[Snort-sigs] Win.Trojan.Kovter

Y M snort at ...3751...
Fri Feb 10 04:07:38 EST 2017


The two signatures below detect the initial JS downloader and the post-infection C&C.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant JS downloader outbound connection"; flow:to_server,established; urilen:<100; content:"GET"; http_method; content:"/counter/?"; fast_pattern:only; http_uri; content:"UA-CPU|3A 20|"; http_header; content:"MSIE 7.0|3B|"; http_header; content:!"Referer"; http_header; pcre:"/\/counter\/\x3f\w+/U"; metadata:ruleset community, service http; classtype:trojan-activity; sid:1000821; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant outbound connection"; flow:to_server,established; dsize:55<>205; content:!" HTTP/"; content:"|00 00 00|"; offset:1; metadata:ruleset community; classtype:trojan-activity; sid:1000822; rev:1;)

Thank you.
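The following is an added example, not part of the original post or of the Snort ruleset: a small Python approximation of the two rules' match logic, run over constructed sample traffic, so a defender can sanity-check what each rule keys on before deploying it. The HTTP request, the benign request and the beacon payload are all constructed here for illustration (they are not captures from the post), and the mapping from Snort semantics is an approximation: `http_header` is treated as the header block without the request line, `dsize:55<>205` is taken as exclusive bounds, and `content:"|00 00 00|"; offset:1` as "found anywhere at or after byte 1".

```python
import re

# Constructed sample traffic (assumed for illustration, not from the post).
# Request shaped like what sid:1000821 describes: GET to /counter/?<token>,
# UA-CPU header, MSIE 7.0 user agent, no Referer.
SAMPLE_KOVTER_LIKE = (
    b"GET /counter/?abc123 HTTP/1.1\r\n"
    b"Accept: */*\r\n"
    b"UA-CPU: x86\r\n"
    b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)\r\n"
    b"Host: example.invalid\r\n"
    b"Connection: Keep-Alive\r\n\r\n"
)

# Same URI, but with a Referer and a modern UA: should not fire.
SAMPLE_BENIGN = (
    b"GET /counter/?abc123 HTTP/1.1\r\n"
    b"Referer: http://example.invalid/\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"Host: example.invalid\r\n\r\n"
)

# Constructed non-HTTP beacon: 100 bytes, 00 00 00 starting at byte 1, no " HTTP/".
SAMPLE_BEACON = b"\x05\x00\x00\x00" + b"A" * 96


def parse_request(raw):
    """Split a raw HTTP request into (method, uri, header block).

    Raises ValueError if the request line is malformed.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = b"\r\n".join(lines[1:])
    return method, uri, headers


# pcre:"/\/counter\/\x3f\w+/U" from sid:1000821 (\x3f is '?')
COUNTER_RE = re.compile(rb"/counter/\?\w+")


def matches_sid_1000821(raw):
    """Approximate the content checks of sid:1000821 against one raw request."""
    try:
        method, uri, headers = parse_request(raw)
    except ValueError:
        return False
    if method != b"GET":                        # content:"GET"; http_method
        return False
    if len(uri) >= 100:                         # urilen:<100
        return False
    if b"/counter/?" not in uri:                # content:"/counter/?"; http_uri
        return False
    if b"UA-CPU: " not in headers:              # content:"UA-CPU|3A 20|"; http_header
        return False
    if b"MSIE 7.0;" not in headers:             # content:"MSIE 7.0|3B|"; http_header
        return False
    if b"Referer" in headers:                   # content:!"Referer"; http_header
        return False
    return COUNTER_RE.search(uri) is not None   # pcre on the URI buffer


def matches_sid_1000822(payload):
    """Approximate sid:1000822 against one TCP payload (assumed semantics, see lead-in)."""
    if not (55 < len(payload) < 205):           # dsize:55<>205
        return False
    if b" HTTP/" in payload:                    # content:!" HTTP/"
        return False
    return payload.find(b"\x00\x00\x00", 1) != -1   # content:"|00 00 00|"; offset:1


if __name__ == "__main__":
    print("sid:1000821 on Kovter-like request:", matches_sid_1000821(SAMPLE_KOVTER_LIKE))
    print("sid:1000821 on benign request:     ", matches_sid_1000821(SAMPLE_BENIGN))
    print("sid:1000822 on beacon payload:     ", matches_sid_1000822(SAMPLE_BEACON))
    print("sid:1000822 on HTTP request:       ", matches_sid_1000822(SAMPLE_KOVTER_LIKE))
```

The second rule has no URI or header anchor at all, only a size window, an absent " HTTP/" string and three null bytes near the start of the payload, so expect it to be noisier on binary protocols that happen to cross `$HTTP_PORTS`; the script makes that easy to check by feeding it captured payloads from a lab host before turning the rule on.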

