[Snort-sigs] New rule offered for detecting Gameover a new ZeuS variant over smtp

rmkml rmkml at ...174...
Wed Feb 12 15:59:53 EST 2014


A new ZeuS variant, known as Gameover, sends messages with a .zip containing an .enc file.

Please check if it's interesting:

alert tcp any any -> any 25 (msg:"SMTP Zip file contains Encrypted (.enc) possible GameOver ZeuS variant attempt";
flow:to_server,established; content:".zip"; pcre:"/^[\'\"]*\s*\r?\n/R";
file_data; content:"PK|03 04|"; within:4; distance:0; content:".enc"; within:50; distance:26; pcre:"/^PK\x03\x04.{26}[a-zA-Z0-9\-\_]+\.enc/s";
classtype:attempted-user; sid:1; rev:1;)

Please check all variables before use.

All comments/feedback are welcome.
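An added example, not code from the original post: a Python re-implementation of the rule's file_data checks, run against a zip built with the zipfile module, to confirm that distance:26 lines up with the 30-byte zip local file header and to show two inputs the rule as written does not flag (a member name long enough to push ".enc" past the 50-byte window, and a member stored under a directory path, which the pcre character class does not allow). The sample archives are constructed here; the match logic assumes the attachment has already been base64-decoded, as Snort's SMTP preprocessor does before file_data is evaluated.

```python
"""Check the byte arithmetic of the GameOver ZeuS .enc rule above (constructed test data)."""
import io
import re
import zipfile

# Same expression as the rule's second pcre; /s so '.' also spans header bytes.
ENC_RE = re.compile(rb"^PK\x03\x04.{26}[a-zA-Z0-9\-\_]+\.enc", re.S)


def build_zip(member_name: str, payload: bytes = b"constructed sample") -> bytes:
    """Build an in-memory zip holding one member (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def rule_matches(file_data: bytes) -> bool:
    """Emulate the rule's file_data checks on a decoded attachment body.

    content:"PK|03 04|"; within:4; distance:0
        -> local file header signature at offset 0 of the buffer.
    content:".enc"; within:50; distance:26
        -> skip the 26 fixed header bytes that follow the signature
           (the filename starts at offset 30) and look for ".enc" inside
           the next 50 bytes.
    pcre:"/^PK\\x03\\x04.{26}[a-zA-Z0-9\\-\\_]+\\.enc/s"
        -> the member name itself must be [A-Za-z0-9_-]+ ending in .enc.
    """
    if file_data[:4] != b"PK\x03\x04":
        return False
    window_start = 4 + 26  # end of signature match + distance:26
    window = file_data[window_start:window_start + 50]  # within:50
    if b".enc" not in window:
        return False
    return ENC_RE.match(file_data) is not None


if __name__ == "__main__":
    for name in ("report.enc", "report.txt", "a" * 60 + ".enc", "docs/report.enc"):
        print(f"{name!r:24} -> {rule_matches(build_zip(name))}")
```

The last two names are the false negatives worth knowing about when tuning within:50 or the filename character class.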

