08:50 EDT 2013

adding pcaps.

From: snort at ...3751...
To: snort-sigs at lists.sourceforge.net
Date: Thu, 10 Oct 2013 15:25:01 +0000
Subject: [Snort-sigs] Zbot/Simda sig

I was looking at a specific capture triggered by several alerts of sid:26369. Along the packets there were three attempts made to download an executable file "calc.exe". The download was prevented; however, I downloaded the file and came up with the below rule. VT results are mostly mixed between Zbot, Simda, and Kazy.
# fast_pattern and http_uri are content modifiers and belong with a content keyword, not after pcre.
# The pcre uses \? for a literal "?" and the I modifier (raw URI) so "=%" is matched before URI
# normalization decodes the %XX sequences; the hex content is on http_raw_uri for the same reason.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot/Simda outbound connection attempt"; flow:to_server,established; content:"/?"; http_uri; fast_pattern; pcre:"/\/\?[0-9A-Za-z]=%/I"; content:"|25|96|25|CB|25|D5|25|A8|25|A7|25|"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/80ea92e508eefa5722870c6ca48a6a1086180c754dd83cf4ebd28bf3918c2392/analysis/; sid:100065; rev:1;)
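To check the logic of a rule like the one above before loading it, it helps to run its three conditions over sample request lines and to see which buffer each condition has to look at. The script below is an added example, not part of the post or of Snort; the request lines are constructed, and Snort's URI normalization is approximated by percent-decoding only (an assumption; http_inspect also normalizes slashes, dots and more). The second checker shows why the pcre must be bound to the raw URI: once %XX is decoded, the literal "=%" the pattern looks for is gone.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines for this example (not taken from the attached pcap).
SAMPLE_REQUESTS = [
    b"GET /?a=%96%CB%D5%A8%A7%B1%9E HTTP/1.1",  # shaped like the beacon the rule targets
    b"GET /?q=search%20term HTTP/1.1",         # ordinary query string with %XX encoding
    b"GET /index.html HTTP/1.1",               # no query string at all
    b"GET /?ab=%96%CB%D5%A8%A7% HTTP/1.1",     # two-character key: the pcre allows exactly one
]

# content:"|25|96|25|CB|25|D5|25|A8|25|A7|25|"; http_raw_uri  -> this literal text
RAW_MARKER = "%96%CB%D5%A8%A7%"
# pcre:"/\/\?[0-9A-Za-z]=%/I"  -> "/?", one alphanumeric key, then "=%"
KEY_RE = re.compile(r"/\?[0-9A-Za-z]=%")


def uri_from_request_line(line: bytes) -> str:
    """Pull the request-target out of 'METHOD target HTTP/x.y'."""
    parts = line.split(b" ")
    if len(parts) != 3:
        raise ValueError(f"not an HTTP request line: {line!r}")
    return parts[1].decode("ascii")


def normalize_uri(raw_uri: str) -> str:
    """Stand-in for the http_inspect normalized buffer (http_uri / pcre U).

    Assumption for this example: %XX decoding is the relevant transform.
    latin-1 keeps every decoded byte as one character, as the sensor would."""
    return unquote(raw_uri, encoding="latin-1")


def rule_matches(raw_uri: str) -> bool:
    """The three conditions of the corrected rule, each on its own buffer."""
    normalized = normalize_uri(raw_uri)
    has_query_marker = "/?" in normalized                 # content:"/?"; http_uri
    has_key_pattern = KEY_RE.search(raw_uri) is not None  # pcre ... /I  (raw buffer)
    has_raw_marker = RAW_MARKER in raw_uri                # content ...; http_raw_uri
    return has_query_marker and has_key_pattern and has_raw_marker


def pcre_on_normalized_buffer(raw_uri: str) -> bool:
    """What the same pcre sees on the normalized buffer (the U modifier):
    after decoding, the '%' following '=' is a raw byte, so the match fails."""
    return KEY_RE.search(normalize_uri(raw_uri)) is not None


def matching_requests(requests=SAMPLE_REQUESTS):
    """Return the constructed request lines the corrected rule would alert on."""
    return [line for line in requests if rule_matches(uri_from_request_line(line))]


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        uri = uri_from_request_line(line)
        print(f"{uri!r:40} rule={rule_matches(uri)} "
              f"pcre_on_normalized={pcre_on_normalized_buffer(uri)}")
```

Only the first constructed request satisfies all three conditions; the fourth carries the hex marker but fails the single-character key constraint of the pcre, which is the kind of false negative worth knowing about before deploying the rule in drop mode.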

Attachment: zbot_simda_http.pcap (application/octet-stream, 6737 bytes)
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20131010/12b3d9c3/attachment.obj>
