#
# $Id: emerging-all.rules $
# Emerging Threats rules. 
#
# SID's are 2000000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#This is the MASTER list, this includes ALL rules
#
#*************************************************************
#
#  Copyright (c) 2003-2010, Emerging Threats
#  All rights reserved.
#  
#  Redistribution and use in source and binary forms, with or without modification, are permitted provided that the 
#  following conditions are met:
#  
#  * Redistributions of source code must retain the above copyright notice, this list of conditions and the following 
#    disclaimer.
#  * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the 
#    following disclaimer in the documentation and/or other materials provided with the distribution.
#  * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived 
#    from this software without specific prior written permission.
#  
#  THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, 
#  INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 
#  DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 
#  SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
#  SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 
#  WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE 
#  USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
#
#
#by kevin ross
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt"; flow:to_client,established; content:"PDF-"; nocase; depth:300; content:"this.media.newPlayer|28|null"; nocase; distance:0; content:"util.printd"; nocase; within:150; classtype:attempted-user; reference:url,www.metasploit.com/redmine/projects/framework/repository/revisions/7881/entry/modules/exploits/windows/fileformat/adobe_media_newplayer.rb; reference:url,vrt-sourcefire.blogspot.com/2009/12/adobe-reader-medianewplayer-analysis.html; reference:url,www.securityfocus.com/bid/37331; reference:cve,2009-4324; reference:url,doc.emergingthreats.net/2010495; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; sid:2010495; rev:9;)

#by evilghost
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Adobe 0day Shovelware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\:"; nocase; uricontent:"/ppp/listdir.php?dir="; pcre:"/\/[a-z]{2}\/[a-z]{4}01\/ppp\/listdir\.php\?dir=/U"; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=7747; reference:url,doc.emergingthreats.net/2010496; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; sid:2010496; rev:2;)

#kevin ross
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt"; flow:established,to_client; content:"|0d 0a|%FDF-"; depth:600; content:"/F(JavaScript\:"; nocase; distance:0; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37763; reference:cve,2009-3956; reference:url,doc.emergingthreats.net/2010664; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; reference:url,www.stratsec.net/files/SS-2010-001_Stratsec_Acrobat_Script_Injection_Security_Advisory_v1.0.pdf; sid:2010664; rev:3;)

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NOS Microsystems Adobe Reader/Acrobat getPlus Helper ActiveX Control Multiple Stack Buffer Overflows CLSID Access Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"E2883E8F-472F-4fb0-9522-AC9BF37916A7"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*E2883E8F-472F-4fb0-9522-AC9BF37916A7/si"; classtype:attempted-user; reference:url,www.securityfocus.com/bid/37759; reference:url,www.kb.cert.org/vuls/id/773545; reference:url,www.adobe.com/support/security/bulletins/apsb10-02.html; reference:cve,2009-3958; reference:url,doc.emergingthreats.net/2010665; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; sid:2010665; rev:2;)

#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe Macromedia Flash Player In Windows XP Remote Arbitrary Code Execution CLSID Access Attempt"; flow:established,to_client; content:"clsid"; nocase; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D27CDB6E-AE6D-11cf-96B8-444553540000/si"; classtype:attempted-user; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19710; reference:url,www.kb.cert.org/vuls/id/204889; reference:url,www.microsoft.com/technet/security/advisory/979267.mspx; reference:url,doc.emergingthreats.net/2010666; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Adobe; sid:2010666; rev:2;)

#by jaime blasco
#seeing if these last, ua may change often
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAV AntivirusDoktor2009 User-Agent (768)"; flow:established,to_server; content:"|0d 0a|User-Agent\: 768"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010682; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_AntivirusDoktor2009; sid:2010682; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAV AntivirusDoktor2009 User-Agent (657)"; flow:established,to_server; content:"|0d 0a|User-Agent\: 657"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010683; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_AntivirusDoktor2009; sid:2010683; rev:2;)


#by David Wharton
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internal User may have Visited an ASProx Infected Site (ads-t.ru)"; flow:established,from_server; content:"<script src=http\://www.ads-t.ru/ads.js>"; nocase; classtype:trojan-activity; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010032; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Asprox; sid:2010032; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internal User may have Visited an ASProx Infected Site (bannert.ru)"; flow:established,from_server; content:"<script src=http\://www.bannert.ru/ads.js>"; nocase; classtype:trojan-activity; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Asprox; sid:2010033; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internal User may have Visited an ASProx Infected Site (bannerdriven.ru)"; flow:established,from_server; content:"<script src=http\://www.bannerdriven.ru/ads.js>"; nocase; classtype:trojan-activity; reference:url,garwarner.blogspot.com/2009/10/cyber-security-awareness-month-day-one.html; reference:url,doc.emergingthreats.net/2010034; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Asprox; sid:2010034; rev:3;)

#by Daniel Sheperd
alert udp any any -> any 53 (msg:"ET CURRENT_EVENTS DNS BIND 9 Dynamic Update DoS attempt"; byte_test:1,&,40,2; byte_test:1,>,0,5; byte_test:1,>,0,1; content:"|00 00 06|"; offset:8; content:"|c0 0c 00 ff|"; distance:2; reference:cve,2009-0696; classtype:attempted-dos; reference:url,doc.emergingthreats.net/2009701; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Bind; sid:2009701; rev:2;)

#by Kevin Ross, temporary, based on a specific exploit if generated in hping
alert tcp $EXTERNAL_NET any -> $HOME_NET [22,23,80,443,10000] (msg:"ET CURRENT_EVENTS Possible Cisco PIX/ASA Denial Of Service Attempt (Hping Created Packets)"; flow:to_server; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; depth:40; content:"|58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58|"; distance:300; isdataat:300,relative; threshold: type threshold, track by_src, count 60, seconds 80; classtype:attempted-dos; reference:url,www.securityfocus.com/bid/34429/info; reference:url,www.securityfocus.com/bid/34429/exploit; reference:url,www.cisco.com/en/US/products/products_applied_mitigation_bulletin09186a0080a99518.html; reference:cve,2009-1157; reference:url,doc.emergingthreats.net/2010624; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Cisco; sid:2010624; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET CURRENT Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; flow:established,to_server; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; classtype:attempted-dos; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010817; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Cisco; sid:2010817; rev:2;)

#Temporarily disabled until we get a fix for an FP problem
#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET CURRENT Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; classtype:attempted-dos; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010818; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Cisco; sid:2010818; rev:2;)

#matt jonkman, idea from Jason Weir
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"DHL_"; within:50; pcre:"/filename\s*=\s*\"DHL_(Label_|document_|package_label_|print_label_).{5,7}\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010148; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010148; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Facebook Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"Facebook_Password"; within:50; pcre:"/filename\s*=\s*"Facebook_Password_.....\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010166; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010166; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS WU Malicious Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"WU_Details_"; within:50; pcre:"/filename\s*=\s*"WU_Details_.....\.zip/m"; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; reference:url,doc.emergingthreats.net/2010376; sid:2010376; rev:2;)

#by jason weir and wolvee
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Facebook Spam Inbound (1)"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"Facebook_Password"; within:50; pcre:"/filename\s*=\s*Facebook_Password_[0-9]{5}\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010497; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS Facebook Spam Inbound (2)"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"Facebook"; within:50; pcre:"/filename\s*=\s*Facebook_(Password|Support)_[0-9]{5}\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010498; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010498; rev:2;)

#Matt Jonkman
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS MySpace Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"MySpace"; within:50; pcre:"/filename\s*=\s*MySpace_document_[0-9]{5}\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010629; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010629; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"Content-Disposition|3A| attachment\;"; nocase; content:"filename"; within:100; content:"UPS"; within:50; pcre:"/filename\s*=\s*UPS_invoice_NR[0-9]{5}\.zip/m"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010644; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DHL; sid:2010644; rev:2;)


#by many very smart people
# This may be a high load sig. Take time and seriously consider
# that your dns_servers var is set as narrowly as possible
#disabling, remove in the not too distant future
#alert udp any 53 -> $DNS_SERVERS any (msg:"ET CURRENT_EVENTS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt"; byte_test:2,>,0,6; byte_test:2,>,0,10; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008446; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning; sid:2008446; rev:9;)

#this will catch large numbers of nxdomain replies, a sign that someone may be trying to poison you
#alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive NXDOMAIN responses - Possible DNS Poisoning Attempt Backscatter"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; threshold: type both, track by_src, count 100, seconds 10; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning; sid:2008470; rev:3;)
#by Greg Martin at Econet
alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible NS RR Cache Poisoning Attempt"; content: "|85 00 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src,count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008447; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning; sid:2008447; rev:6;)
alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS DNS Query Responses with 3 RR's set (50+ in 2 seconds) - possible A RR Cache Poisoning Attempt"; content: "|81 80 00 01 00 01 00 01|"; offset: 2; depth:8; threshold: type both, track by_src, count 50, seconds 2; classtype:bad-unknown; reference:url,infosec20.blogspot.com/2008/07/kaminsky-dns-cache-poisoning-poc.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008475; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_DNS_Poisoning; sid:2008475; rev:3;)

#by evilghost
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential Fake Anti-Virus Download Inst_58s6.exe"; flow:established,to_server; uricontent:"/Inst_58s6.exe"; nocase; classtype:trojan-activity; reference:url,cyveillanceblog.com/general-cyberintel/malware-google-search-results; reference:url,doc.emergingthreats.net/2010339; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_FakeAV; sid:2010339; rev:2;)

#by evilghost
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential FakeAV download ASetup_2009.exe variant"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"Setup_"; nocase; uricontent:".exe"; nocase; content:!"|0d 0a|Referer\: "; nocase; pcre:"/\/[A-Z]Setup_[0-9]{4}\.exe$/Ui"; classtype:trojan-activity; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Fakeav_Setup_dl; reference:url,doc.emergingthreats.net/2010901; sid:2010901; rev:3;)

#by evilghost
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential FakeAV download Setup_103s1 or Setup_207 variant"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/Setup_"; nocase; uricontent:".exe"; nocase; content:!"|0d 0a|Referer\: "; nocase; pcre:"/\/Setup_[0-9]{3}([A-Z][0-9])?\.exe$/Ui"; classtype:trojan-activity; reference:url,www.prevx.com/avgraph/1/AVG.html; reference:url,doc.emergingthreats.net/2010867; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Fakeav_Setup_dl; sid:2010867; rev:4;)

#by mike cox
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RFI Scanner Success (Fx29ID)"; flow:established,from_server; content:"FeeLCoMzFeeLCoMz"; classtype:successful-user; reference:url,doc.emergingthreats.net/2010463; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_FeeLCoMz; sid:2010463; rev:3;)

#by eoin miller and peers
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Hostile domain, NeoSploit FakeAV google.analytics.com.*.info"; flow:established,to_server; content:"GET "; nocase; depth:4; content:"|0d 0a|Host\: google.analytics.com."; nocase; content:".info|0d 0a|"; within:15; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage\;topic=3781.0; reference:url,doc.emergingthreats.net/2010866; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Hostile_Google_Fake_Domain; sid:2010866; rev:2;)

#by mike cox
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS iPhone Bot iKee.B Contacting C&C"; flow:to_server,established; uricontent:"/xml/p.php?id="; pcre:"/\/xml\/p\.php\?id=\d{2,}/U"; classtype:trojan-activity; reference:url,mtc.sri.com/iPhone/; reference:url,doc.emergingthreats.net/2010551; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Ikee; sid:2010551; rev:2;)

#by mareadmin
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible JAVA pack200-zip-exploit attempt"; flow:to_client; content:"e.pack.gz"; content:"|0d 0a|Content-Encoding\: pack200-gzip"; within:55;classtype:attempted-user;reference:url,isc.sans.org/diary.html?storyid=6805&rss; reference:url,doc.emergingthreats.net/2009665; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Java; sid:2009665; rev:2;)

#by kevin ross
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt"; flow:established,to_client; content:"#|3A|../../"; content:"C|3A 5C|"; nocase; within:50; pcre:"/\x2E\x2E\x2F\x2E\x2E\x2F.+C\x3A\x5C[a-z]/si"; reference:url,www.securityfocus.com/bid/37884; reference:cve,2010-0027; reference:url,doc.emergingthreats.net/2010798; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSIE; classtype:attempted-user; sid:2010798; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer CVE-2010-0249 srcElement Remote Code Execution Attempt"; flow:established,to_client; content:"document.createEventObject"; nocase; content:".innerHTML"; within:100; nocase; content:"="; within:2; content:"|22 22|"; within:3; content:"window.setInterval"; distance:0; nocase; classtype:attempted-user; reference:cve,2010-0249; reference:url,doc.emergingthreats.net/2010799; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSIE; sid:2010799; rev:2;)

#kevin ross
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Microsoft Internet Explorer iepeers.dll Remote Code Execution Attempt (CVE-2010-0806)"; flow:established,to_client; content:"document.createElement"; nocase; content:".addBehavior"; nocase; within:100; content:"document.appendChild"; nocase; distance:0; classtype:attempted-user; reference:url,www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/; reference:cve,2010-0806; reference:url,doc.emergingthreats.net/2010931; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSIE; sid:2010931; rev:2;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 1"; flow:to_server,established; content:"s|00|p|00|_|00|r|00|e|00|p|00|l|00|w|00|r|00|i|00|t|00|e|00|t|00|o|00|v|00|a|00|r|00|b|00|i|00|n"; nocase; classtype:attempted-user; reference:url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSSQL; sid:2008909; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"ET CURRENT_EVENTS MSSQL sp_replwritetovarbin - potential memory overwrite case 2"; flow:to_server,established; content:"sp_replwritetovarbin"; nocase; classtype:attempted-user; reference:url,archives.neohapsis.com/archives/fulldisclosure/2008-12/0239.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSSQL; sid:2008910; rev:2;)


#by David Wharton
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft DirectShow ActiveX Load"; flow:to_client,established; content:"clsid"; nocase; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009490; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009490; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft DirectShow ActiveX Exploit Attempt"; flow:to_client,established; content:"clsid"; nocase; content:"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF"; nocase; content:"omybro"; nocase; content:"logo.gif"; nocase; reference:url,csis.dk/dk/nyheder/nyheder.asp?tekstID=799; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009491; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009491; rev:3;)

#by anonymous #1
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely MSVIDCTL.dll exploit in transit"; flow:to_client,established; content:"|00 03 00 00 11 20 34|"; content:"|ff ff ff ff 0c 0c 0c 0c 00|"; within:70; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=6733; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=18595; reference:url,doc.emergingthreats.net/2009493; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009493; rev:3;)

