[Snort-sigs] Andr.Trojan.Femas (ViperRAT)

Tyler Montier tmontier at ...435...
Mon Feb 20 10:33:13 EST 2017


Yaser,

Thanks for your submission. We will review the rule and get back to you
when it's finished.

Sincerely,

Tyler Montier
Cisco Talos

On Sun, Feb 19, 2017 at 12:39 AM, Y M <snort at ...3751...> wrote:

> Hello,
>
>
> The below signature was derived from the articles from the reference. No
> pcaps available.
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Femas outbound connection";
> flow:to_server,established;
> content:"POST"; http_method; content:"did="; http_client_body;
> content:"&method="; fast_pattern:only; content:".php"; http_uri;
> content:"|3B| Android "; http_header;
> content:"Accept-Encoding|3A 20|gzip|0D 0A|"; http_header;
> content:!"Accept|3A 20|"; http_header;
> metadata:ruleset community, service http;
> reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/;
> reference:url,blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/;
> classtype:trojan-activity; sid:1000847; rev:1;)
>
>
> Thank you.
>
> YM
>
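Since the submission notes that no pcaps were available, the following is an added example (not part of the thread, and not Snort's own matcher) that emulates the rule's content checks buffer by buffer against a constructed HTTP request, so the logic can be sanity-checked before the rule is tested in Snort. The request, host name and field values are constructed; the helper ignores flow state, normalization and evasion handling, and because the rule describes an outbound POST, it only makes sense on client-to-server traffic.

```python
# Hypothetical stand-in for the Snort content checks of sid:1000847.
# It is NOT Snort: direction (flow), HTTP normalization and evasions are ignored.

def parse_http_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, header_block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    method, uri, _version = request_line.split(b" ", 2)
    return method, uri, header_block, body

def matches_femas_rule(raw: bytes) -> bool:
    """Return True only when every content option of the rule would match."""
    method, uri, headers, body = parse_http_request(raw)
    # Snort's http_header buffer keeps the CRLF after each header line,
    # so re-add the one our partition stripped from the last header.
    header_buf = headers + b"\r\n"
    checks = [
        method == b"POST",                              # content:"POST"; http_method
        b"did=" in body,                                # content:"did="; http_client_body
        b"&method=" in raw,                             # content:"&method="; fast_pattern:only
        b".php" in uri,                                 # content:".php"; http_uri
        b"; Android " in header_buf,                    # content:"|3B| Android "; http_header
        b"Accept-Encoding: gzip\r\n" in header_buf,     # Accept-Encoding|3A 20|gzip|0D 0A|
        b"Accept: " not in header_buf,                  # content:!"Accept|3A 20|"; http_header
    ]
    return all(checks)

# Constructed sample beacon (not taken from the referenced reports); it mirrors
# only the fields the rule names.  Content-Length 26 matches the body below.
MATCHING_REQUEST = (
    b"POST /api/upload.php HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n"
    b"User-Agent: Mozilla/5.0 (Linux; Android 6.0; Build/MRA58K)\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 26\r\n"
    b"\r\n"
    b"did=0123456789&method=ping"
)

# Same request as an ordinary browser would send it: the negated Accept check
# and the exact Accept-Encoding value are what keep this from alerting.
BROWSER_REQUEST = MATCHING_REQUEST.replace(
    b"Accept-Encoding: gzip\r\n",
    b"Accept: */*\r\nAccept-Encoding: gzip, deflate\r\n",
)

if __name__ == "__main__":
    print("beacon  ->", matches_femas_rule(MATCHING_REQUEST))   # True
    print("browser ->", matches_femas_rule(BROWSER_REQUEST))    # False
```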

