[Snort-sigs] Osx.Trojan.MacDownloader

Tyler Montier tmontier at ...435...
Tue Feb 14 16:51:17 EST 2017


Yaser,

Thanks for your submission. We will review and test the rule and get back
to you when it's finished.

Sincerely,

Tyler Montier
Cisco Talos

On Tue, Feb 14, 2017 at 3:33 PM, Y M <snort at ...3751...> wrote:

> Hello,
>
>
> The remote C&C server is reported being taken offline, but hopefully the
> rule would catch already infected hosts.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.MacDownloader outbound connection";
> flow:to_server,established; urilen:14; content:"GET"; http_method; content:"/Servermac.php"; fast_pattern:only;
> content:"User-Agent|3A 20|Bitdefender Adware Removal Tool/"; http_header; metadata:ruleset community,service http;
> reference:url,virustotal.com/en/file/7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7/analysis/;
> reference:url,virustotal.com/en/file/52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c/analysis/;
> reference:url,www.joesecurity.org/reports/report-787d664e842961f2a335139407f91a70.html;
> classtype:trojan-activity; sid:1000840; rev:1;)
>
>
> Thanks.
>
> YM
>
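An added, off-list illustration (not part of either message above, and not Snort's engine): a small Python emulation of the rule's content checks, run over constructed HTTP requests, to sanity-check that the urilen, URI and User-Agent conditions line up before the rule goes into testing. The function names, the sample requests and the hostnames in them are invented here.

```python
"""Emulation of the content checks in the Osx.Trojan.MacDownloader rule.

Added illustration only: this is not Snort's detection engine and is not
code from either message in the thread. It applies the rule's checks to
constructed HTTP requests so the urilen/URI/User-Agent conditions can be
sanity-checked offline."""

from typing import Optional, Tuple

# Conditions copied from the posted rule
EXPECTED_METHOD = "GET"                     # content:"GET"; http_method
EXPECTED_URILEN = 14                        # urilen:14
URI_CONTENT = "/Servermac.php"              # content:"/Servermac.php"; fast_pattern:only
UA_CONTENT = "User-Agent: Bitdefender Adware Removal Tool/"   # |3A 20| is ": "


def parse_request(raw: bytes) -> Optional[Tuple[str, str, str]]:
    """Split a raw HTTP/1.x request into (method, uri, header_block).

    Returns None when the request line is not "METHOD URI VERSION".
    The header block is everything after the request line up to the
    blank line, which is roughly what Snort's http_header buffer holds."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.decode("latin-1").partition("\r\n")
    parts = request_line.split(" ")
    if len(parts) != 3:
        return None
    method, uri, _version = parts
    return method, uri, header_block


def rule_matches(raw: bytes) -> bool:
    """True when the request satisfies every content check of the rule.

    Assumption: the normalized URI equals the raw URI (no percent-encoding
    in these samples), so Snort's urilen reduces to len(uri)."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, uri, header_block = parsed
    return (
        method == EXPECTED_METHOD
        and len(uri) == EXPECTED_URILEN
        and URI_CONTENT in uri
        and UA_CONTENT in header_block
    )


# Constructed sample requests (hostname and UA version are invented)
HIT_REQUEST = (
    b"GET /Servermac.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"User-Agent: Bitdefender Adware Removal Tool/1.0\r\n\r\n"
)
# Same path, different User-Agent: the http_header content check fails
MISS_UA_REQUEST = (
    b"GET /Servermac.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"User-Agent: curl/7.64.1\r\n\r\n"
)
# Query string appended: the path content is still present but the URI is
# 18 bytes, so urilen:14 fails and the rule would not fire
MISS_LEN_REQUEST = (
    b"GET /Servermac.php?v=1 HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"User-Agent: Bitdefender Adware Removal Tool/1.0\r\n\r\n"
)


def evaluate_samples() -> dict:
    """Run the rule logic over the constructed samples."""
    return {
        "hit": rule_matches(HIT_REQUEST),
        "wrong_user_agent": rule_matches(MISS_UA_REQUEST),
        "urilen_mismatch": rule_matches(MISS_LEN_REQUEST),
    }


if __name__ == "__main__":
    for name, fired in evaluate_samples().items():
        print(f"{name}: {'alert' if fired else 'no alert'}")
```

The third sample is the one worth noticing when judging coverage: urilen:14 pins the rule to the exact 14-byte path, so only requests for /Servermac.php with nothing appended are in scope, and the User-Agent check is a raw substring match on the header block, exactly as the |3A 20| hex escape in the rule spells out.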