#by wolvee
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (29)"; flow:to_client,established; content:"clsid"; nocase; content:"A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E30750-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009598; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009598; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (30)"; flow:to_client,established; content:"clsid"; nocase; content:"AD8E510D-217F-409B-8076-29C5E73B98E8"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*AD8E510D-217F-409B-8076-29C5E73B98E8/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009599; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009599; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (31)"; flow:to_client,established; content:"clsid"; nocase; content:"B0EDF163-910A-11D2-B632-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B0EDF163-910A-11D2-B632-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009600; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009600; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (32)"; flow:to_client,established; content:"clsid"; nocase; content:"B64016F3-C9A2-4066-96F0-BD9563314726"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*B64016F3-C9A2-4066-96F0-BD9563314726/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009601; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009601; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (33)"; flow:to_client,established; content:"clsid"; nocase; content:"BB530C63-D9DF-4B49-9439-63453962E598"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*BB530C63-D9DF-4B49-9439-63453962E598/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009602; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009602; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (34)"; flow:to_client,established; content:"clsid"; nocase; content:"C531D9FD-9685-4028-8B68-6E1232079F1E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C531D9FD-9685-4028-8B68-6E1232079F1E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009603; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009603; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (35)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCC-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCC-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009604; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009604; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (36)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCD-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCD-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009605; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009605; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (37)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCE-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCE-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009606; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009606; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (38)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CCF-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CCF-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009607; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009607; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (39)"; flow:to_client,established; content:"clsid"; nocase; content:"C5702CD0-9B79-11D3-B654-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C5702CD0-9B79-11D3-B654-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009608; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009608; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (40)"; flow:to_client,established; content:"clsid"; nocase; content:"C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009609; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009609; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (41)"; flow:to_client,established; content:"clsid"; nocase; content:"CAAFDD83-CEFC-4E3D-BA03-175F17A24F91"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*CAAFDD83-CEFC-4E3D-BA03-175F17A24F91/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009610; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009610; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (42)"; flow:to_client,established; content:"clsid"; nocase; content:"D02AAC50-027E-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*D02AAC50-027E-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009611; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (43)"; flow:to_client,established; content:"clsid"; nocase; content:"F9769A06-7ACA-4E39-9CFB-97BB35F0E77E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*F9769A06-7ACA-4E39-9CFB-97BB35F0E77E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009612; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009612; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (44)"; flow:to_client,established; content:"clsid"; nocase; content:"FA7C375B-66A7-4280-879D-FD459C84BB02"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*FA7C375B-66A7-4280-879D-FD459C84BB02/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009613; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009613; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (1)"; flow:to_client,established; content:"clsid"; nocase; content:"011B3619-FE63-4814-8A84-15A194CE9CE3"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*011B3619-FE63-4814-8A84-15A194CE9CE3/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009614; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009614; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (2)"; flow:to_client,established; content:"clsid"; nocase; content:"0149EEDF-D08F-4142-8D73-D23903D21E90"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0149EEDF-D08F-4142-8D73-D23903D21E90/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009615; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009615; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (3)"; flow:to_client,established; content:"clsid"; nocase; content:"0369B4E5-45B6-11D3-B650-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E5-45B6-11D3-B650-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009616; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009616; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (4)"; flow:to_client,established; content:"clsid"; nocase; content:"0369B4E6-45B6-11D3-B650-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*0369B4E6-45B6-11D3-B650-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009617; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009617; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (5)"; flow:to_client,established; content:"clsid"; nocase; content:"055CB2D7-2969-45CD-914B-76890722F112"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*055CB2D7-2969-45CD-914B-76890722F112/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009618; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009618; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (6)"; flow:to_client,established; content:"clsid"; nocase; content:"15D6504A-5494-499C-886C-973C9E53B9F1"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*15D6504A-5494-499C-886C-973C9E53B9F1/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009619; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009619; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (7)"; flow:to_client,established; content:"clsid"; nocase; content:"1BE49F30-0E1B-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1BE49F30-0E1B-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009620; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009620; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (8)"; flow:to_client,established; content:"clsid"; nocase; content:"1C15D484-911D-11D2-B632-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1C15D484-911D-11D2-B632-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009621; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009621; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (9)"; flow:to_client,established; content:"clsid"; nocase; content:"1DF7D126-4050-47F0-A7CF-4C4CA9241333"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*1DF7D126-4050-47F0-A7CF-4C4CA9241333/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009622; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009622; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (10)"; flow:to_client,established; content:"clsid"; nocase; content:"2C63E4EB-4CEA-41B8-919C-E947EA19A77C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*2C63E4EB-4CEA-41B8-919C-E947EA19A77C/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009623; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009623; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (11)"; flow:to_client,established; content:"clsid"; nocase; content:"334125C0-77E5-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*334125C0-77E5-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009624; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009624; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (12)"; flow:to_client,established; content:"clsid"; nocase; content:"37B0353C-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B0353C-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009625; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009625; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (13)"; flow:to_client,established; content:"clsid"; nocase; content:"37B03543-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B03543-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009626; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (14)"; flow:to_client,established; content:"clsid"; nocase; content:"37B03544-A4C8-11D2-B634-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*37B03544-A4C8-11D2-B634-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009627; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009627; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (15)"; flow:to_client,established; content:"clsid"; nocase; content:"418008F3-CF67-4668-9628-10DC52BE1D08"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*418008F3-CF67-4668-9628-10DC52BE1D08/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009628; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009628; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (16)"; flow:to_client,established; content:"clsid"; nocase; content:"4A5869CF-929D-4040-AE03-FCAFC5B9CD42"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*4A5869CF-929D-4040-AE03-FCAFC5B9CD42/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009629; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009629; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (17)"; flow:to_client,established; content:"clsid"; nocase; content:"577FAA18-4518-445E-8F70-1473F8CF4BA4"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*577FAA18-4518-445E-8F70-1473F8CF4BA4/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009630; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009630; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (18)"; flow:to_client,established; content:"clsid"; nocase; content:"59DC47A8-116C-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*59DC47A8-116C-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009631; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009631; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (19)"; flow:to_client,established; content:"clsid"; nocase; content:"7F9CB14D-48E4-43B6-9346-1AEBC39C64D3"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*7F9CB14D-48E4-43B6-9346-1AEBC39C64D3/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009632; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009632; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (20)"; flow:to_client,established; content:"clsid"; nocase; content:"823535A0-0318-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*823535A0-0318-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009633; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009633; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (21)"; flow:to_client,established; content:"clsid"; nocase; content:"8872FF1B-98FA-4D7A-8D93-C9F1055F85BB"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8872FF1B-98FA-4D7A-8D93-C9F1055F85BB/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009634; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009634; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (22)"; flow:to_client,established; content:"clsid"; nocase; content:"8A674B4C-1F63-11D3-B64C-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8A674B4C-1F63-11D3-B64C-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009635; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009635; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (23)"; flow:to_client,established; content:"clsid"; nocase; content:"8A674B4D-1F63-11D3-B64C-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*8A674B4D-1F63-11D3-B64C-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009636; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009636; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (24)"; flow:to_client,established; content:"clsid"; nocase; content:"9CD64701-BDF3-4D14-8E03-F12983D86664"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9CD64701-BDF3-4D14-8E03-F12983D86664/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009638; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009638; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (25)"; flow:to_client,established; content:"clsid"; nocase; content:"9E77AAC4-35E5-42A1-BDC2-8F3FF399847C"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*9E77AAC4-35E5-42A1-BDC2-8F3FF399847C/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009639; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009639; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (26)"; flow:to_client,established; content:"clsid"; nocase; content:"A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009640; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009640; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (27)"; flow:to_client,established; content:"clsid"; nocase; content:"A2E3074E-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E3074E-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009641; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009641; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Vulnerable Microsoft Video ActiveX CLSID access (28)"; flow:to_client,established; content:"clsid"; nocase; content:"A2E30750-6C3D-11D3-B653-00C04F79498E"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*A2E30750-6C3D-11D3-B653-00C04F79498E/si"; reference:url,microsoft.com/technet/security/advisory/972890.mspx; classtype:web-application-attack; reference:url,doc.emergingthreats.net/2009642; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MSVidCtl; sid:2009642; rev:2;)

#by Christopher Campesi
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET CURRENT_EVENTS Remote SMB2.0 DoS Exploit"; flow:to_server,established; content:"|ff|SMB|72 00 00 00 00 18 53 c8|"; offset:4; content:!"|00 00|"; within:2; classtype:attempted-dos; reference:url,securityreason.com/exploitalert/7138; reference:url,doc.emergingthreats.net/2009886; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_SMB_DOS; sid:2009886; rev:4;)

#by Chandan at Secpod
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (1)"; flow:to_client,established; content:"clsid"; nocase; content:"F0E42D50-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html;reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008407; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot; sid:2008407; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (2)"; flow:to_client,established; content:"clsid"; nocase; content:"F0E42D60-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html;reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008408; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot; sid:2008408; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( msg:"ET CURRENT_EVENTS Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download (3)"; flow:to_client,established; content:"clsid"; nocase; content:"F2175210-368C-11D0-AD81-00A0C90DC8D9"; nocase; pcre:"/(SnapshotPath|CompressedPath|PrintSnapshot)/i"; pcre:"/(exe|bat|com|dll|ini)/i"; reference:bugtraq,30114; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/30114.html;reference:url,pstgroup.blogspot.com/2008/07/exploitmicrosoft-office-snapshot-viewer.html; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008409; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_MS_Snapshot; sid:2008409; rev:2;)

#by Jamie Blasco of OSSIM based on malwareurl.com data

#174 ocurrences
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - Antivirus_21.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/download/Antivirus_"; nocase; uricontent:".exe"; nocase; pcre:"/download\x2FAntivirus_\d+\x2Eexe/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010050; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010050; rev:3;)

#139 ocurrences
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - ws.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/install/ws.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010051; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010051; rev:2;)

#105 ocurrences
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - ws.zip"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/install/ws.zip"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010052; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010052; rev:2;)

#139 ocurrences
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely FakeRean Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/installer/InstallerClean.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010053; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010053; rev:2;)

#117
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely TDSS Download (codex.exe)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/codec.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010054; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010054; rev:2;)

#107
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely TDSS Download (pcdef.exe)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/pcdef.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010055; rev:2;)

#93 ocurrences
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely TDSS Download (197.exe)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/codec/197.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010056; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010056; rev:2;)

#91 ocurrences
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - installpv.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/installpv.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010057; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010057; rev:2;)

#70 ocurrences
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Unknown Trojan Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/softwarefortubeview.40009.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010058; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010058; rev:2;)

#56 ocurrences
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely Unknown Trojan Infostealer Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/crack.45000.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010059; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010059; rev:2;)

#51 ocurrences
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TROJAN Likely Possible Rogue A/V Win32/FakeXPA Download"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/Soft_21.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010060; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010060; rev:2;)

#47 ocurrences
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - InternetAntivirusPro.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/InternetAntivirusPro.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010061; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010061; rev:2;)

#30 ocurrences
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - AntivirusPlus.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/AntivirusPlus.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010062; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010062; rev:2;)

#by evilghost 11/2/09
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential exploit redirect, in.cgi pepsi"; flow:established,to_server; uricontent:"ts/in.cgi?pepsi"; pcre:"/ts\/in\.cgi\?pepsi\d+/U"; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010222; rev:2;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, flash-HQ-plugin.40000.exe"; flow:established,to_server; uricontent:"flash-HQ-plugin.40000.exe"; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010440; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010440; rev:2;)

#by mike cox
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, pdf exploit"; flow:established,to_server; uricontent:"/ssp/files/annonce.pdf"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010444; sid:2010444; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, loadjavad.php exploit"; flow:established,to_server; uricontent:"/ssp/loadjavad.php"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010446; sid:2010446; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, rogue antivirus (IAInstall.exe)"; flow:established,to_server; uricontent:"/download/IAInstall.exe"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010447; sid:2010447; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, trojan zbot"; flow:established,to_server; uricontent:"/globaldirectory/updatetool.exe"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010448; sid:2010448; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Potential Malware Download, exploit redirect"; flow:established,to_server; uricontent:"/fkzd/2.htm"; nocase; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010449; sid:2010449; rev:2;)

#by evilghost
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Potential Fake AV GET installer.1.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/installer."; nocase; uricontent:".exe"; nocase; pcre:"/\/installer\.\d+\.exe/Ui"; classtype:trojan-activity; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010452; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010452; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Potential Fake AV GET installer_1.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/installer_"; nocase; uricontent:".exe"; nocase; pcre:"/\/installer_\d+\.exe/Ui"; classtype:trojan-activity; reference:url,www.malwareurl.com; reference:url,doc.emergingthreats.net/2010453; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010453; rev:3;)

#by evilghost
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Fake AV Download (download/install.php)"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"download/install.php"; pcre:"/\x0d\x0aHost\: [a-z\x2e]+(security|virus|pro|anti|scan|mypc|total|protect|check|guard|defend)/i"; classtype:trojan-activity; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2009-December/004891.html; reference:url,malwareurl.com; reference:url,www.malwaredomainlist.com; reference:url,doc.emergingthreats.net/2010465; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010465; rev:2;)

#by mike cox
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malwareurl.com - potential oficla download (annonce.pdf)";flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/ssp/files/annonce.pdf"; nocase; pcre:"/\/ssp\/files\/annonce\.pdf$/Ui"; classtype:trojan-activity; reference:url,www.malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010532; sid:2010532; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malwareurl.com - potential oficla download (loadjavad.php)";flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/ssp/loadjavad.php"; nocase; pcre:"/\/ssp\/loadjavad\.php$/Ui"; classtype:trojan-activity; reference:url,www.malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010534; sid:2010534; rev:2;)

#by waldo kitty
#149 occurances
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - Setup_2005.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/download/Setup_"; nocase; uricontent:".exe"; nocase; pcre:"/download\x2FSetup_\d+\x2Eexe/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/xxxxxxx; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010684; rev:1;)

#155 occurances
#by waldo kitty
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Likely Rogue Antivirus Download - IAInstall.exe (InternetAntivirusPro)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/download/IAInstall"; nocase; uricontent:".exe"; nocase; pcre:"/download\x2FIAInstall\x2Eexe/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/xxxxxxx; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010685; rev:1;)

#by evilghost
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malwareurl - wywg executable download Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/wywg/"; nocase; uricontent:".exe"; nocase; pcre:"/\/wywg\/[a-z0-9]{2,5}\/[a-z0-9]+\.exe$/Ui"; classtype:trojan-activity; reference:url,malwareurl.com; reference:url,doc.emergingthreats.net/2010716; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; sid:2010716; rev:2;)

#by Mike Cox
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALWARE Unknown Malware Download Attempt"; flow:established,to_server; uricontent:"/installer/Installer"; nocase; uricontent:".exe"; nocase; pcre:"/\/\d+\/installer\/Installer(Clean)?\.exe$/Ui"; classtype:bad-unknown; reference:url,malwareurl.com; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Malwareurl_top_downloads; reference:url,doc.emergingthreats.net/2010796; sid:2010796; rev:2;)

#by matt jonkman, re http://www.incidents.org/diary.html?storyid=4405
# Mass File Injection attacks
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Client Visiting Possibly Compromised Site (HaCKeD By BeLa & BodyguarD)"; flow:established,from_server; content:"HaCKeD By BeLa & BodyguarD"; content:".js"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008206; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mass_File_Injections; sid:2008206; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible File Injection Compromise (HaCKeD By BeLa & BodyguarD)"; flow:established,to_server; content:"HaCKeD By BeLa & BodyguarD"; reference:url,www.incidents.org/diary.html?storyid=4405; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008207; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Mass_File_Injections; sid:2008207; rev:2;)

#by evilghost
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NACHA/Zeus Phishing Executable Download Attempt"; flow:established,to_server; content:"GET "; depth:4; content:"nacha.org."; nocase; uricontent:".exe"; nocase; pcre:"/\x0d\x0aHost\: (www\.)?nacha\.org\./i"; classtype:trojan-activity; reference:url,garwarner.blogspot.com/2009/11/newest-zeus-nacha-electronic-payments.html; reference:url,doc.emergingthreats.net/2010342; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Nacha; sid:2010342; rev:3;)

#by evilghost
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit Exploit Kit Java exploit drive-by host likely infected (kav)"; flow:established,to_server; uricontent:"/kav"; nocase; content:"|0d 0a|accept-encoding\: pack200-gzip,gzip|0d 0a|"; nocase; content:"|0d 0a|content-type\: application/x-java-archive|0d 0a|"; nocase; content:!"|0d 0a|Referer\: "; nocase; content:"|0d 0a|User-Agent\: Mozilla"; nocase; content:" Java/"; nocase; within:50; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010870; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Neosploit; sid:2010870; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit Exploit Kit Java exploit drive-by host likely infected (nte)"; flow:established,to_server; uricontent:"/nte/"; nocase; content:"|0d 0a|accept-encoding\: pack200-gzip,gzip|0d 0a|"; nocase; content:"|0d 0a|content-type\: application/x-java-archive|0d 0a|"; nocase; content:!"|0d 0a|Referer\: "; nocase; content:"|0d 0a|User-Agent\: Mozilla"; nocase; content:" Java/"; nocase; within:50; classtype:trojan-activity; reference:url,www.malwaredomainlist.com/forums/index.php?action=printpage%3btopic=3781.0; reference:url,doc.emergingthreats.net/2010871; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Neosploit; sid:2010871; rev:4;)

