[Snort-sigs] MALWARE-CNC Win.Trojan.Bedep variant outbound connection (1:33188)

rmkml rmkml at ...4129...
Tue Jan 19 16:05:59 EST 2016

Hi Elliot,

Thx for sharing information, Maybe add check for Trojan not use Referer and legitimate use Referer ?


On Tue, 19 Jan 2016, Elliot Anderson wrote:

> Hello all,
> Anybody struggled with the 1:33188 sig previously. The thing is that this signature:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound connection”; flow:to_server,established; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri;
> content:"Host|3A 20|www.ecb.europa.eu|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33188; rev:4; )
> Quite often triggers on legitimate traffic not associated with any CNC connections, just simple browsing and request for file from the European Central Bank (ECB) which contains the last 90 days of “Euro foreign exchange
> reference rates” and is updated daily. However Trojan Bedep uses it as part of DGA scheme.
> Are there any supplement signatures for this activity cause this one isn't working exactly the way we would like and expect it to work.
> Thanks for any comments,
> Elliot

More information about the Snort-sigs mailing list