[Snort-sigs] BLYPT sigs

Joel Esler jesler at ...435...
Sat Sep 21 21:57:47 EDT 2013


Thanks James. 


--
Joel Esler
Sent from my iPad

> On Sep 20, 2013, at 5:47 PM, James Lay <jlay at ...3266...> wrote:
> 
> Fun Friday
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> BLYPT installer startupkey outbound traffic"; flow:to_server, 
> established; content:"index.aspx?info=startupkey_"; http_uri; 
> fast_pattern:only; metadata:policy balanced-ips drop, policy 
> security-ips drop, service http; 
> reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; 
> classtype:trojan-activity; sid:10000092; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> BLYPT installer reuse outbound traffic"; flow:to_server, established; 
> content:"index.aspx?info=reuse"; http_uri; fast_pattern:only; 
> metadata:policy balanced-ips drop, policy security-ips drop, service 
> http; 
> reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; 
> classtype:trojan-activity; sid:10000093; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> BLYPT installer configkey outbound traffic"; flow:to_server, 
> established; content:"index.aspx?info=configkey"; http_uri; 
> fast_pattern:only; metadata:policy balanced-ips drop, policy 
> security-ips drop, service http; 
> reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; 
> classtype:trojan-activity; sid:10000094; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> BLYPT installer tserror outbound traffic"; flow:to_server, established; 
> content:"index.aspx?info=tserror_"; http_uri; fast_pattern:only; 
> metadata:policy balanced-ips drop, policy security-ips drop, service 
> http; 
> reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; 
> classtype:trojan-activity; sid:10000095; rev:1;)
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> BLYPT installer createproc outbound traffic"; flow:to_server, 
> established; content:"index.aspx?info=createproc_"; http_uri; 
> fast_pattern:only; metadata:policy balanced-ips drop, policy 
> security-ips drop, service http; 
> reference:url,http://blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; 
> classtype:trojan-activity; sid:10000096; rev:1;)
> 
> 
> James
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
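To show how the five rules above behave against actual request traffic, here is an added example (written for this page, not code from the post, from James Lay, or from Snort itself). It parses the rule bodies for their `content`/`http_uri` strings and `sid`, then checks constructed HTTP requests against them. The request lines, host names and the treatment of Snort's normalised URI buffer as simple percent-decoding are all assumptions of this model; real Snort does much more (flow tracking, fast_pattern selection, full HTTP normalisation), but the matching logic shown is what decides whether each sid fires.

```python
"""Minimal model of the BLYPT rules' http_uri content matches.

Added illustration for the mailing-list post above; not Snort and not the
poster's code.  Sample requests below are constructed for the example."""
import re
from urllib.parse import unquote

# The five rule bodies from the post.  The metadata and reference options are
# left out because this model does not use them.
BLYPT_RULES = """
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer startupkey outbound traffic"; flow:to_server,established; content:"index.aspx?info=startupkey_"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:10000092; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer reuse outbound traffic"; flow:to_server,established; content:"index.aspx?info=reuse"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:10000093; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer configkey outbound traffic"; flow:to_server,established; content:"index.aspx?info=configkey"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:10000094; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer tserror outbound traffic"; flow:to_server,established; content:"index.aspx?info=tserror_"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:10000095; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer createproc outbound traffic"; flow:to_server,established; content:"index.aspx?info=createproc_"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:10000096; rev:1;)
"""

# One rule option: a name, an optional ':' value (quoted or bare), then ';'.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(line):
    """Return {'sid', 'msg', 'uri_contents'} for one rule line.

    Only content options that are followed by the http_uri modifier are
    collected, since those are the ones checked against the URI buffer."""
    body = line[line.index('(') + 1:line.rindex(')')]
    rule = {'sid': None, 'msg': None, 'uri_contents': []}
    pending = None  # last content value, until we see which buffer it modifies
    for name, value in OPTION_RE.findall(body):
        if value.startswith('"'):
            value = value[1:-1]
        if name == 'content':
            pending = value
        elif name == 'http_uri' and pending is not None:
            rule['uri_contents'].append(pending)
            pending = None
        elif name == 'msg':
            rule['msg'] = value
        elif name == 'sid':
            rule['sid'] = int(value)
    return rule


def load_rules(text=BLYPT_RULES):
    """Parse every 'alert' line in the rule text."""
    return [parse_rule(l) for l in text.strip().splitlines() if l.startswith('alert')]


def request_uri(raw_request):
    """Extract the request-target from an HTTP request and percent-decode it.

    This stands in for Snort's normalised URI buffer (assumption: the only
    normalisation that matters for these rules is percent-decoding)."""
    request_line = raw_request.split('\r\n', 1)[0]
    parts = request_line.split(' ')
    if len(parts) != 3 or not parts[2].startswith('HTTP/'):
        raise ValueError('not an HTTP request line: %r' % request_line)
    return unquote(parts[1])


def matching_sids(raw_request, rules=None):
    """Return the sids of every rule whose http_uri content strings all occur
    in the request URI.  Matching is case-sensitive because the rules do not
    use the nocase modifier."""
    rules = load_rules() if rules is None else rules
    uri = request_uri(raw_request)
    return [r['sid'] for r in rules
            if r['uri_contents'] and all(c in uri for c in r['uri_contents'])]


# Constructed sample requests (host names and parameter values are made up).
SAMPLE_REQUESTS = [
    "GET /index.aspx?info=startupkey_ABC HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "GET /index.aspx?info=startupkey%5FABC HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "GET /index.aspx?info=Startupkey_ABC HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "GET /index.aspx?info=reuse HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
]

if __name__ == '__main__':
    rules = load_rules()
    for req in SAMPLE_REQUESTS:
        print(req.split('\r\n', 1)[0], '->', matching_sids(req, rules))
```

The second and third samples are the edge cases worth keeping in mind when reviewing rules like these: a percent-encoded underscore still fires sid 10000092 because the URI buffer is normalised before the content check, while a capitalised `Startupkey_` does not fire at all because `content` without `nocase` is an exact byte match.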