#by Nate Hausrath
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Pinkslipbot Trojan Downloader"; flow:to_server,established; uricontent:"/jl/jloader.pl?u="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010742; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Pinkslipbot; sid:2010742; rev:2;)

#by Paul Dokas. Testing this out for a bit..., modified by kevin ross

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nginx Serving PDF - Possible hostile content (PDF)"; flow:established,from_server; content:"HTTP/1."; depth:7; content:"|0d 0a|Server|3a| nginx"; nocase; distance:4; within:300; content:"Content-Type|3a| application/pdf"; nocase; within: 400; content:"Content-Disposition|3a| inline"; nocase; within: 400; threshold:type limit, seconds 60, count 10, track by_src; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2009076; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Possible_Malicious_PDF; sid:2009076; rev:4;)

##Jaime Blasco Alienvault VRT
#PSYB0T related Activity
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Psyb0t Code Download"; flow:established,to_server; uricontent:"/udhcpc.env"; nocase; classtype:trojan-activity; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009170; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Psybot; sid:2009170; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Psyb0t Bot Nick"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK [NIP]-.*/i"; classtype:trojan-activity; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009171; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Psybot; sid:2009171; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Psyb0t joining an IRC Channel"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"JOIN #mipsel"; classtype:trojan-activity; reference:url,www.adam.com.au/bogaurd/PSYB0T.pdf; reference:url,doc.emergingthreats.net/2009172; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Psybot; sid:2009172; rev:2;)


# New variant by Frank Knobbe
# GET /roundcube/bin/msgimport /rc/bin/msgimport /bin/msgimport /mail/bin/msgimport /webmail/bin/msgimport
# and GET /nonexistenshit
# Just using /bin/msgimport for simplicity
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2"; flow:to_server,established; uricontent:"/bin/msgimport"; nocase; classtype:attempted-recon; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/bin/view/Main/2008990; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube; sid:2008990; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Roundcube Vulnerability Scan Variant 2 Error Check"; flow:to_server,established; uricontent:"/nonexistenshit"; nocase; classtype:attempted-recon; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/bin/view/Main/2008991; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube; sid:2008991; rev:2;)

#by David Wharton
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 1"; flow:to_server,established; content:"POST /roundcube/bin/html2text.php HTTP/1."; nocase; content:"Accept|3a| ZWNobyAoMzMzMjEyKzQzMjQ1NjY2KS4iICI7O3Bhc3N0aHJ1KCJ1bmFtZSAtYTtpZCIpOw=="; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/bin/view/Main/2009006; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube; sid:2009006; rev:3;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 2"; flow:to_server,established; content:"POST /roundcube/bin/html2text.php HTTP/1."; nocase; content:"echo (333212+43245666).|22| |22|\;\;passthru(|22|uname -a\;id|22|)\;"; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/bin/view/Main/2009007; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube; sid:2009007; rev:2;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Roundcube Vulnerability Exploit Attempt 3"; flow:to_server,established; content:"POST /roundcube/bin/html2text.php HTTP/1."; nocase; content:"<b>{${EVAL(BASE64_DECODE($_SERVER[HTTP_ACCEPT]))}}</b>"; classtype:attempted-admin; reference:url,isc.sans.org/diary.html?storyid=5599; reference:url,doc.emergingthreats.net/bin/view/Main/2009008; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Roundcube; sid:2009008; rev:2;)

#by Jeffrey Brown. re 308c6885573ce652bab37c739f52cb19
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS New Malware Information Post"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a|Pragma\: no-cache|0d 0a 0d 0a|"; content:"|C9 78 C7 02 69 06 7E 34 78 17|"; distance:4; within:14; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009092; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Rusibank.com; sid:2009092; rev:2;)

#by Michael Sconzo of ERCOT
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (jpeg) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/jpeg"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/jpeg/im"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008313; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008313; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (gif) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/gif"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/gif/im"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008314; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008314; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Iframe in Purported Image Download (png) - Likely SQL Injection Attacks Related"; flow:established,from_server; content:"|0d 0a|content-type|3a| "; nocase; content:" image/png"; nocase; distance:0; within:30; content:"<iframe"; nocase; distance:0; pcre:"/content-type\:\s+image\/png/im"; pcre:"/<iframe.*?src.*?>.*?<\/iframe>/im"; classtype:web-application-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2008315; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008315; rev:4;)

#Greg Martin
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; content:!"nextgen-gallery"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; reference:url,doc.emergingthreats.net/bin/view/Main/2008373; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008373; rev:3;)

#by Jack Pepper
#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/ngg.js)"; flow:established,from_server; content:"<script src=http\://"; nocase; content:!"nextgen-gallery"; within:15; content:"/ngg.js>"; within:50; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008387; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; reference:url,infosec20.blogspot.com/2008/07/asprox-payload-morphed.html; sid:2008387; rev:4;)
#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Possible ASPROX Hostile JS Being Served by a Local Webserver (/b.js)"; flow:established,from_server; content:"<script src=http\://"; nocase; content:"/b.js>"; within:50; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008388; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_SQL_Injections; sid:2008388; rev:3;)

#by Pedro Marinho, re 58816f781154bda381fdcb1e3fab7bdd
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unnamed - kuaiche.com related"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/config/fgun_install_"; content:"|0d 0a|User-Agent\: NSI SDL/1.2 (Mozilla)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008359; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008359; rev:3;)

#different trojan, by marcus at unsober
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Keylogger checkin"; flow:established; content:"GET "; depth:4; uricontent:"?mail="; uricontent:"subject=Keylogger"; uricontent:"&body="; content:"|0d 0a|User-Agent|3a| Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1)"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008368; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008368; rev:3;)


#Another unknown, needs a name. Sig by Pedro Marinho
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Unknown Initial Checkin"; flow:established,to_server; dsize:<5; content:"id="; depth:3; flowbits:noalert; flowbits:set,ET.unknid; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008496; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008496; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Unknown Checkin"; flowbits:isset,ET.unknid; flow:established,to_server; dsize:100<>200; content:"&idate="; content:"&os="; content:"&wmid="; content:"&msg="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008497; rev:2;)


# Unknown handshake over SMTP discovered by Thierry Chich and reported on mail list. Added by Frank Knobbe 2008-09-17.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Suspicious SMTP handshake outbound"; flow:established,to_server; content:"001 RUTHERE"; depth:11; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008562; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008562; rev:3;)
alert tcp $EXTERNAL_NET 25 -> $HOME_NET any (msg:"ET TROJAN Suspicious SMTP handshake reply"; flow:established,from_server; content:"701 IMHERE"; depth:10; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008563; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan; sid:2008563; rev:3;)

#by Victor Julien
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET CURRENT_EVENTS Unknown Keepalive out"; flow:established,to_server; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:set,ET.unknownkeepaliveup; flowbits:noalert; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008779; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan3; sid:2008779; rev:4;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Keepalive in"; flow:established,to_client; dsize:5; content:"|17 24 1B 00 00|"; flowbits:isnotset,ET.teamviewerkeepaliveout; flowbits:isset,ET.unknownkeepaliveup; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008780; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Unknown_trojan3; sid:2008780; rev:4;)

#by jerry
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zbot update (av-i386-daily.zip)"; flow:established,to_server; uricontent:"av_base/av-i386-daily.zip"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010565; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus; classtype:trojan-activity; sid:2010568; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zbot update (av_base/pay.php)"; flow:established,to_server; uricontent:"av_base/pay.php"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010566; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus; classtype:trojan-activity; sid:2010566; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zbot update (av_base/ip.php)"; flow:established,to_server; uricontent:"av_base/ip.php"; nocase; reference:url,www.threatexpert.com/report.aspx?md5=06e69bfb6fffa17c4fc1e23af71b345c; reference:url,doc.emergingthreats.net/2010567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus; classtype:trojan-activity; sid:2010567; rev:3;)

#by spooker
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zeus Bot / Zbot Checkin (/us01d/in.php)"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/us01d/in.php"; reference:url,garwarner.blogspot.com/2010/01/american-bankers-association-version-of.html; reference:url,doc.emergingthreats.net/2010729; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_Zeus; classtype:trojan-activity; sid:2010729; rev:3;)

#by anon 4
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/perce/"; uricontent:"/qwerce.gif"; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010231; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010231; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/werber/"; uricontent:"/217.gif"; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010232; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010232; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack Encrypted GIF download"; flow:established,to_server; uricontent:"/item/"; uricontent:"/titem.gif"; content:"GET "; depth:4; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,blog.threatfire.com/2009/06/streamviewers-gif-images-embedded-with-encrypted-malware.html; reference:url,doc.emergingthreats.net/2010233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010233; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/senm.php?data="; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,doc.emergingthreats.net/2010234; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010234; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/perce/"; uricontent:"/qwerce.gif"; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010235; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010235; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/werber/"; uricontent:"/217.gif"; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010236; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010236; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/item/"; uricontent:"/titem.gif"; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,doc.emergingthreats.net/2010237; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010237; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/report.php?data="; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,doc.emergingthreats.net/2010238; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010238; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/arrows/"; uricontent:"/arrow_up.gif"; content:"POST "; depth:5; content:"data="; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,vil.nai.com/vil/content/v_157489.htm; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOAD.TID&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=316fd88ac18d21889b1dbf9b979c1959; reference:url,doc.emergingthreats.net/2010239; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_fakealerts; sid:2010239; rev:3;)

#by matt jonkman
alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"ET CURRENT_EVENTS Infected System Looking up chr.santa-inbox.com CnC Server"; content:"|03|chr|0b|santa-inbox|03|com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008531; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/CURRENT_EVENTS/CURRENT_santa-inbox.com; sid:2008531; rev:2;)

#Submitted by Jason Haar
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Update Engine"; flow: to_server,established; content:"GET"; depth: 3; content:"Host|3a|"; within: 300; content:".180solutions.com"; within: 40; reference:url,www.safer-networking.org/index.php?page=threats&detail=212; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000930; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2000930; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware (tracked event reported)"; flow: to_server,established; uricontent:"/TrackedEvent.aspx?"; nocase; uricontent:"eid="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001397; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2001397; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware (action url reported)"; flow: to_server,established; uricontent:"/actionurls/ActionUrl"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001399; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2001399; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Reporting"; flow: to_server,established; uricontent:"/showme.aspx?"; nocase; uricontent:"partner_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2001400; rev:8;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Keywords Download"; flow: to_server,established; uricontent:"keywords/kyf"; nocase; content:"partner_id="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002001; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002001; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Install"; flow: to_server,established; uricontent:"/downloads/installers/"; nocase; content:"simpleinternet/180sainstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002003; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002003; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Defs Download"; flow: to_server,established; uricontent:"/geodefs/gdf"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002048; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002048; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware config Download"; flow: to_server,established; uricontent:"/config.aspx?did="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002099; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002099; rev:4;)

#By M Shirk from Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware versionconfig POST"; flow:to_server,established; uricontent:"/versionconfig.aspx?"; uricontent:"&ver="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002354; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2002354; rev:4;)

#Matt Jonkman. Bundled from Warner Brothers Kids site.. can you believe that crap? Guess where my kids WON'T be spending my money....
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware Actionlibs Download"; flow:to_server,established; uricontent:"/actionurls/ActionUrlb"; nocase; uricontent:"partnerid="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003057; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003057; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Download"; flow:to_server,established; uricontent:"/Zango/ZangoInstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003058; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003058; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware TB Installer Download"; flow:to_server,established; uricontent:"/ZangoTBInstaller.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003059; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003059; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Local Stats Post"; flow:to_server,established; uricontent:"/php/rpc_uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003060; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003060; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Event Activity Post"; flow:to_server,established; uricontent:"/php/uci.php"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003061; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003061; rev:3;)

#New zango url
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Spyware Activity"; flow:to_server,established; uricontent:"/banman/banman.asp?ZoneID="; nocase; uricontent:"&Task="; nocase; uricontent:"&X="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003170; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003170; rev:3;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; uricontent:"config.aspx"; nocase; uricontent:"?ver="; nocase; content:"HTTP"; nocase; content:!"User-Agent\: "; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003217; rev:5;)

#more from the spywarelp
#Matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions Spyware (tracked event 2 reporting)"; flow: to_server,established; uricontent:"/trackedevent.aspx?"; nocase; uricontent:"ver="; nocase; uricontent:"&pkg_ver="; nocase; uricontent:"&rnd="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003306; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Spyware (tbrequest data post)"; flow: to_server,established; uricontent:"/tbrequest"; nocase; uricontent:"&q="; nocase; pcre:"/\/tbrequest\d+\.php/Ui"; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003610; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid: 2003610; rev:3;)

#by Russ McRee
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zango Spyware Post"; flow:to_server,established; uricontent:"/te.aspx?ver="; nocase; pcre:"/ver=[v\d]+/Ui"; reference:url,usa.kaspersky.com/about-us/news-press-releases.php?smnr_id=900000045; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007607; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_180Solutions; sid:2007607; rev:4;)

#Submitted by Joel Esler
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware 2020"; flow: to_server,established; content:"|48 6F 73 74 3A 20 77 77 77 2E 32 30 32 30 73 65 61 72 63 68 2E 63 6F 6D|"; content:"|49 70 41 64 64 72|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.2020search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000327; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2020search; sid: 2000327; rev:9;)
#
#Submitted by Jason Haar
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 2020search Update Engine"; flow: to_server,established; content:"POST"; depth: 4; content:"srng/reg.php HTTP"; within: 50; content:"|0d0a|Host|3a|"; content:"2020search.com"; within: 40; content:"IpAddr="; nocase; within: 100; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000934; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2020search; sid: 2000934; rev:7;)

# by: Jeremy Conway at sudosecure.net
#ref: 2b8175726f2dde727132299992dafbe9
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 2020search/PowerSearch Toolbar Adware/Spyware - GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:"IpAddr="; nocase; uricontent:"&OS="; nocase; uricontent:"&RegistryChanged="; nocase; uricontent:"&RegistryUpdate="; nocase; uricontent:"&NewInstallation="; nocase; uricontent:"&utilMissing="; nocase; uricontent:"&Basedir="; nocase; uricontent:"&BundleID="; nocase; uricontent:"&InitInstalled="; nocase; uricontent:"&Interval="; nocase; uricontent:"&LastInitRun="; nocase; uricontent:"&LastInitVer="; nocase; uricontent:"&LastSrngRun="; nocase; uricontent:"&LastUtilRun="; nocase; uricontent:"&SrngInstalled="; nocase; uricontent:"&SrngVer="; nocase; uricontent:"&UtilInstalled="; nocase; uricontent:"&UtilVer="; nocase; uricontent:"&PCID"; nocase; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_103738.htm; reference:url,www.sunbeltsecurity.com/ThreatDisplay.aspx?tid=13811&cs=1437A28B7A90C4C502B683CE6DE23C4E; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-111918-0210-99; reference:url,doc.emergingthreats.net/2009807; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2020search; sid:2009807; rev:2;)

#Submitted by Chris Norton
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE 2nd-thought (W32.Daqa.C) Download"; flow: from_server,established; content:"|67 6f 69 64 72 2e 63 61 62|"; nocase; content:"|48 6f 73 74 3a 20 77 77 77 2e 77 65 62 6e 65 74 69 6e 66 6f 2e 6e 65 74|"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.secondthought.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001447; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_2nd-Thought; sid: 2001447; rev:7;)

#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update"; flow:established,to_server; uricontent:"/?fixtool="; nocase; content:"GET /?fixtool="; offset:0; depth:16; content:!"|0d 0a|User-Agent\: "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008036; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_360safe.com; sid:2008036; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; uricontent:"/?KillerSet="; nocase; content:"GET /?KillerSet="; offset:0; depth:16; content:!"|0d 0a|User-Agent\: "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_360safe.com; sid:2008149; rev:3;)

