[Snort-sigs] Zbot variant sigs

Joel Esler jesler at ...435...
Fri Oct 11 14:21:56 EDT 2013

On Oct 10, 2013, at 4:43 AM, Y M <snort at ...3751...> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Zbot variant malware potential download from phishing attack"; content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; file_data; content:"swift_copy.exe"; metadata: policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/27e6f24e8ddfd5137a08c527c0e9b8b47d81303cbaa4e4fee4586699a31640f4/analysis/1381340916/; classtype:trojan-activity; sid:100060; rev:1;)

That shouldn’t work: you have an outbound rule, but you are looking for the file being downloaded in the return (file_data; content:"swift_copy.exe").

Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
AEGIS Intelligence Lead
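The split Joel describes, written out as an added example (this is not code from the original post or from the VRT/community ruleset): file_data selects the HTTP response body, which only exists in the server-to-client direction, so the request and the response have to be inspected by two separate rules pointing in opposite directions. The flowbit name, the "request"/"response" suffixes on the msg strings, and the sid/rev values are assumptions made here for illustration; the URI, filename and VirusTotal reference are the ones from the post.

```snort
# Request side: the client asks the server for the ZIP, so this is
# client -> server traffic and the URI is the right thing to inspect.
# The flowbit records that the request was seen so the response rule
# can tie the two halves of the same session together.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Zbot variant malware potential download from phishing attack - request"; flow:to_server,established; content:"/image/swift_copy.zip"; fast_pattern:only; http_uri; flowbits:set,zbot.swift_copy.requested; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/27e6f24e8ddfd5137a08c527c0e9b8b47d81303cbaa4e4fee4586699a31640f4/analysis/1381340916/; classtype:trojan-activity; sid:100060; rev:2;)

# Response side: the ZIP body comes back from the server, so the rule
# must be server -> client with flow:to_client. file_data moves the
# match to the HTTP response body; a ZIP stores its member names in
# the clear, so the embedded "swift_copy.exe" is visible there.
# flowbits:isset means this only fires when the request above was seen
# on the same flow, which keeps the content match from firing on
# unrelated archives that happen to contain a file of that name.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Zbot variant malware potential download from phishing attack - response"; flow:to_client,established; flowbits:isset,zbot.swift_copy.requested; file_data; content:"swift_copy.exe"; fast_pattern; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/27e6f24e8ddfd5137a08c527c0e9b8b47d81303cbaa4e4fee4586699a31640f4/analysis/1381340916/; classtype:trojan-activity; sid:100061; rev:1;)
```

Two things to check before relying on the response rule: the sids are kept close to the post only for readability, and local rules normally use sid:1000000 and above to stay out of the range reserved for distributed rulesets; and if the server compresses the response, file_data only sees the decompressed ZIP when http_inspect has inspect_gzip enabled, which in turn requires extended_response_inspection in the http_inspect_server configuration.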