[Snort-sigs] Banload sigs

Y M snort at ...3751...
Thu Sep 26 09:51:38 EDT 2013


The reference is in Spanish, so please excuse my bad translation of the alerts' messages. Quick and dirty signatures:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload outbound connection attempt"; flow:to_server,established; content:"/v22/mutabixa/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:100049; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload information upload attempt"; flow:to_server,established; content:"/v22/mutabixa/1nf3ct/"; http_uri; content:"chave="; distance:0; http_uri; content:"&url="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:100050; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload download attempt"; flow:to_server,established; content:".jpg"; http_uri; content:"User-Agent|3A| runddll32.exe"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:100051; rev:1;)
Any help/corrections are appreciated. Thanks.

YM
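As an added example that is not part of the original post, the following Python script evaluates the three Banload rules above (content, http_uri / http_header, distance:0, |xx| hex escapes) against a few constructed HTTP requests. It is a toy matcher, not Snort: it does no URI normalization and handles only the options these rules use. The sample requests, hostnames and values are made up for illustration. It also keeps the User-Agent content as a URI-buffer check under the name AS_POSTED_100051 to show why that content must be checked in the header buffer, not the URI buffer.

```python
"""Toy evaluator for the content/http_uri/http_header checks in the Banload rules.
Not Snort: no HTTP normalization, only the rule options these three rules use."""
import re

# Constructed sample requests (not real captures): two Banload-style hits and one benign request.
SAMPLE_REQUESTS = [
    # information upload, should trip sid 100049 and 100050
    "GET /v22/mutabixa/1nf3ct/?chave=ABC123&url=banco.example HTTP/1.1\r\n"
    "Host: c2.example\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    # payload download disguised as an image, odd User-Agent, should trip sid 100051
    "GET /img/cfg.jpg HTTP/1.1\r\nHost: c2.example\r\nUser-Agent: runddll32.exe\r\n\r\n",
    # benign
    "GET /index.html HTTP/1.1\r\nHost: www.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]

# Each rule is a list of (buffer, content, relative) triples; relative=True models "distance:0".
RULES = {
    100049: [("http_uri", "/v22/mutabixa/", False)],
    100050: [("http_uri", "/v22/mutabixa/1nf3ct/", False),
             ("http_uri", "chave=", True),
             ("http_uri", "&url=", True)],
    100051: [("http_uri", ".jpg", False),
             ("http_header", "User-Agent|3A| runddll32.exe", False)],
}

# Hypothetical variant: the User-Agent content looked up in the URI buffer, which can never match.
AS_POSTED_100051 = [("http_uri", ".jpg", False),
                    ("http_uri", "User-Agent|3A| runddll32.exe", False)]


def decode_content(pattern):
    """Expand Snort |3A| style hex escapes into literal characters."""
    def hexpart(m):
        return bytes.fromhex(m.group(1).replace(" ", "")).decode("latin-1")
    return re.sub(r"\|([0-9A-Fa-f ]+)\|", hexpart, pattern)


def parse_request(raw):
    """Split a raw request into the two buffers the rules inspect."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    _method, uri, _version = request_line.split(" ", 2)
    return {"http_uri": uri, "http_header": "\r\n".join(header_lines) + "\r\n"}


def rule_matches(contents, req):
    """All contents must match; relative ones start where the previous match in that buffer ended."""
    cursor = {}
    for buf, pattern, relative in contents:
        needle = decode_content(pattern)
        start = cursor.get(buf, 0) if relative else 0
        idx = req[buf].find(needle, start)  # case-sensitive, as no nocase is set
        if idx < 0:
            return False
        cursor[buf] = idx + len(needle)
    return True


def evaluate(raw_requests):
    """Return, per request, the sorted list of sids that fire."""
    return [sorted(sid for sid, c in RULES.items() if rule_matches(c, parse_request(r)))
            for r in raw_requests]


if __name__ == "__main__":
    for raw, sids in zip(SAMPLE_REQUESTS, evaluate(SAMPLE_REQUESTS)):
        print(raw.split("\r\n", 1)[0], "->", sids or "no alert")
    print("User-Agent checked in http_uri matches:",
          rule_matches(AS_POSTED_100051, parse_request(SAMPLE_REQUESTS[1])))
```

The toy shows the rule logic, but Snort matches http_uri against the normalized URI (percent-decoding, path compression), so a live test with a pcap through snort -c is still the only real check.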