#from spyware listening post data, by matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 51yes.com Spyware Reporting User Activity"; flow:established,to_server; uricontent:"/sa.aspx?id="; nocase; uricontent:"&refe=http"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003620; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_51yes.com; sid:2003620; rev:3;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE A-d-w-a-r-e.com Activity (popup)"; flow: established,to_server; uricontent:"/cgi-bin/PopupV"; nocase; uricontent:"?ID={"; nocase; reference:url,www.a-d-w-a-r-e.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001730; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_A-d-w-a-r-e.com; sid: 2001730; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE A-d-w-a-r-e.com Activity (cmd)"; flow: established,to_server; uricontent:"/app/VT00/ucmd.php?V="; nocase; reference:url,www.a-d-w-a-r-e.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001735; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_A-d-w-a-r-e.com; sid: 2001735; rev:7;)

#By Mark Tombaugh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ABX Toolbar ActiveX Install"; flow: to_server,established; uricontent:"/abx_search_webinstall/abx_search.cab"; nocase; reference:url,isc.sans.org/diary.php?date=2005-03-04; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001761; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ABX_Toolbar; sid: 2001761; rev:5;)

#By Matt Jonkman, From spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Abcsearch.com Spyware Reporting"; flow:established,to_server; uricontent:"/cgi-bin/search/mxml.fcgi?"; nocase; uricontent:"Terms="; nocase; uricontent:"&affiliate="; nocase; uricontent:"&subid="; nocase; uricontent:"&Hits_Per_Page="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Abcsearch.com; sid:2003438; rev:3;)

#Submitted by cooljay
alert tcp $EXTERNAL_NET 20 -> $HOME_NET any (msg:"ET MALWARE Abox Download"; flow: established,to_server; content:"|5c 00 43 00 61 00 72 00 6d 00 65 00 6e 00 00 00 16 00 00 00 73 00 75 00 63|"; nocase; offset: 160; depth: 26; tag: host,1,packets,src; flowbits: set,tagged; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001440; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Abox; sid: 2001440; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Abox Install Report"; flow: to_server,established; uricontent:"&time="; nocase; uricontent:"/new_install?id="; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.adultbox.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001441; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Abox; sid: 2001441; rev:11;)

#by Matt Jonkman from Listening Post Data
#Disabling, obsoleting. To be delleted in a month or so
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; uricontent:"/promo/affiframe.jsp?Pid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002353; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adultfriendfinder.com; sid:2002353; rev:4;)

#by Philipp Bescht
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advert-network.com Related Spyware Updating"; flow:established,to_server; uricontent:"/cnconfig.gz?ct="; uricontent:"&bp="; uricontent:"&vs="; uricontent:"&country="; uricontent:"&grp="; uricontent:"&tcpc="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advert-network.com; sid:2008419; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advert-network.com Related Spyware Checking for Updates"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/check.php?tcpc="; content:!"|0d 0a|User-Agent\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008425; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advert-network.com; sid:2008425; rev:2;)

#by Matt Jonkman
#spyware, from the sandnet
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Initial Checkin"; flow:to_server,established; uricontent:"?UID="; nocase; uricontent:"&DIST="; nocase; uricontent:"&NPR="; nocase; content:"User-Agent\: Microsoft URL Control"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007601; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertisementserver.com; sid:2007601; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Checkin"; flow:to_server,established; uricontent:"monitor.php"; nocase; uricontent:"?UID="; nocase; pcre:"/UID=\d+/Ui"; content:"User-Agent\: Microsoft URL Control"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertisementserver.com; sid:2007602; rev:4;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertising.com Data Post (villains)"; flow: to_server,established; uricontent:"/Games/villains.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001228; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertising.com_Bot; sid: 2001228; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertising.com Data Post (cakedeal)"; flow: to_server,established; uricontent:"/Games/cakedeal.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001230; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertising.com_Bot; sid: 2001230; rev:8;)
#From Listening Post data
#Hits on normal ads, not reporting data
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertising.com Reporting Data"; flow: to_server,established; pcre:"/\/site=\d+\/mnum=\d+\/bins=\d+\/rich=\d+\/logs=\d+\/betr=/Ui"; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.fastseek.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002304; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Advertising.com_Bot; sid: 2002304; rev:3;)

#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware Command Client Checkin"; flow: to_server,established; uricontent:"/client.php?str="; nocase; content:"User-Agent\: "; nocase; content:"Indy Library)"; within:30; nocase; classtype: policy-violation; reference:url,www.nuker.com/container/details/adware_command.php; reference:url,doc.emergingthreats.net/bin/view/Main/2003446; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adware_Command; sid: 2003446; rev:4;)

#by pedro Marinho
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Generic Adware Install Report"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/nsi_install.php?inst_result=success&aff_id="; uricontent:"&id=";nocase; reference:url,doc.emergingthreats.net/2010630; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adware_Command; classtype:trojan-activity; sid:2010630; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adwave Agent Access"; flow: to_server,established; uricontent:"/search_404.aspx?aff="; nocase; classtype: policy-violation; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001318; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adwave; sid: 2001318; rev:7;)

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wintools Download/Configure"; flow: to_server,established; uricontent:"/WTools"; nocase; uricontent:".cab"; nocase; classtype: trojan-activity; reference:url,www.intermute.com/spyware/HuntBar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001450; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Adwave; sid: 2001450; rev:11;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; content:".ak-networks.com"; nocase; within: 30; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001529; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Ak-networks.com; sid: 2001529; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ak-networks.com Spyware Code Download"; flow: to_server,established; uricontent:"/SyncAkSoft.da_"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001530; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Ak-networks.com; sid: 2001530; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ak-networks.com Spyware Code Install"; flow: to_server,established; uricontent:"/akcore.dl_"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001737; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Ak-networks.com; sid: 2001737; rev:6;)

#by Matt Jonkman from listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting URL"; flow:established,to_server; uricontent:"/image_server.cgi?size=small&url=http\:/"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002349; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Alexa; sid:2002349; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting"; flow:established,to_server; uricontent:"/data?"; nocase; uricontent:"cli="; nocase; uricontent:"&dat="; nocase; uricontent:"&ver="; nocase; uricontent:"&uid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003219; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Alexa; sid:2003219; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Reporting URL Visited"; flow:established,to_server; uricontent:"/data/"; nocase; uricontent:"&cli="; nocase; uricontent:"&dat="; nocase; uricontent:"&ver="; nocase; uricontent:"&url="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003606; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Alexa; sid:2003606; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Alexa Spyware Redirecting User"; flow:established,to_server; uricontent:"/redirect?http"; nocase; content:"Host\: redirect.alexa.com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003619; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Alexa; sid:2003619; rev:3;)

#Modified and added to by Matt Jonkman (Original author missing)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Altnet PeerPoints Manager Start"; flow: to_server,established; uricontent:"/pm/start.asp"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000906; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Altnet_Peerpoint_Manager_Traffic; sid: 2000906; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Altnet PeerPoints Manager Data Submission"; flow: to_server,established; uricontent:"/backoffice.net/stats/Add.aspx"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000598; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Altnet_Peerpoint_Manager_Traffic; sid: 2000598; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Altnet PeerPoints Manager Settings Download"; flow: to_server,established; uricontent:"/pointsmanager/settings.cab?"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000907; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Altnet_Peerpoint_Manager_Traffic; sid: 2000907; rev:9;)

#fake antispyware package, sig by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Anti-virus-pro.com Fake AV Checkin"; flow:established,to_server; uricontent:"/stat.php?machine_id={"; nocase; pcre:"/machine_id={[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007886; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Anti-virus-pro.com; sid:2007886; rev:2;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres Agent Receiving Instructions"; flow: to_server,established; uricontent:"/ie/updatenew/"; content:"CONFIG"; nocase; reference:url,www.avres.net; reference:url,ar.avres.net/ie/updatenew/; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000903; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Avres; sid: 2000903; rev:6;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BTGrab.com Spyware Downloading Ads"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent:"adcontext="; nocase; reference:url,www.btgrab.com; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090726; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_BTGrab.com; sid: 2001999; rev:7;)

#Matt Jonkman from spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Reporting"; flow:to_server,established; uricontent:"/update/barcab/"; nocase; classtype:policy-violation; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003340; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Pulling Content"; flow:to_server,established; uricontent:"/update/cab/loadmovie.swf"; nocase; content:"bar.baidu.com"; nocase; classtype:policy-violation; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003341; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003341; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Pulling Data"; flow:to_server,established; uricontent:"/cpro/ui/ui"; nocase; content:"baidu.com"; nocase; content:!"Referer\: "; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003578; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003578; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Bar Activity"; flow:to_server,established; uricontent:"/n?cmd="; nocase; uricontent:"&class="; nocase; uricontent:"&pn="; nocase; uricontent:"&tn"; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003605; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003605; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Baidu.com Spyware Sobar Bar Activity"; flow:to_server,established; uricontent:"/sobar/sobar"; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/BaiDu/; reference:url,doc.emergingthreats.net/bin/view/Main/2003630; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Baidu.com; sid:2003630; rev:3;)

#by Jeremy at sudosecure.net
#ref: c182bfbaff0a5187c95020d4ae602ac0
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adaware.BarACE Checkin and Update"; flow:established,to_server; content:"GET "; depth:4; uricontent:"|2E|php|3F|zone="; nocase; uricontent:"|26|name="; nocase; uricontent:"|26|bpid="; nocase; uricontent:"|26|bnum="; nocase; uricontent:"|26|pid="; nocase; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-021714-2431-99&tabid=2; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008318; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_BarAce; sid:2008318; rev:3;)

#Submitted by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bargain Buddy"; flow: to_server,established; uricontent:"/download/bargin_buddy"; nocase; reference:url,www.doxdesk.com/parasite/BargainBuddy.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000574; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bargain_Buddy; sid: 2000574; rev:9;)

#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Beautyscreens.com Related Spyware Install Success Report"; flow:established,to_server; uricontent:"ip="; nocase; uricontent:"&id="; nocase; uricontent:"&sid="; nocase; uricontent:"&snip="; nocase; uricontent:"&itemname="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008018; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Beautyscreens.com; sid:2008018; rev:2;)

#By John Stewart
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Begin2Search.com Spyware"; flow: to_server,established; content:"/cgi-bin/fav_del.fcgi?id"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.begin2search.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001885; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Begin2Search; sid: 2001885; rev:6;)

#Matt Jonkman, caught off of fastmp3search.com.ar
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Checkin"; flow:established,to_server; uricontent:"/checkin.php?"; nocase; uricontent:"unq="; nocase; uricontent:"version="; nocase; content:"User-Agent\: Opera "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003209; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Best-Targeted-Traffic.com; sid:2003209; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Install"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"&pais="; nocase; uricontent:"unq="; nocase; content:"User-Agent\: Opera "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003210; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Best-Targeted-Traffic.com; sid:2003210; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Best-targeted-traffic.com Spyware Ping"; flow:established,to_server; uricontent:"/ping.php?"; nocase; uricontent:"ul=http"; nocase; uricontent:"unq="; nocase; content:"User-Agent\: Opera "; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003211; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Best-Targeted-Traffic.com; sid:2003211; rev:3;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Checkin"; flow:established,to_server; uricontent:"/adv/"; nocase; uricontent:"/adload.php?a1="; nocase; uricontent:"&a2=Type of Processor\:"; nocase; uricontent:"&a3=Windows version is "; nocase; uricontent:"&a4=Build\:"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2002955; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Downloading vxgame"; flow:established,to_server; uricontent:"/vxgame1/vxv.php"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002956; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2002956; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Initial Infection Download"; flow:established,to_server; uricontent:"/win32.exe"; nocase; pcre:"/\/adv\/\d+\/win32\.exe/Ui"; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002957; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2002957; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Exploit Download"; flow:established,to_server; uricontent:"/sploit.anr"; nocase; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2003153; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bestcount.net Spyware Data Upload"; flow:established,to_server; uricontent:"/objects/ocget.dll"; nocase; content:"mybest"; nocase; depth:150; reference:url,reports.internic.net/cgi/whois?whois_nic=bestcount.net&type=domain; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003154; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bestcount.net; sid:2003154; rev:4;)

#Submitted by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (download complete)"; flow: to_server,established; uricontent:"/download/cabs/"; nocase; uricontent:"download_complete.htm"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000366; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2000366; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (set_pix)"; flow: to_server,established; uricontent:"/download/cabs/set_pix.php"; nocase; content:"abetterinternet.com"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2000367; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet (randreco.exe)"; flow: to_server,established; uricontent:"/download/cabs/RANDRECO/randreco.exe"; nocase; content:"abetterinternet.com"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000371; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2000371; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Binet Ad Retrieval"; flow: to_server,established; uricontent:"/bba/flashimages/"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000593; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2000593; rev:7;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Download Attempt"; flow: to_server,established; uricontent:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001198; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001198; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Ad Retrieval"; flow: to_server,established; uricontent:"/twain/servlet/Twain?adcontext="; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001199; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001199; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Twaintec Reporting Data"; flow: to_server,established; uricontent:"/downloads/record_download.asp"; nocase; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001216; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001216; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BInet Information Upload"; flow: to_server,established; uricontent:"/bi/servlet/ThinstallPre"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001339; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001339; rev:7;)
#Data from Allison Macfarland
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE BInet Information Install Report"; flow: to_server,established; uricontent:"/bi/servlet/ThinstallPost"; nocase; reference:url,sarc.com/avcenter/venc/data/pf/adware.betterinternet.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001576; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Betterinternet; sid: 2001576; rev:6;)

#Submitted by Matt Jonkman
# Disabling this rule, it needs work. It's hitting on legit ad referrals
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bfast.com Spyware"; flow: to_server,established; uricontent:"/bfast/serve?bfmid"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001398; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bfast.com; sid: 2001398; rev:7;)

#from spyware LP data, by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bizconcept.info Spyware Checkin"; flow:to_server,established; content:"POST "; depth:5; nocase; uricontent:"/zuzu.php?&r="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2005319; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bizconcept.info; sid:2005319; rev:3;)

#Submitted by Allison MacFarlan
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bonziportal Traffic"; flow: to_server,established; uricontent:"/bonziportal/bin/"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59256; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bonzi; sid: 2001345; rev:7;)

#by Jeffrey Brown
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Borlander Adware Checkin"; flow:to_server,established; content:"GET "; depth:4; nocase; uricontent:"?t="; nocase; uricontent:"&i="; nocase; uricontent:"&v="; nocase; uricontent:"&d="; nocase; uricontent:"&a="; nocase; uricontent:"&n="; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2008736; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Borlander.com.cn; sid:2008736; rev:2;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bravesentry.com Fake Antispyware Download"; flow:established,to_server; uricontent:"/bravesentry.exe"; nocase; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002954; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bravesentry; sid:2002954; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bravesentry.com Fake Antispyware Updating"; flow:established,to_server; uricontent:"/update.php?v="; nocase; uricontent:"&d="; nocase; uricontent:"&vs="; nocase; content:!"User-Agent\: "; content:"Host\: "; content:".bravesentry.com"; distance:0; nocase; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003541; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bravesentry; sid:2003541; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bravesentry.com/Protectwin.com Fake Antispyware Reporting"; flow:established,to_server; uricontent:"/download.php?&advid="; nocase; uricontent:"&u="; nocase; uricontent:"&p="; nocase; content:!"User-Agent\: "; content:"Host\: "; content:".bravesentry.com"; distance:0; nocase; reference:url,www.bravesentry.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=BraveSentry&threatid=44152; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003542; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bravesentry; sid:2003542; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Browseraid.com Agent Reporting Data"; flow: to_server,established; uricontent:"/perl/ads.pl"; nocase; reference:url,www.browseraid.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001266; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Browseraid; sid: 2001266; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Browseraid.com Agent Updating"; flow: to_server,established; uricontent:"/perl/uptodate.pl"; nocase; content:"uptodate.browseraid.com"; nocase; reference:url,www.browseraid.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001304; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Browseraid; sid: 2001304; rev:7;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; content:"Host\: www.bullseye-network.com"; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.bargainbuddy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bullseye-Network.com; sid: 2001501; rev:6;)

