[Snort-sigs] BLYPT sigs

James Lay jlay at ...3266...
Fri Sep 20 17:47:22 EDT 2013


Fun Friday

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer startupkey outbound traffic"; flow:to_server,established; content:"index.aspx?info=startupkey_"; http_uri; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:10000092; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer reuse outbound traffic"; flow:to_server,established; content:"index.aspx?info=reuse"; http_uri; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:10000093; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer configkey outbound traffic"; flow:to_server,established; content:"index.aspx?info=configkey"; http_uri; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:10000094; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer tserror outbound traffic"; flow:to_server,established; content:"index.aspx?info=tserror_"; http_uri; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:10000095; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer createproc outbound traffic"; flow:to_server,established; content:"index.aspx?info=createproc_"; http_uri; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:10000096; rev:1;)


James
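An offline check of the five signatures above, added here as an example; it is not part of James's post and not Snort code. It pulls msg, the http_uri content and the sid out of the posted rule text with a regex, then applies the same test Snort's http_uri content match performs on each request: a case-sensitive substring match against the normalized URI (none of the rules carry nocase). The HTTP request lines at the bottom are constructed for illustration, not captured BLYPT traffic, and the percent-decoding step is an assumption-level approximation of http_inspect's URI normalization, not a reimplementation of it.

```python
"""Offline check of the five BLYPT URI signatures.

Added example; not part of the original Snort-sigs post. Parses
msg/content/sid from the posted rules and applies the same test Snort's
http_uri content match performs: a case-sensitive substring match
(none of the rules use 'nocase') against the normalized URI.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote

# The five rules from the post (metadata and reference options dropped;
# they do not affect what the rule matches).
RULES_TEXT = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer startupkey outbound traffic"; flow:to_server,established; content:"index.aspx?info=startupkey_"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:10000092; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer reuse outbound traffic"; flow:to_server,established; content:"index.aspx?info=reuse"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:10000093; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer configkey outbound traffic"; flow:to_server,established; content:"index.aspx?info=configkey"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:10000094; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer tserror outbound traffic"; flow:to_server,established; content:"index.aspx?info=tserror_"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:10000095; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer createproc outbound traffic"; flow:to_server,established; content:"index.aspx?info=createproc_"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:10000096; rev:1;)
'''

# msg, the first content that is tagged http_uri, and sid are all we need.
RULE_RE = re.compile(
    r'msg:"(?P<msg>[^"]+)";.*?content:"(?P<content>[^"]+)";\s*http_uri;.*?sid:(?P<sid>\d+);'
)
REQUEST_LINE_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/1\.[01]$')


def parse_rules(text: str = RULES_TEXT) -> List[Dict[str, str]]:
    """Extract msg, http_uri content and sid from each rule line."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.search(line)
        if m:  # anything that does not look like a rule is skipped
            rules.append(m.groupdict())
    return rules


def normalize_uri(target: str) -> str:
    """Approximate the normalized URI buffer http_uri is matched against.

    Assumption (documented in the lead-in): undoing %xx encoding is the part
    of http_inspect normalization that matters for these substrings. Real
    normalization also folds paths, collapses slashes, and so on.
    """
    return unquote(target)


def match_request(request_line: str, rules: List[Dict[str, str]]) -> Optional[str]:
    """Return the sid of the first rule whose content occurs in the URI, else None."""
    m = REQUEST_LINE_RE.match(request_line)
    if not m:
        return None
    uri = normalize_uri(m.group('target'))
    for rule in rules:
        # Plain 'in' is the right test: no nocase on the rules, so case matters.
        if rule['content'] in uri:
            return rule['sid']
    return None


def scan(request_lines: List[str]) -> List[Optional[str]]:
    """Run each request line through the parsed rules; one sid-or-None per line."""
    rules = parse_rules()
    return [match_request(line, rules) for line in request_lines]


# Constructed request lines (not real captures). The last three show what the
# rules as written do and do not catch.
SAMPLE_REQUESTS = [
    "GET /index.aspx?info=startupkey_deadbeef HTTP/1.1",  # sid 10000092
    "GET /index.aspx?info=reuse HTTP/1.1",                # sid 10000093
    "POST /index.aspx?info=configkey HTTP/1.1",           # sid 10000094
    "GET /index.aspx?info=tserror_0x80070005 HTTP/1.1",   # sid 10000095
    "GET /index.aspx?info=createproc_notepad HTTP/1.1",   # sid 10000096
    "GET /index.aspx?info=startupkey HTTP/1.1",           # no trailing '_' -> no match
    "GET /Index.aspx?info=reuse HTTP/1.1",                # capital I -> no match (case-sensitive)
    "GET /index.aspx%3Finfo%3Dreuse HTTP/1.1",            # %-encoded, decoded before matching -> 10000093
]

if __name__ == "__main__":
    for line, sid in zip(SAMPLE_REQUESTS, scan(SAMPLE_REQUESTS)):
        print(f"{sid or '-':>9}  {line}")
```

The two negative cases are the ones worth keeping in mind when tuning: the startupkey, tserror and createproc rules require the trailing underscore, and without nocase a differently cased path segment does not fire any of the five.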
