Written by Matt Jonkman
Wednesday, 09 January 2008
Interesting trojan, MBR based. (Thought that was all over in the 90s, eh?) Analysis by Gmer is here: www2.gmer.net/mbr/ . The sig is good until it mutates, but we'll keep an eye on it.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TROJAN MBR Trojan (Sinowal/Mebroot/) Phoning Home"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ld/mat"; nocase; uricontent:".php"; nocase; content:"|0d 0a|id="; distance:30; content:"&hit="; distance:5; classtype:trojan-activity; sid:2007747; rev:1;)
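As an added illustration (not part of the original post or the Bleeding Edge rule set), the Python below walks through each content check of the signature above, in rule order, against constructed HTTP requests. It is a teaching model of the depth, nocase and distance modifiers, not a reimplementation of Snort's detection engine; the URI handling in particular is a simplification of Snort's normalised URI buffer.

```python
# Constructed sample requests (not real captures) to exercise the matcher.
PHONE_HOME = (
    b"POST /ld/mat.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"id=0123456789abcdef&hit=1&v=2"
)
NOCASE_URI = b"POST /LD/Mat.PHP HTTP/1.1\r\nHost: example.invalid\r\n\r\nid=0123456789abcdef&hit=1"
BENIGN = b"POST /login.php HTTP/1.1\r\nHost: example.invalid\r\n\r\nid=user&hit=1"
SHORT_ID = b"POST /ld/mat.php HTTP/1.1\r\nHost: example.invalid\r\n\r\nid=ab&hit=1"


def matches_sid_2007747(payload: bytes) -> bool:
    """Apply the rule's content checks in order. A 'distance:N' pattern must
    begin at least N bytes after the end of the previous match (Snort's definition);
    the URI handling below is a simplification of Snort's normalised URI buffer."""
    # content:"POST "; depth:5 -> the five-byte pattern must lie in the first 5 bytes
    if payload[:5] != b"POST ":
        return False
    # uricontent:"/ld/mat"; nocase; uricontent:".php"; nocase
    # The URI is the request-line token after "POST "; compare case-insensitively.
    line_end = payload.find(b"\r\n")
    if line_end < 0:
        return False
    uri_end = payload.find(b" ", 5, line_end)
    if uri_end < 0:
        uri_end = line_end
    uri = payload[5:uri_end].lower()
    p = uri.find(b"/ld/mat")
    if p < 0:
        return False
    q = uri.find(b".php", p + len(b"/ld/mat"))
    if q < 0:
        return False
    last_end = 5 + q + len(b".php")          # absolute offset just past ".php"
    # content:"|0d 0a|id="; distance:30 -> CRLF + "id=" at least 30 bytes past ".php";
    # in a real request that is the blank line ending the headers and the body start.
    p = payload.find(b"\r\nid=", last_end + 30)
    if p < 0:
        return False
    last_end = p + len(b"\r\nid=")
    # content:"&hit="; distance:5 -> the id value must be at least 5 bytes long
    return payload.find(b"&hit=", last_end + 5) >= 0

if __name__ == "__main__":
    for name, req in [("PHONE_HOME", PHONE_HOME), ("NOCASE_URI", NOCASE_URI),
                      ("BENIGN", BENIGN), ("SHORT_ID", SHORT_ID)]:
        print(f"{name}: {'ALERT' if matches_sid_2007747(req) else 'no match'}")
```

The SHORT_ID sample shows why distance:5 matters: an id value shorter than five bytes puts "&hit=" too close to "id=" and the rule does not fire, which is also the kind of gap a mutated variant could slip through.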
Last Updated ( Thursday, 10 January 2008 )