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware Download"; flow: to_server,established; uricontent:"/app/InternetFuel/AppWrap.exe"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001451; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bundleware; sid: 2001451; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware CHM Download"; flow: to_server,established; content:"Referer\: ms-its\:mhtml\:file\://C\:counter.mht!http\://"; nocase; content:"/counter/HELP3.CHM\:\:/help.htm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001452; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bundleware; sid: 2001452; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Bundleware Spyware cab Download"; flow: to_server,established; uricontent:"/counter/counter_v3.cab"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Bundleware; sid: 2001458; rev:5;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE C4tdownload.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; content:".c4tdownload.com"; within:26; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001531; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_C4tdownload.com; sid: 2001531; rev:12;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE C4tdownload.com Spyware Activity"; flow: to_server,established; uricontent:"/js.php?event_type=onload&recurrence="; nocase; classtype: trojan-activity; reference:url,sarc.com/avcenter/venc/data/adware.clickdloader.b.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002088; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_C4tdownload.com; sid: 2002088; rev:5;)

#from sandnet analysis, called CASClient by Kaspersky
#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CASClient Spyware/Adware Install Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/chkmac.php?mac="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006403; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CASClient; sid:2006403; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CASClient Spyware/Adware Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/ctrv.php"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006404; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CASClient; sid:2006404; rev:3;)


#By Matt Jonkman, From spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity"; flow:established,to_server; uricontent:"/download/CnsMin"; nocase; uricontent:"?t="; nocase; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003417; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CNSMIN; sid:2003417; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity 2"; flow:established,to_server; uricontent:"/download/CnsUp"; nocase; uricontent:"?t="; nocase; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003418; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CNSMIN; sid:2003418; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CNSMIN (3721.com) Spyware Activity 3"; flow:established,to_server; uricontent:"/download/autolvsw.ini?"; nocase; uricontent:"?t="; nocase; reference:url,www.spyany.com/program/article_spy_rm_CnsMin.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CNSMIN; sid:2003419; rev:3;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS qck.cc Spyware Installer (in.php)"; flow:established,to_server; uricontent:"/x/in.php?wm="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002089; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002089; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS qck.cc Spyware Installer (web.php)"; flow:established,to_server; uricontent:"/x/tbd_web.php?wm="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002095; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002095; rev:5;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS Trafcool.biz Related Installer"; flow:established,to_server; uricontent:"/progs_traff/"; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002931; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002931; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS Related Installer"; flow:established,to_server; uricontent:"/livesupport/image_tracker.php?"; nocase; uricontent:"l=support&"; nocase; uricontent:"x=1&"; nocase; uricontent:"deptid=1&"; nocase; uricontent:"&page=http"; nocase; uricontent:"&unique="; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002932; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002932; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CWS Spy-Sheriff.com Infeced Buy Page Request"; flow:established,to_server; uricontent:"/?advid="; nocase; content:"spy-sheriff.com"; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076035; reference:url,doc.emergingthreats.net/bin/view/Main/2002933; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CWS; sid:2002933; rev:3;)
#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spywaremover Activity"; flow: to_server,established; uricontent:"/download/cabs/THNALL1L/thnall1l.exe"; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087903; reference:url,doc.emergingthreats.net/bin/view/Main/2001521; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Callinghome.biz; sid: 2001521; rev:10;)

#by Deapesh Misra
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Spyware Reporting URL Visited 3"; flow: to_server,established; uricontent:"/sd?";nocase; pcre:"/\/sd\?s=\d+&f=\d&C=\d/Ui"; classtype: trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Casalemedia.com; reference:url,doc.emergingthreats.net/2009880; sid:2009880; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casalemedia Spyware Reporting URL Visited 2"; flow: to_server,established; uricontent:"/sd?";nocase; pcre:"/\/sd\?s=\d+&f=\d/Ui"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002196; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Casalemedia.com; sid:2002196; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Install"; flow: to_server,established; uricontent:"/newdownload/newsetup/"; nocase; content:"casinone"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001041; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CasinoonNet; sid: 2001041; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Reporting Data"; flow: to_server,established; uricontent:"/logs.asp?MSGID=100"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001031; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CasinoonNet; sid: 2001031; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Ping Hit"; flow: to_server,established; uricontent:"/Ping/Ping.txt"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001032; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CasinoonNet; sid: 2001032; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Casino on Net Data Download"; flow: to_server,established; uricontent:"/sdl/casinov"; nocase; reference:url,www.888casino.net; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CasinoonNet; sid: 2001033; rev:7;)

#Matt Jonkman from spywarelp data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Catchonlife.com Spyware"; flow: to_server,established; uricontent:"/nw3/r1.txt?"; content:"catchonlife"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003358; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Catchonlife.com; sid:2003358; rev:3;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting Successful Install"; flow: to_server,established; uricontent:"/notify.php?pid=remupd&module=install&v="; nocase; content:"&result=1&message=Success"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001494; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Clickspring.net; sid: 2001494; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Clickspring.net Spyware Reporting"; flow: to_server,established; uricontent:"/notify.php?pid=ctxad&module=NDrvExe&v="; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082745; reference:url,doc.emergingthreats.net/bin/view/Main/2001500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Clickspring.net; sid: 2001500; rev:6;)

#by Matt Jonkman from spyware listeningpost data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Cnzz.com/Baidu Related Spyware Stat Reporting"; flow:established,to_server; uricontent:"/stat.php?id="; nocase; uricontent:"&web_id="; nocase; content:"Host\:"; nocase; content:!"Referer\: "; nocase; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_140364.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003607; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Cnzz.com; sid:2003607; rev:7;)

#Submitted by Jason Haar, modified
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Traffic"; flow: to_server,established; uricontent:"/cc/"; content:"Host\: update.cc.cometsystems.com"; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000931; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2000931; rev:7;)

#Submitted by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CometSystems Spyware"; flow: to_server,established; uricontent:"/comet/request"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001050; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2001050; rev:7;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Traffic (context.xml)"; flow: to_server,established; uricontent:"/context/1/up_context_1.xml"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083029; reference:url,doc.emergingthreats.net/bin/view/Main/2001655; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2001655; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Reporting"; flow: to_server,established; content:"Host\: log.cc.cometsystems.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001658; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2001658; rev:5;)
#from Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Update Download"; flow: to_server,established; uricontent:"/cc/5/masterconfig/"; nocase; uricontent:"/update.xml?v="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002351; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2002351; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Context Report"; flow: to_server,established; uricontent:"/context/1/up_context_1.xml?v="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002352; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2002352; rev:3;)

#from spywarelp data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Comet Systems Spyware Cursor DL"; flow: to_server,established; uricontent:"/czcontent/cursor"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Comet_Cursor_Spyware; sid: 2003307; rev:3;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Conduit Connect Toolbar Message Download(Many report to be benign)"; flow: to_server,established; uricontent:"/Message/"; content:"User-Agent\: EI"; nocase; pcre:"/\/Message\/\S+\/\S+\.xml/Ui"; reference:url,www.conduit.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003218; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Conduit_Connect; sid: 2003218; rev:3;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com Spyware Install"; flow: to_server,established; uricontent:"/getexe/?wmid="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003074; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Contentloader.com; sid: 2003074; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com Spyware Install 2"; flow: to_server,established; uricontent:"/getdata/getdata.php?wmid="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003075; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Contentloader.com; sid: 2003075; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Content-loader.com (ownusa.info) Spyware Install"; flow: to_server,established; uricontent:"/fdial2.php?o="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003076; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Contentloader.com; sid: 2003076; rev:3;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Context Plus Spyware Install"; flow: established,to_server; uricontent:"/AproposClientInstaller.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001704; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ContextPlus.net; sid: 2001704; rev:6;)

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ContextPanel Reporting"; flow: to_server,established; uricontent:"/cplog/?logtype="; nocase; content:"contextpanel.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001456; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Contextpanel; sid: 2001456; rev:5;)

#by Jacob Kitchel
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CoolDeskAlert Spyware Activity"; flow:to_server,established; uricontent:"/alert/get_xml"; nocase; content:"deskbar_id={"; nocase; reference:url,cooldeskalert.com; reference:url,www.benedelman.org/spyware/images/bannerfarms-ad_w_a_r_e-globalstore-log-061006.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003462; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CoolDeskAlert; sid:2003462; rev:3;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Coolsearch Spyware Install"; flow: to_server,established; content:"coolsearch.biz/united.htm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001479; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Coolsearch; sid: 2001479; rev:7;)

#from Lance James and Secure Science www.securescience.net -- Thanks Lance!
#too many falses...
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Blind Data Upload"; flow:to_server,established; uricontent:"/images/data.php?"; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002774; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002774; rev:3;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net BlackListed Malicious Domain - google.vc"; flow:to_server,established; content:"Host\:"; nocase; content:"google.vc"; nocase; within:30; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002765; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002765; rev:4;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net BlackList - pcpeek"; flow:to_server,established; content:"Host\:"; nocase; content:"pcpeek-webcam-sex.com"; nocase; within:40; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002766; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002766; rev:4;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Distribution - bos.biz"; flow:to_server,established; content:"Host\:"; nocase; content:"businessopportunityseeker.biz"; nocase; within:50; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002767; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002767; rev:4;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Distribution - fesexy"; flow:to_server,established; content:"Host\:"; nocase; content:"fesexy.net"; nocase; within:20; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002768; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002768; rev:4;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Distribution - studiolacase"; flow:to_server,established; content:"Host\:"; nocase; content:"studiolacase.com"; nocase; within:30; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002769; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002769; rev:5;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net - msits.exe access"; flow:to_server,established; uricontent:"/msits.exe"; nocase; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002770; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002770; rev:3;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net - msys.exe access"; flow:to_server,established; uricontent:"/msys.exe"; nocase; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002771; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Corpsespyware; sid:2002771; rev:3;)

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Couponage Download"; flow: to_server,established; uricontent:".dl_"; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001453; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Couponage; sid: 2001453; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Couponage Configure"; flow: to_server,established; content:".da_"; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001454; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Couponage; sid: 2001454; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Couponage Reporting"; flow: to_server,established; content:"/?keyword="; nocase; content:"couponage.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090725; reference:url,doc.emergingthreats.net/bin/view/Main/2001455; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Couponage; sid: 2001455; rev:6;)

#From Vernon Stark
#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; content:"MZ"; isdataat: 76,relative; content:"This program cannot be run in DOS mode"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001683; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid: 2001683; rev:8;)
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send image, Win32"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a|MZ"; isdataat: 76,relative; content:"This program must be run under Win32"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001684; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2001684; rev:9;)
alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type|3a| image"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001685; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2001685; rev:7;)
alert tcp $EXTERNAL_NET !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send Javascript"; flow: established,from_server; content:"|0d 0a|Content-Type|3a| application/"; content:"javascript|0d 0a|"; within:14; content:"|0d 0a 0d 0a|MZ"; within: 40; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008367; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008367; rev:4;)

#deapesh misra
alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow: established,from_server; content:"Content-Type|3a| text/plain"; content:"|0d 0a|MZ"; within: 12; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008438; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow: established,from_server; content:"Content-Type|3a| text/html|0d 0a|"; content:"|0d 0a|MZ"; within: 100; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2009897; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2009897; rev:2;)

#from vienna
alert tcp any !20 -> $HOME_NET !25 (msg:"ET MALWARE Possible Rar'd Malware sent when remote host claims to send an Image"; flow:established,from_server; content:"Content-Type|3a| image/"; content:"|0d 0a|Rar!"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008754; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2008754; rev:2;)

# by: Deapesh Misra
alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type\: text/css|0d 0a|"; content:"|0d 0a|MZ"; within:500; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2009909; rev:1;)

#by evilghost
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .txt file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".txt"; nocase; pcre:"/\.txt$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010500; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010500; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .cfg file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".cfg"; nocase; pcre:"/\.cfg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010501; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010501; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .bin file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".bin"; nocase; pcre:"/\.bin$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010502; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010502; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Executable purporting to be .jpg file with no Referrer - Likely Malware"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".jpg"; nocase; pcre:"/\.jpg$/Ui"; flowbits:set,ET.hidden.exe; flowbits:noalert; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-072313-3630-99; reference:url,doc.emergingthreats.net/2010503; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Covert_Executable_DL; sid:2010503; rev:2;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CrazyWinnings.com Activity"; flow: established,to_server; uricontent:"/scripts/protect.php?promo=promo"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001733; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_CrazyWinnings.com; sid: 2001733; rev:5;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Default-homepage-network.com Access"; flow: to_server,established; content:"wsh.RegWrite"; nocase; content:"default-homepage-network.com/start.cgi?"; nocase; reference:url,default-homepage-network.com/start.cgi?new-hkcu; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Default-Homepage-Network; sid: 2001222; rev:8;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (payload)"; flow: established,to_server; uricontent:"/in/payload/payload.nfo?"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002816; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Delfin; sid:2002816; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (setup)"; flow: established,to_server; uricontent:"/in/defaults/setup.nfo?"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002817; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Delfin; sid:2002817; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (setup-alt)"; flow: established,to_server; uricontent:"/in/defaults/setup-alt.nfo?"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003472; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Delfin; sid:2003472; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DelFin Project Spyware (payload-alt)"; flow: established,to_server; uricontent:"/in/payload/payload-alt.nfo?"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003473; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Delfin; sid:2003473; rev:3;)

#submitted by John Stewart
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE DesktopTraffic Toolbar Spyware"; flow: to_server,established; uricontent:"cgi-bin/ezl_kws.fcgi?cat"; nocase; reference:url,research.spysweeper.com/threat_library/threat_details.php?threat=desktoptraffic.net_hijack; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001884; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_DeskTopTraffic; sid: 2001884; rev:3;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deskwizz.com Spyware Install INI Download"; flow: to_server,established; uricontent:"/GetAd/tekID"; nocase; uricontent:".ini"; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Deskwizz.com; sid: 2003445; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Deskwizz.com Spyware Install Code Download"; flow: to_server,established; uricontent:"/ax/acdt-pid"; nocase; uricontent:".exe"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003444; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Deskwizz.com; sid: 2003444; rev:3;)

#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Direct-web.co.kr Related Spyware Checkin"; flow:established,to_server; uricontent:".php?appname="; nocase; uricontent:"&appseq="; nocase; uricontent:"&mac="; nocase; uricontent:"&type="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007978; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Direct-web.co.kr; sid:2007978; rev:2;)

#this is for the recent rash of .co.kr fake antispyware products we're seeing.
#doctorpro.co.kr, karine.co.kr, Vaccineprogram.co.kr, Mycashbank.co.kr, etc. There will surely be more. Similar url patterns though
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Install Checkin"; flow:established,to_server; uricontent:"/install_count.html?id="; nocase; uricontent:"&MAC="; nocase; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006425; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006425; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin"; flow:established,to_server; uricontent:"/access_count.html?id="; nocase; uricontent:"&MAC="; nocase; pcre:"/MAC=0\w-\w\w-\w\w-\w\w-\w\w-\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006426; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006426; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Mac Check"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/nchkmac.php?mac=0"; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006427; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006427; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (open)"; flow:established,to_server; uricontent:"/open.php?sn="; nocase; pcre:"/sn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006428; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006428; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/chkblack.php?mac=0"; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006431; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006431; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Checkin (ret)"; flow:established,to_server; uricontent:"/ret.php?"; nocase; uricontent:"mode="; nocase; uricontent:"&cname="; nocase; uricontent:"&cn="; nocase; pcre:"/cn=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006432; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006432; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Doctorpro.co.kr Related Fake Anti-Spyware Post (api_result)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ctrl/api_result.php?"; nocase; uricontent:"mode="; nocase; uricontent:"&PartID="; nocase; uricontent:"&mac="; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2006433; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2006433; rev:4;)

#more from the same folks
#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Viruscheck.co.kr Related Fake Anti-Spyware Post (chkvs)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/chkvs.php?mac=0"; nocase; pcre:"/mac=0\w\:\w\w\:\w\w\:\w\w\:\w\w\:\w\w/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007642; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Doctorpro_and_Related; sid:2007642; rev:4;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dollarrevenue.com Spyware Code Download"; flow:established,to_server; uricontent:"/bundle/drsmartload.exe"; nocase; reference:url,dollarrevenue.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002967; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Dollarrevenue.net; sid:2002967; rev:3;)

