[Snort-sigs] Banload sigs

Joel Esler jesler at ...435...
Sun Sep 29 09:09:55 EDT 2013


Thanks Yaser

Sent from my iPhone

> On Sep 26, 2013, at 9:51 AM, Y M <snort at ...3751...> wrote:
> 
> The reference is in Spanish, so mind not my bad translation of the alerts' msgs. Quick and dirty signature:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload outbound connection attempt"; flow:to_server,established; content:"/v22/mutabixa/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:100049; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload information upload attempt"; flow:to_server,established; content:"/v22/mutabixa/1nf3ct/"; http_uri; content:"chave="; distance:0; http_uri; content:"&url="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:100050; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload download attempt"; flow:to_server,established; content:".jpg"; http_uri; content:"User-Agent|3A| runddll32.exe"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:100051; rev:1;)
> 
> Any help/corrections are appreciated. Thanks.
> YM
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
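Added example, not part of the mailing-list post or of Snort: a small Python emulation of the http_uri and http_header inspection buffers that runs the content conditions of the three signatures above over constructed HTTP requests. It ignores flow, fast_pattern and sid ranges, and includes sid 100051 with its User-Agent content placed in http_uri and in http_header, to show that only the header buffer can ever match a User-Agent value; the request bodies and hostnames are constructed, not captured traffic.

```python
def split_request(raw: bytes):
    """Split a raw HTTP request into (uri, headers) buffers, roughly as
    Snort's http_uri and http_header buffers would see them."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return uri, headers

def ordered_match(buf: bytes, patterns) -> bool:
    """Emulate consecutive content:"..."; distance:0; matches in one buffer:
    each pattern must be found after the end of the previous match."""
    pos = 0
    for pat in patterns:
        idx = buf.find(pat, pos)
        if idx < 0:
            return False
        pos = idx + len(pat)
    return True

# Content conditions of sids 100049-100051, keyed by the buffer they inspect.
# |3A| in the posted rule is the hex escape for ':'. The two 100051 variants
# differ only in which buffer the User-Agent content is matched against.
RULES = {
    "100049": [("uri", [b"/v22/mutabixa/"])],
    "100050": [("uri", [b"/v22/mutabixa/1nf3ct/", b"chave=", b"&url="])],
    "100051-ua-in-http_uri": [("uri", [b".jpg"]),
                              ("uri", [b"User-Agent: runddll32.exe"])],
    "100051-ua-in-http_header": [("uri", [b".jpg"]),
                                 ("header", [b"User-Agent: runddll32.exe"])],
}

def matching_rules(raw: bytes):
    """Return the sorted names of all rules whose content conditions hold."""
    uri, headers = split_request(raw)
    bufs = {"uri": uri, "header": headers}
    return sorted(name for name, conds in RULES.items()
                  if all(ordered_match(bufs[b], pats) for b, pats in conds))

# Constructed sample requests (hypothetical, not captured traffic).
CHECKIN = b"GET /v22/mutabixa/ HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
UPLOAD = (b"POST /v22/mutabixa/1nf3ct/?chave=abc&url=bank HTTP/1.1\r\n"
          b"Host: example.invalid\r\n\r\n")
DOWNLOAD = (b"GET /img/a.jpg HTTP/1.1\r\nHost: example.invalid\r\n"
            b"User-Agent: runddll32.exe\r\n\r\n")

if __name__ == "__main__":
    for name, req in (("checkin", CHECKIN), ("upload", UPLOAD), ("download", DOWNLOAD)):
        print(name, matching_rules(req))
```

Note that the upload request also satisfies sid 100049, since its URI contains the shorter "/v22/mutabixa/" prefix; that overlap is expected with these two rules.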