#by Scot Melnick
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TROJAN_VB Microjoin"; flow:established,to_server; uricontent:"/bundle/loader.exe"; nocase; reference:url,de.trendmicro-europe.com/consumer/vinfo/encyclopedia.php?VName=TROJ_VB.AWW; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003084; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Dropper.Microjoin; sid:2003084; rev:3;)

#by Matt Jonkman, from Spyware Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Dropspam.com Spyware Reporting"; flow:established,to_server; uricontent:"/reportaddon.cgi?"; nocase; uricontent:"report.cgi?"; nocase; uricontent:"user="; nocase; uricontent:"software="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003440; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Dropspam.com; sid:2003440; rev:3;)

#matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Downloading IeBHOs.dll"; flow: to_server,established; uricontent:"/downloads/IeBHOs.dll"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001415; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001415; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Reporting Install"; flow: to_server,established; uricontent:"/count/count.php?&mm"; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001416; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001416; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Receiving Config"; flow: to_server,established; uricontent:"/config/?"; nocase; uricontent: "v=5"; nocase; uricontent: "n=mm2"; nocase; uricontent: "i="; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001417; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001417; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Downloading Code"; flow: to_server,established; uricontent:"/soft/unstall.exe"; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001418; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001418; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Reporting"; flow: to_server,established; uricontent:"/count/count.php?&mm2cpr"; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001423; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid:2001423; rev:7;)

#from spyware listening post hits
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Spyware Reporting (check url)"; flow: to_server,established; uricontent:"/go/check?build="; nocase; uricontent:"&source="; nocase; uricontent:"&merchants="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003504; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_E2give.com; sid: 2003504; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ESyndicate Spyware Install (esyndicateinst.exe)"; flow: to_server,established; uricontent:"/files/eSyndicateInst.exe"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002009; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ESyndicate; sid: 2002009; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ESyndicate Spyware Install (sepinst.exe)"; flow: to_server,established; uricontent:"/files/SEPInst.exe"; nocase; classtype: trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094058; reference:url,doc.emergingthreats.net/bin/view/Main/2002010; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ESyndicate; sid: 2002010; rev:6;)

#By Matt Jonkman, From spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting Search Strings"; flow:established,to_server; uricontent:"/partner/rt.php?q="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002317; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_EZSearch; sid:2002317; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting Search Category"; flow:established,to_server; uricontent:"/partner/rt.php?cat="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002318; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_EZSearch; sid:2002318; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EZSearch Spyware Reporting 2"; flow:established,to_server; uricontent:"/partner/bom.php?e="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002319; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_EZSearch; sid:2002319; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ebates Install"; flow: to_server,established; uricontent:"/ebates.exe"; reference:url,www.pestpatrol.com/PestInfo/e/ebates_moneymaker.asp; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001038; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Ebates_Moe_Money_Maker; sid: 2001038; rev:7;)

#from spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware Checkin"; flow:established,to_server; uricontent:"/iis2ebs.asp"; nocase; content:"effectivebrands.com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003304; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Effectivebrands.com; sid:2003304; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Effectivebrands.com Spyware Checkin 2"; flow:established,to_server; uricontent:"/iis2ucms.asp"; nocase; content:"effectivebrands.com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003360; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Effectivebrands.com; sid:2003360; rev:3;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Elitemediagroup.net Spyware Config Download"; flow:established,to_server; uricontent:"/bundle.php?aff="; nocase; reference:url,elitemediagroup.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002966; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Elitemediagroup.net; sid:2002966; rev:3;)
#By Matt Jonkman, From spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Epilot.com Spyware Reporting"; flow:established,to_server; uricontent:"/getresults.aspx"; nocase; uricontent:"?aff="; nocase; uricontent:"&ip="; nocase; uricontent:"&keyword="; nocase; uricontent:"&source="; nocase; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003414; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Epilot.com; sid:2003414; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Epilot.com Spyware Reporting Clicks"; flow:established,to_server; uricontent:"/click.aspx?"; nocase; uricontent:"?xp="; nocase; content:"Host\: "; nocase; content:"epilot.com"; nocase; distance:0; reference:url,www.intermute.com/spysubtract/researchcenter/ClientMan.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003416; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Epilot.com; sid:2003416; rev:3;)

#matt Jonkman from Spyware LP Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Evidencenuker.com Fake AV Updating"; flow:established,to_server; uricontent:"/products/evidencenuker/update.php?version="; nocase; reference:url,www.evidencenuker.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003568; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_EvidenceNuker.com; sid:2003568; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Install Attempt"; flow: to_server,established; uricontent:"/f1/objects/"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000585; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_F1Organizer.com; sid: 2000585; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Reporting"; flow: to_server,established; uricontent:"/f1/audit/"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000582; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_F1Organizer.com; sid: 2000582; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE F1Organizer Config Download"; flow: to_server,established; uricontent:"/F1/Cmd4F1"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001221; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_F1Organizer.com; sid: 2001221; rev:6;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Featured-Results.com Agent Reporting Data"; flow: to_server,established; uricontent:"action=any"; nocase; uricontent:"country="; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/.*perl\/fr\.pl/i"; reference:url,www.featured-results.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001293; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Featured-results; sid: 2001293; rev:9;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Findwhat.com Spyware (clickthrough)"; flow: to_server,established; uricontent:"/bin/findwhat.dll?clickthrough&"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003579; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Findwhat.com; sid:2003579; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Findwhat.com Spyware (sendtracker)"; flow: to_server,established; uricontent:"/bin/findwhat.dll?sendtracker&"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003580; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Findwhat.com; sid:2003580; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Findwhat.com Spyware (sendmedia)"; flow: to_server,established; uricontent:"/bin/findwhat.dll?sendmedia&"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Findwhat.com; sid:2003581; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FlashPoint Agent Retrieving New Code"; flow: to_server,established; uricontent:"/ftxmon.php?"; reference:url,www.flashpoint.bm; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000905; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_FlashPoint; sid: 2000905; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE FlashTrack Agent Retrieving New App Code"; flow: to_server,established; uricontent:"/apps/r.exe"; reference:url,www.flashpoint.bm; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000936; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_FlashPoint; sid: 2000936; rev:7;)

#matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Flingstone Spyware Install (cxtpls)"; flow: established,to_server; uricontent:"/softwares/cxtpls_loader_ff.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001710; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Flingstone; sid: 2001710; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Flingstone Spyware Install (sportsinteraction)"; flow: established,to_server; uricontent:"/softwares/SportsInteraction.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winfavorites.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Flingstone; sid: 2001705; rev:8;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Install)"; flow: to_server,established; uricontent:"/checkhttp.htm"; nocase; content:"User-Agent\: Wise"; nocase; content:"freeze.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002840; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Freeze.com; sid: 2002840; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Install Registration)"; flow: to_server,established; uricontent:"/ping/?shortname="; nocase; content:"User-Agent\: Wise"; nocase; content:"freeze.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002841; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Freeze.com; sid: 2002841; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware/Adware (Pulling Ads)"; flow: to_server,established; uricontent:"/ToastMessage/"; nocase; uricontent:"/Toast.asp?ysaid="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003362; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Freeze.com; sid: 2003362; rev:3;)

# by: Jeremy Conway at sudosecure.net
# ref: f6a78be315d98ba8df4e72296ac8ec0c
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W3i Related Adware/Spyware"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"shortname="; nocase; uricontent:"os="; nocase; uricontent:"v="; nocase; uricontent:"browsers="; nocase; uricontent:"readable="; nocase; classtype:trojan-activity; reference:url,www.tallemu.com/oasis2/vendor/w3i__llc/623302; reference:url,doc.emergingthreats.net/2009705; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Freeze.com; sid:2009705; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Install"; flow: to_server,established; uricontent:"/install_ie.jsp?product="; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000599; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2000599; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products SmileyCentral"; flow: to_server,established; uricontent:"/images/smileycentral/"; nocase; content:"FunWebProducts"; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001013; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2001013; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Agent Traffic"; flow: to_server,established; content:"FunWebProducts\;"; nocase; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2001034; rev:16;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products MyWay Agent Traffic"; flow: to_server,established; content:"FunWebProducts-MyWay\;"; nocase; threshold: type limit, track by_src, count 10, seconds 60; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001043; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2001043; rev:10;)
#From Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Smileychooser Spyware"; flow: to_server,established; uricontent:"/SmileyChooser.html?"; nocase; uricontent:"v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002305; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2002305; rev:6;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Smileychooser Spyware"; flow: to_server,established; uricontent:"/SmileyChooser.html?"; nocase; uricontent:"v="; nocase; reference:url,www.funwebproducts.com; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002310; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid:2002310; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Cursorchooser Spyware"; flow: to_server,established; uricontent:"/CursorChooser.html?"; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2002306; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Stampchooser Spyware"; flow: to_server,established; uricontent:"/StampChooser.html?"; nocase; uricontent: "v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2002307; rev:5;)

#by Shirkdog
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products StationaryChooser Spyware"; flow: to_server,established; uricontent:"/StationeryChooser.html?"; nocase; uricontent: "v="; nocase; reference:url,www.funwebproducts.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002858; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2002858; rev:3;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products SmileyCentral IEsp2 Install"; flow: to_server,established; uricontent:"/download/install_ie_sp2.jhtml?"; nocase; uricontent:"product="; nocase; uricontent:"utmCall="; nocase; uricontent:"bOrganic="; nocase; reference:url,www.myfuncards.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003151; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Fun_Web_Products; sid: 2003151; rev:3;)
#Matt Jonkman from Spyware LP Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gamehouse.com Activity"; flow: to_server,established; uricontent:"/game-quit-count.jsp?ghgamecode="; reference:url,www.gamehouse.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gamehouse.com; sid: 2003348; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator Cookie"; flow: to_server,established; content:"webpdpcookie"; content:".gator.com"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000025; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid: 2000025; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator Checkin"; flow: to_server,established; uricontent:"/gbsf/"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000595; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid: 2000595; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator New Code Download"; flow: to_server,established; uricontent:"/gatorcme/"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000597; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid: 2000597; rev:7;)

#Matt Jonkman (depth added by bobkberg)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Claria Data Submission"; flow: to_server,established; content:"POST "; depth:5; uricontent:"gs_trickler"; nocase; classtype: policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000596; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid: 2000596; rev:12;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Clarian Agent"; flow: to_server,established; uricontent:"/gbsf/"; nocase; uricontent:"gtrg2ze"; nocase; classtype:policy-violation; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2001306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid:2001306; rev:9;)

#Matt Jonkman, from spyware LP Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator/Clarian Spyware Posting Data"; flow: to_server,established; uricontent:"/gs_med"; nocase; classtype:trojan-activity; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2003575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gator_Agent; sid:2003575; rev:4;)

#These are for common names of malcode files as seen in common places.
#Matt Jonkman
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; uricontent:".scr"; nocase; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001850; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Requests; sid: 2001850; rev:8;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; uricontent:".exe"; nocase; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|Vacina-Norton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002093; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Requests; sid: 2002093; rev:5;)

#Submitted by Joseph Gama
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET MALWARE IE homepage hijacking"; flow: from_server,established; content:"wsh.RegWrite"; nocase; content:"HKLM\\\\Software\\\\Microsoft\\\\Internet Explorer\\\\Main\\\\Start Page"; nocase; reference:url,www.geek.com/news/geeknews/2004Jun/gee20040610025522.htm; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2000514; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Spyware_Install; sid: 2000514; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE shell browser vulnerability W9x/XP"; flow: from_server,established; content:"shell\:windows"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2000519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Spyware_Install; sid: 2000519; rev:8;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE shell browser vulnerability NT/2K"; flow: from_server,established; content:"shell\:winnt"; nocase; reference:url,www.packetfocus.com/shell_exploit.htm; classtype: misc-attack; reference:url,doc.emergingthreats.net/bin/view/Main/2000520; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_General_Spyware_Install; sid: 2000520; rev:8;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer"; flow: to_server,established; content:"Host\: www.globalphon.com"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001656; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GlobalPhon; sid: 2001656; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer Download"; flow: to_server,established; uricontent:"/dialer/internazionale_ver"; nocase; uricontent:".CAB"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001657; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GlobalPhon; sid: 2001657; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer (no_pop)"; flow: to_server,established; uricontent:"/no_pop.asp?"; nocase; uricontent: "id="; nocase; content:"globalphon.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001659; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GlobalPhon; sid: 2001659; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GlobalPhon.com Dialer (add_ocx)"; flow: to_server,established; uricontent:"/add_ocx.asp?"; nocase; uricontent: "id="; nocase; content:"globalphon.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001660; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GlobalPhon; sid: 2001660; rev:6;)

#by Jeremy at sudosecure
# ref: 9ab0b5608af7c2c7fb3b631f27ee79c6
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gooochi Related Spyware Ad pull"; flow:established,to_server; content:"GET "; depth:4; uricontent:"?z="; nocase; uricontent:"|26|ch="; nocase; uricontent:"|26|dim="; nocase; uricontent:"|26|abr="; nocase; content:!"Referer\: "; nocase; reference:url,www.threatexpert.com/reports.aspx?find=ads.gooochi.biz; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008375; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Gooochi; sid:2008375; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GrandstreetInteractive.com Install"; flow: to_server,established; uricontent:"/tdtb.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002012; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GrandStreetInteractive.com; sid: 2002012; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE GrandstreetInteractive.com Update"; flow: to_server,established; uricontent:"/wupdsnff.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002013; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_GrandStreetInteractive.com; sid: 2002013; rev:4;)

#by Matt jonkman, guard-center.com crapware (if you're gonna pretend to scan a disk, you ought to at least access the disk a little)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Guard-Center.com Fake AntiVirus Post-Install Checkin"; flow:established,to_server; uricontent:".php?"; uricontent:"&advid="; uricontent:"&u="; uricontent:"&p="; content:"HTTP/1."; content:!"|0d 0a|User-Agent\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007744; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Guard-Center.com; sid:2007744; rev:4;)

#by matt jonkman
#many malware packages use hex to obscure an IP
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hex Encoded IP HTTP Request - Likely Malware"; flow:established,to_server; content:"|0d 0a|Host\: 0x"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007951; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hex_Domain_Request; sid:2007951; rev:2;)

#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE host-domain-lookup.com spyware related Checkin"; flow:established,to_server; uricontent:"?udata="; uricontent:"mission_supgrade\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007749; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Host-domain-lookup.com; sid:2007749; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE host-domain-lookup.com spyware related Start Report"; flow:established,to_server; uricontent:"?udata="; uricontent:"program_started\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007750; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Host-domain-lookup.com; sid:2007750; rev:3;)


#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (1)"; flow: to_server,established; uricontent:"/install/startInstallprocess.asp?"; nocase; uricontent: "Defau"; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000920; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000920; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (2)"; flow: to_server,established; uricontent:"/install/process/upsale/hotbar"; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000921; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000921; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Install (3)"; flow: to_server,established; uricontent:"/installs/hotbar/programs/"; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000922; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000922; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Reporting Information"; flow: to_server,established; content:"POST"; nocase; uricontent:"/reports/hotbar/"; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000923; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000923; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Upgrading"; flow: to_server,established; uricontent:"/updates/hotbar/"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000924; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000924; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Activity"; flow: to_server,established; uricontent:"/dynamic/hotbar/"; nocase; reference:url,www.hotbar.com; threshold: type limit, count 1, track by_src, seconds 360; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000929; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000929; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Partner Checkin"; flow: to_server,established; uricontent:"/partners/"; nocase; uricontent:"partners.xip"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000925; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2000925; rev:7;)

#from Shirkdog
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Subscription POST"; flow: to_server,established; uricontent:"/hotbar/"; nocase; uricontent:"Subscription.dll?"; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002820; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid: 2002820; rev:3;)

#Matt Jonkman from spyware lp data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Agent Adopt/Zango"; flow: to_server,established; uricontent:"/adopt.jsp?"; nocase; uricontent:"l="; nocase; uricontent:"&sz="; nocase; uricontent:"cid="; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003364; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid:2003364; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Keywords Download"; flow: to_server,established; uricontent:"/keywords/kyfb."; nocase; uricontent:"partner_id="; nocase; reference:url,www.hotbar.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003388; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid:2003388; rev:3;)

#matt jonkman, new version of hotbar apparently
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar.com Related Spyware Install Report"; flow:established,to_server; uricontent:"/ciconfig.aspx?did="; uricontent:"&brandid="; uricontent:"&os="; uricontent:"&pkg_ver="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008917; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid:2008917; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar.com Related Spyware Activity Report"; flow:established,to_server; uricontent:"/trackedevent.aspx?eid="; uricontent:"&brand="; uricontent:"&os="; uricontent:"&mt="; uricontent:"&pkg_ver="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008918; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Hotbar; sid:2008918; rev:2;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ICQ-Update.biz Reporting Install"; flow: to_server,established; uricontent:"log.php?"; nocase; uricontent: "IP="; nocase; uricontent:"Port1="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001490; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ICQ-Update.biz; sid: 2001490; rev:8;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IEHelp.net Spyware Installer"; flow:established,to_server; uricontent:"/counter/help.chm"; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002090; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_IEHelp.net; sid:2002090; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE IEHelp.net Spyware checkin"; flow:established,to_server; uricontent:"/l/gpr.php?"; nocase; uricontent: "ID1="; nocase; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.domcom.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002096; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_IEHelp.net; sid:2002096; rev:6;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Reporting"; flow: to_server,established; uricontent:"/ist/scripts/log_downloads.php"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000927; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ISearchTech.com; sid: 2000927; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Activity (1)"; flow: to_server,established; uricontent:"/ist/bars/"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000928; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ISearchTech.com; sid: 2000928; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Activity (2)"; flow: to_server,established; uricontent:"/ist/softwares/"; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001395; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ISearchTech.com; sid: 2001395; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ISearchTech.com XXXPornToolbar Data Submission"; flow: to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?"; nocase; uricontent: "version="; nocase; reference:url,www.isearchtech.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001697; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ISearchTech.com; sid: 2001697; rev:6;)

# Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Incredisearch.com Spyware Ping"; flow: established,to_server; uricontent:"/ping.asp"; nocase; content:"incredisearch.com"; depth:300; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001793; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Incredisearch.com; sid: 2001793; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Incredisearch.com Spyware Activity"; flow: established,to_server; content:"Host\: www.incredisearch.com"; depth:300; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001794; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Incredisearch.com; sid: 2001794; rev:6;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Instafinder.com spyware"; flow: established,to_server; uricontent:"/404/update/instafi"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003376; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Instafinder.com; sid: 2003376; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Fuel.com Install"; flow: to_server,established; uricontent:"/cgi-bin/omnidirect.cgi?&debug_log="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002015; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Internet_Fuel; sid: 2002015; rev:4;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Optomizer Reporting Data"; flow: to_server,established; uricontent:"/io/downloads/"; nocase; content:"/wsi8/optimize"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001308; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Internet_Optimizer; sid: 2001308; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Internet Optimizer Spyware Install"; flow: to_server,established; uricontent:"/internet-optimizer/"; nocase; uricontent:"/optimize"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.netoptimizer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001396; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Internet_Optimizer; sid: 2001396; rev:6;)

# by: Jeremy Conway at sudosecure.net
# ref: b5880918affcbb25120b431a45b99429
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Adware Istbar Search Hijacker and Downloader"; flow:established,to_client; content:" 200 OK|0d 0a|"; nocase; depth:64; content:"|0d 0a|Content-Type|3a| qvod_update|0d 0a|"; nocase; content:"|0d 0a 0d 0a 5b|AGENTLIST|5d 0d 0a|ip0="; nocase; content:"|0d 0a|port0="; nocase; within:25; content:"|0d 0a 0d 0a|ip1="; nocase; content:"|0d 0a|port1="; nocase; within:25; reference:url,www.pctools.com/mrc/infections/id/Trojan.ISTbar/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.ISTbar; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009597; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Istbar; sid:2009597; rev:2;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE jmnad1.com Spyware Install (1)"; flow: to_server,established; uricontent:"/install.qg?"; nocase; uricontent: "ID="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002019; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Jmnad1.com; sid: 2002019; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE jmnad1.com Spyware Install (2)"; flow: to_server,established; uricontent:"/download/mw_4s_stub.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002016; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Jmnad1.com; sid: 2002016; rev:8;)

#Submitted by Matt Jonkman
alert udp $HOME_NET 3531 -> $EXTERNAL_NET 3531 (msg:"ET MALWARE JoltID Agent Probing or Announcing UDP"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000900; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2000900; rev:7;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET MALWARE JoltID Agent Communicating TCP"; flow: to_server,established; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000901; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2000901; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"ET MALWARE JoltID Agent Keep-Alive"; flow: to_server,established; dsize: 1; content:"|4b|"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001015; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2001015; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE JoltID Agent P2P via Proxy Server"; flow: to_server,established; content:"POST http\://"; nocase; content:"\:3531/.pkt"; nocase; within: 20; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001679; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2001679; rev:11;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 3531 (msg:"ET MALWARE JoltID Agent Requesting File"; flow: established,to_server; content:"GIVE "; content:"User-Agent\:"; nocase; content:"PeerEnabler"; within:120; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001654; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_JoltID; sid: 2001654; rev:9;)

#by Jamie Blasco
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Malicious Applet Access (justexploit kit)"; flow:to_server,established; uricontent:"/sdfg.jar"; classtype: trojan-activity; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3570.0; reference:url,doc.emergingthreats.net/2010438; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Justexploit; sid:2010438; rev:3;)

#Submitted by Jason Haar
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Keenvalue Update Engine"; flow: to_server,established; content:"|0d0a|Host|3a|secure.keenvalue.com"; content:"|0d0a|Extension|3a|Remote-Passphrase"; within: 300; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000932; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Keenvalue; sid: 2000932; rev:5;)

#Matt Jonkman
# all sorts of junk at www.thespyguard.com, fake antispyware trojan
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Install"; flow:established,to_server; uricontent:"/soft/installers/spyguardf.php"; nocase; reference:url,www.thespyguard.com; reference:url,www.kliksoftware.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003201; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kliksoftware; sid:2003201; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Update Check"; flow:established,to_server; uricontent:"/soft/update/check_update.php"; nocase; content:"Host\: www.kliksoftware.com"; nocase; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003202; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kliksoftware; sid:2003202; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hitvirus Fake AV Install"; flow:established,to_server; uricontent:"/soft/installers/hitvirusf.php"; nocase; content:"get.hitvirus.com"; nocase; reference:url,www.kliksoftware.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003203; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kliksoftware; sid:2003203; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Thespyguard.com Spyware Updating"; flow:established,to_server; uricontent:"/soft/update/get.php"; nocase; uricontent:"pid="; nocase; uricontent:"mail="; nocase; content:"Host\: www.kliksoftware.com"; nocase; reference:url,www.kliksoftware.com; reference:url,www.thespyguard.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003204; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kliksoftware; sid:2003204; rev:3;)

#from spyware listeningpost data, by matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE KMIP.net Spyware"; flow:established,to_server; uricontent:"/iesocks?peer_id="; nocase; uricontent:"ver="; nocase; classtype:trojan-activity; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003298; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kmip.net; sid:2003298; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE KMIP.net Spyware 2"; flow:established,to_server; uricontent:"/sp?c=N&i="; nocase; uricontent:"&v="; nocase; classtype:trojan-activity; reference:url,www.kmip.net; reference:url,doc.emergingthreats.net/bin/view/Main/2003526; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kmip.net; sid:2003526; rev:3;)

#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kwsearchguide.com Related Spyware Checkin"; flow:established,to_server; uricontent:"/statics.php?maddr="; nocase; uricontent:"&ipaddr="; nocase; uricontent:"&ovt="; nocase; uricontent:"&verno="; nocase; uricontent:"&action="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008067; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kwsearchguide.com; sid:2008067; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Kwsearchguide.com Related Spyware Keepalive"; flow:established,to_server; uricontent:"/alive.php?ovt=new_link"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008069; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Kwsearchguide.com; sid:2008069; rev:2;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE LocalNRD Spyware Checkin"; flow: to_server,established; uricontent:"/a/Drk.syn?"; nocase; uricontent: "adcontext"; nocase; reference:url,www.localnrd.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001340; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Localnrd; sid: 2001340; rev:9;)


#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Look2me Spyware Activity (1)"; flow: to_server,established; content:"Referer\: Look2Me"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.look2me.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001499; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Look2me; sid: 2001499; rev:7;)

#by Pedro Marinho
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware.Look2Me Activity"; flow:established,to_server; uricontent:"?B="; uricontent:"&V="; uricontent:"&M="; uricontent:"&R="; uricontent:"&ID={"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008474; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Look2me; sid:2008474; rev:2;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MSUpdater.net Spyware Checkin"; flow:established,to_server; uricontent:"/popsetarray.php?&country="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002094; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MSUpdater.net; sid:2002094; rev:4;)

#by Matt Jonkman, from sunbelt blog
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Updating"; flow:established,to_server; uricontent:"/update.php?v="; nocase; uricontent:"&d="; nocase; uricontent:"&vs="; nocase; content:"Host\: www.MalwareAlarm.com"; nocase; classtype:trojan-activity; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003611; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Malwarealarm.com; sid:2003611; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malwarealarm.com Fake AV/AntiSpyware Download"; flow:established,to_server; uricontent:"GET /madownload.php?&advid="; nocase; uricontent:"&u="; nocase; uricontent:"&p="; nocase; content:"Host\: download.MalwareAlarm.com"; nocase; reference:url,sunbeltblog.blogspot.com/2007/04/another-fake-security-scam-site_9466.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003612; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Malwarealarm.com; sid:2003612; rev:4;)

#submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Configuration Access"; flow: to_server,established; uricontent:"/oss/remoteconfig.asp"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000902; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2000902; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Access"; flow: to_server,established; uricontent:"proxyhttp|0b|marketscore|03|com"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001359; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001359; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET MALWARE MarketScore.com Spyware SSL Access"; flow: to_server,established; content:"www.marketscore.com"; content:"InstantSSL1"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001563; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001563; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Proxied Traffic"; flow: to_server,established; content:"X-OSSProxy\: OSSProxy"; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001564; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001564; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore Spyware Uploading Data"; flow: to_server,established; uricontent:"/scripts/contentidpost.dll"; nocase; content:"OSS-Proxy"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003253; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2003253; rev:3;)

#Info from sgtocanada
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Proxied Traffic (mitmproxy agent)"; flow: to_server,established; content:"Proxy-agent\: ManInTheMiddle-Proxy"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001586; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001586; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Upgrading"; flow: to_server,established; uricontent:"/oss/upgrchk_2a.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001587; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001587; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Activity (1)"; flow: to_server,established; uricontent:"/oss/dittorules.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001588; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001588; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MarketScore.com Spyware Activity (2)"; flow: to_server,established; uricontent:"/oss/routerrules2.asp"; nocase; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001589; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MarketScore; sid: 2001589; rev:6;)

#Sigs by Matt Jonkman from the excellent analysis by Tom Liston at http://isc.sans.org/diary.php?date=2004-11-04
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Mastermind Related Reporting"; flow: to_server,established; uricontent:"/bundle.php?"; nocase; uricontent: "aff="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001409; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001409; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"ET MALWARE Mastermind Related Reporting 8081"; flow: to_server,established; content:"/a?l=PeAyF1sgrZYw&i="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001410; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001410; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mastermind Related Downloading mm20.ocx"; flow: to_server,established; uricontent:"/soft/mm20.ocx"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001411; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001411; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medis-Motor Related Downloading ast_4_mm.exe"; flow: to_server,established; uricontent:"/dist/ast_4_mm.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001413; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001413; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Media-Motor Related Downloading MediaMotor25.exe"; flow: to_server,established; uricontent:"/soft/MediaMotor25.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001414; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001414; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres.net Downloading cpr_mm2.exe"; flow: to_server,established; uricontent:"/tt/cpr_mm2.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001419; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001419; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres.net Downloading ab1.exe"; flow: to_server,established; uricontent:"/tt/ab1.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001420; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001420; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres.net Downloading tvm_bundle.exe"; flow: to_server,established; uricontent:"/tt/tvm_bundle.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001421; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001421; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Avres.net Reporting Data"; flow: to_server,established; uricontent:"/log3.php?"; nocase; uricontent:"c={"; nocase; uricontent:"what="; nocase; uricontent:"avatar="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001422; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mastermind.com; sid: 2001422; rev:8;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,8080] (msg:"ET MALWARE Matcash Trojan Related Spyware Code Download"; flow:established,to_server; content:"|0d 0a|User-Agent\: Windows 5.1 (2600)\; DMCP"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008759; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Matcash.com; sid:2008759; rev:4;)

#Matt Jonkman from spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trinityacquisitions.com and Maximumexperience.com Spyware Activity"; flow:to_server,established; uricontent:"/upd/check?version="; nocase; uricontent:"&localeId="; nocase; uricontent:"&affid="; nocase; uricontent:"&updatevalue="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003344; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MaxExp_TrinityAcquisitions.com; sid: 2003344; rev:3;)

#Mark Tombaugh
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Media Pass ActiveX Install"; flow: to_server,established; uricontent:"/MediaPassK.exe"; nocase; reference:url,www.benedelman.org/news/010205-1.html; reference:url,static.windupdates.com/Release/v19/Info.txt; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001783; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MediaPass; sid: 2001783; rev:5;)

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MediaTickets Download"; flow: to_server,established; uricontent:"MediaTicketsInstaller.cab"; content:"Host\: www.mt-download.com"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001448; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MediaTickets; sid: 2001448; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MediaTickets Spyware Install"; flow: to_server,established; uricontent:"/mtrslib2.js"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.winad.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001481; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MediaTickets; sid: 2001481; rev:6;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Config"; flow: to_server,established; uricontent:"/dw/cgi/download.cgi?"; nocase; uricontent:"sn="; nocase; uricontent:"pid="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001503; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Medialoads.com; sid: 2001503; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Reporting (download.cgi)"; flow: to_server,established; uricontent:"/dw/cgi/download.cgi?"; nocase; uricontent:"sn="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001508; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Medialoads.com; sid: 2001508; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Reporting (register.cgi)"; flow: to_server,established; uricontent:"/dw/cgi/register.cgi?"; nocase; uricontent:"v="; nocase; content:"Host\:config.medialoads.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001509; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Medialoads.com; sid: 2001509; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Medialoads.com Spyware Identifying Country of Origin"; flow: to_server,established; uricontent:"/dw/cgi/country.cgi"; nocase; content:"User-Agent\:"; nocase; content:"NSISDL"; within:120; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001507; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Medialoads.com; sid: 2001507; rev:9;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Metarewards Spyware Activity"; flow: to_server,established; content:"Host\: www.metareward.com"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001666; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Metarward.com; sid: 2001666; rev:4;)
#From listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Metarewards Disclaimer Access"; flow: to_server,established; uricontent:"/www.metareward.com/mailimg/disclaimer/"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002309; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Metarward.com; sid: 2002309; rev:4;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Installation (dlhelper)"; flow: established,to_server; uricontent:"/dlhelper.cab"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001641; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Microgaming.com; sid: 2001641; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Installation (2)"; flow: established,to_server; uricontent:"/DownloadHNew.asp?"; nocase; uricontent:"btag="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001643; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Microgaming.com; sid: 2001643; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Reporting Installation"; flow: established,to_server; uricontent:"/dlhelper/downloadlogger2.asp?"; nocase; uricontent:"time="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001644; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Microgaming.com; sid: 2001644; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Microgaming.com Spyware Casino App Install"; flow: established,to_server; uricontent:"/viper/thunderluck/00"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001645; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Microgaming.com; sid: 2001645; rev:5;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mindset Interactive Install (1)"; flow: to_server,established; uricontent:"/mindset5/data"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000583; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mindsetinteractive; sid: 2000583; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mindset Interactive Install (2)"; flow: to_server,established; uricontent:"/mindset/data"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000584; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mindsetinteractive; sid: 2000584; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mindset Interactive Ad Retrieval"; flow: to_server,established; uricontent:"/mindset5"; nocase; reference:url,www.mindsetinteractive.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mindsetinteractive; sid: 2000594; rev:6;)

#by Matt Jonkman, from spyware LP Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Mirarsearch.com Spyware Posting Data"; flow:established,to_server; uricontent:"/v70match.cgi?"; nocase; uricontent:"key1="; nocase; uricontent:"&key2="; nocase; uricontent:"&match="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003577; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mirarsearch.com; sid:2003577; rev:3;)

#by Pedro Marinho
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware-Mirar Reporting (BAR)"; flow:to_server,established; uricontent:"download.cgi?BUILDNAME="; nocase; uricontent:"&AFFILIATE="; uricontent:"&ID="; uricontent:"&ERROR=0"; content:"|0d 0a|User-Agent\: BAR"; classtype:policy-violation; reference:url,doc.emergingthreats.net/2009234; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Mirarsearch.com; sid:2009234; rev:2;)

#Matt Jonkman 2/22/05
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE My-Stats.com Spyware Checkin"; flow: established,to_server; uricontent:"/ad-partner/SelectConfirm.php?"; nocase; uricontent:"dummy="; nocase; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001747; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My-Stats.com; sid: 2001747; rev:7;)


#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update"; flow:established,to_server; uricontent:"/images/mysearchbar/highlight"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003351; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MyGlobalSearch; sid:2003351; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update 2"; flow:established,to_server; uricontent:"/images/mysearchbar/customize"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003352; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MyGlobalSearch; sid:2003352; rev:3;)

#by Akash Mahajan
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sears.com/Kmart.com My SHC Community spyware download"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/CSetup_xp.cab"; classtype:trojan-activity; reference:url,community.ca.com/blogs/securityadvisor/archive/2007/12/20/sears-com-join-the-community-get-spyware.aspx; reference:url,www.benedelman.org/news/010108-1.html; reference:url,doc.emergingthreats.net/bin/view/Main/2007996; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MySHC; sid:2007996; rev:2;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySearchNow.com Spyware"; flow: to_server,established; uricontent:"exe/dns.html"; nocase; content:"User-Agent\: TPSystem"; nocase; reference:url,www.mysearchnow.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003221; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MySearchnow.com; sid: 2003221; rev:3;)

#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySideSearch.com Spyware Install"; flow:established,to_server; uricontent:".php?aff=mysidesearch&act=install"; content:"|0d 0a|User-Agent\: NSISDL/1.2 (Mozilla)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008915; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MySideSearch.com; sid:2008915; rev:2;)

# by: Jeremy Conway at sudosecure.net
# ref: 82bd65bc1c0b2b6d2bc599d1295a3579
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MySideSearch Browser Optimizer"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: NSISDL/1.2 (Mozilla)|0d 0a|"; nocase; uricontent:".php?aff="; nocase; uricontent:"&act="; nocase; classtype:trojan-activity; reference:url,www.spywareremove.com/removeMySideSearch.html; reference:url,www.threatexpert.com/threats/adware-win32-mysidesearch.html; reference:url,www.pctools.com/mrc/infections/id/Adware.MySideSearch/; reference:url,doc.emergingthreats.net/2009524; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_MySideSearch.com; sid:2009524; rev:2;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE My Search Bar Install"; flow: to_server,established; uricontent:"/mysetp.exe"; nocase; reference:url,www.2-spyware.com/parasite-my-search-bar.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001040; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Search_Bar; sid: 2001040; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE My Search Spyware Config Download"; flow: to_server,established; uricontent:"/ms"; nocase; uricontent:"cfg.jsp?"; uricontent:"v="; nocase; nocase; pcre:"/\/ms\d\d\dcfg\.jsp/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002839; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Search_Bar; sid:2002839; rev:4;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Receiving Configuration"; flow: to_server,established; uricontent:"/speedbar/mySpeedbarCfg"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000600; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid: 2000600; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Traffic (bar config download)"; flow: to_server,established; uricontent:"/barcfg.jsp?"; nocase; content:"MyWebSearchWB"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002836; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid: 2002836; rev:6;)

#New, from spyware listening post hits
# Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Receiving Config 2"; flow: to_server,established; uricontent:"/mySpeedbarCfg2.jsp"; nocase; content:"MyWebSearch"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid:2003222; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWebSearch Toolbar Posting Activity Report"; flow:to_server,established; uricontent:"/jsp/cfg_redir2.jsp?id="; nocase; uricontent:"url=http"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003617; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid:2003617; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyWay Spyware Posting Activity Report - Dell Related"; flow:to_server,established; uricontent:"/script/bzDellHpData.js?"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003621; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_My_Web_Toolbar; sid:2003621; rev:5;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE New.net Spyware updating"; flow:established,to_server; uricontent:"/download/NewDotNet/"; nocase; uricontent:"/upgrade.cab?"; nocase; uricontent:"upg="; nocase; uricontent:"ec="; nocase; reference:url,www.new.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003240; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_New.net; sid:2003240; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE New.net Spyware Checkin"; flow:established,to_server; uricontent:"/?version="; nocase; uricontent:"discard_tag="; nocase; uricontent:"source="; nocase; uricontent:"ptr="; nocase; uricontent:"br=NewDotNet"; nocase; uricontent:"ec="; nocase; reference:url,www.new.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003241; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_New.net; sid:2003241; rev:4;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Oenji.com Install"; flow: to_server,established; uricontent:"/Bundled/OemjiInstall"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001538; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Oemji.com; sid: 2001538; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; depth: 400; content:".oemji.com"; within: 25; distance: 1; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001539; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Oemji.com; sid: 2001539; rev:8;)

#by shirkdog from spyware lp data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Oemji.com Spyware Settings Update"; flow:established,to_server; uricontent:"/OemjiSearchPlus.ini"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094187; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003467; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Oemji.com; sid:2003467; rev:4;)

#by Reg Quinton
alert tcp $HOME_NET !21:902 -> any any (msg:"ET MALWARE Suspicious 220 Banner on Local Port"; flow:from_server,established; content:"220"; offset:0; depth:4; pcre:"/220[- ]/"; classtype:non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2003055; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Off_Port_FTP; sid:2003055; rev:5;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OfferOptimizer.com Spyware"; flow: to_server,established; uricontent:"/ctx/keyword_context.php?"; nocase; uricontent:"urlContext=http"; nocase; reference:url,www.offeroptimizer.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001341; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Offer_Optimizer; sid: 2001341; rev:9;)

#by Will Metcalf
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OneStepSearch Host Activity"; flow: to_server,established; content:"GET "; depth:4; content:"|0d0a|host\: upgrade.onestepsearch.net"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007855; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Onestepsearch; sid:2007855; rev:2;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE OutBlaze.com Spyware Activity"; flow: to_server,established; uricontent:"/scripts/adpopper/webservice.main"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002044; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outblaze.com; sid: 2002044; rev:4;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Install"; flow: to_server,established; uricontent:"/ctxad-"; nocase; pcre:"/ctxad-\d+\.sig/Ui"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001495; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outerinfo.com; sid: 2001495; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Advertising Campaign Download"; flow: to_server,established; uricontent:"/campaigns"; nocase; content:"outerinfo.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001496; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outerinfo.com; sid: 2001496; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Activity"; flow: to_server,established; content:"Host\: campaigns.outerinfo.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outerinfo.com; sid: 2001497; rev:5;)

#Matt jonkman, from spywarelp data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Outerinfo.com Spyware Checkin"; flow: to_server,established; uricontent:"/notify.php?"; nocase; uricontent:"pid="; nocase; uricontent:"&module="; nocase; uricontent:"&v="; nocase; uricontent:"&result="; nocase; uricontent:"&message="; nocase; content:"outerinfo.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003426; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Outerinfo.com; sid: 2003426; rev:3;)

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Bundle Install"; flow: to_server,established; content:"Host\: download.overpro.com"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/WildApp\.cab/i"; reference:url,www.wildarcade.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001444; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Overpro; sid: 2001444; rev:9;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Games"; flow: to_server,established; uricontent:"/blocks/blasterblocks"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001459; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Overpro; sid: 2001459; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Overpro Spyware Install Report"; flow: to_server,established; uricontent:"/processInstall.aspx"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.overpro.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002017; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Overpro; sid: 2002017; rev:6;)

#by jeremy at sudosecure
# ref: 48ba8bfecf840fc9a5f8ff2e225452a7
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE EMO/PCPrivacyCleaner Rougue Secuirty App GET Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"action="; nocase; uricontent:"addt="; nocase; uricontent:"pc|5F|id="; nocase; uricontent:"abbr="; nocase; reference:url,www.spywaresignatures.com/details/pcprivacycleaner.pdf; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008456; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_PCPrivacycleaner; sid:2008456; rev:3;)

#Matt Jonkman from Spyware Listening Post Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pacimedia Spyware 1"; flow:to_server,established; uricontent:"/mcp/mcp.cgi"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002083; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pacimedia; sid:2002083; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Pacimedia Spyware 2"; flow: to_server,established; uricontent:"/xml/check.php?"; nocase; uricontent:"u="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002194; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pacimedia; sid: 2002194; rev:6;)

#lovely fake av package at pcdoc.co.kr
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCDoc.co.kr Fake AV User-Agent (PCDoc11)"; flow:established,to_server; content:"|0d 0a|User-Agent\: PCDoc"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007786; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pcdoc.co.kr; sid:2007786; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCDoc.co.kr Fake AV User-Agent (mypcdoctor)"; flow:established,to_server; content:"|0d 0a|User-Agent\: mypcdoc"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007804; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pcdoc.co.kr; sid:2007804; rev:2;)

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PeopleOnPage Install"; flow: to_server,established; uricontent:"/install/pop"; nocase; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001445; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_PeopleonPage; sid: 2001445; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PeopleOnPage Ping"; flow: to_server,established; content:"Host\: srv.peopleonpage.com"; nocase; pcre:"/(POST |POST (http|https)\:\/\/[-0-9a-z.]*)\/s\/l\/firstping/i"; reference:url,www.peopleonpage.com; reference:url,www.safer-networking.org/en/threats/602.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001446; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_PeopleonPage; sid: 2001446; rev:8;)

# by: Jeremy Conway at sudosecure.net
# ref: a9036ae5d9bb8e3c53d5e0126d448d1d
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware PlusDream - GET Config Download/Update"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?kind="; nocase; uricontent:"&pid="; nocase; uricontent:"&ver="; nocase; uricontent:"&addresses="; nocase; uricontent:"&hdmacid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009712; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_PlusDream; sid:2009712; rev:2;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Popuptraffic.com Bot Reporting"; flow: to_server,established; uricontent:"/scripts/click.php?"; nocase; uricontent:"hid="; reference:url,popuptraffic.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000577; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Popuptraffic.com_Reporting; sid: 2000577; rev:8;)

#By Matt Jonkman from spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Privacyprotector.com Fake Anti-Spyware Install"; flow: to_server,established; uricontent:"/privacyprotectorfreesetup.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003547; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Privacyprotector.com; sid: 2003547; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Privacyprotector.com Fake Anti-Spyware Checkin"; flow: to_server,established; uricontent:"/?action="; nocase; uricontent:"&type="; nocase; uricontent:"&pc_id="; nocase; uricontent:"&abbr="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003548; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Privacyprotector.com; sid: 2003548; rev:3;)

#storageguardsoft.com also related, same installer, similar hosts
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AVSystemcare.com.com Fake Anti-Virus Product"; flow:established,to_server; uricontent:"?proto="; nocase; uricontent:"&rc="; nocase; uricontent:"&v="; nocase; uricontent:"&abbr="; nocase; uricontent:"&platform="; nocase; uricontent:"&os_version="; nocase; uricontent:"&ac="; nocase; uricontent:"&appid="; nocase; uricontent:"&em="; nocase; uricontent:"&pcid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007664; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Privacyprotector.com; sid:2007664; rev:3;)

# Submitted by John Stewart, 2/23/2005
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET MALWARE Pynix.dll BHO Activity"; flow: established,to_server; uricontent:"ABETTERINTERNET.EXE"; nocase; uricontent:"bho=PYNIX.DLL"; nocase; reference:url,www.pynix.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001748; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Pynix; sid: 2001748; rev:5;)

#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio Spyware/Adware Initial Registration"; flow:established,to_server; dsize:<200; content:"POST "; depth:5; content:"|0d 0a 0d 0a|REGISTER|7c|"; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d+/"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rabio; sid:2007820; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio.com Related Adware/Spyware User-Agent (HTTP_CONNECT_2)"; flow:established,to_server; content:"|0d 0a|User-Agent\: HTTP_Connect_"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007821; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rabio; sid:2007821; rev:2;)

#Updated by Jonathan Miner
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE rcprograms"; flow: to_server,established; content:"update.rcprograms.com"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.rcprograms.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rcprograms; sid: 2000024; rev:7;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rdxrp.com Traffic"; flow: to_server,established; uricontent:"/rdxr020304.dat"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001311; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rdxrp.com; sid: 2001311; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rdxrp.com Traffic (Generic)"; flow: to_server,established; uricontent:"/rdxr"; nocase; uricontent:".dat"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001312; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Rdxrp.com; sid: 2001312; rev:5;)

#they run a lot of casino online games
#matt jonkman, re f5e2b1706a3e0e6d34e70677a6e952a6
alert tcp $HOME_NET any -> $EXTERNAL_NET 20000 (msg:"ET MALWARE Realtimegaming.com Online Casino Spyware Gaming Checkin"; flow:established,to_server; dsize:<30; content:"|43 01 00|"; depth:4; content:"Casino"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008402; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Realtimegaming.com; sid:2008402; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Regnow.com Access"; flow: to_server,established; uricontent:"/softsell/visitor.cgi?"; nocase; uricontent:"affiliate="; nocase; reference:url,www.regnow.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001223; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Regnow.com; sid: 2001223; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Regnow.com Gamehouse.com Access"; flow: to_server,established; uricontent:"/affiliates/template.jsp?"; nocase; uricontent:"AID="; nocase; reference:url,www.gamehouse.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001224; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Regnow.com; sid: 2001224; rev:7;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Salongas Infection"; flow: to_server,established; uricontent:"/sp.htm?id="; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000601; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Salongas; sid: 2000601; rev:5;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Relevancy Spyware"; flow: established,to_server; uricontent:"/SearchRelevancy/SearchRelevancy.dll"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.relevancy.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001696; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SearchRelevancy; sid: 2001696; rev:8;)

#By Matt Jonkman from Listening Post Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 1"; flow: to_server,established; uricontent:"/rd/Clk.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002296; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002296; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 2"; flow: to_server,established; uricontent:"/rd/feed/TextFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002297; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002297; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 3"; flow: to_server,established; uricontent:"/rd/feed/XMLFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002298; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002298; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 4"; flow: to_server,established; uricontent:"/rd/feed/JavaScriptFeed.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002299; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002299; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 5"; flow: to_server,established; uricontent:"/rd/feed/JavaScriptFeedSE.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002300; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002300; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 6"; flow: to_server,established; uricontent:"/rd/SearchResults.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002301; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002301; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 7"; flow: to_server,established; uricontent:"/rd/jsp/BidRank/index.jsp"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002302; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002302; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchfeed.com Spyware 8"; flow: to_server,established; uricontent:"/SFToolBar.html"; reference:url,www.searchfeed.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002303; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchfeed.com; sid: 2002303; rev:4;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (toolbar)"; flow: to_server,established; uricontent:"/dkprogs/toolbar.txt"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001473; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001473; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (prog)"; flow: to_server,established; uricontent:"/dkprogs/dktibs.php"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001474; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001474; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Receiving Commands"; flow: to_server,established; uricontent:"/xpsystem/commands.ini"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001475; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001475; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (systime)"; flow: to_server,established; uricontent:"/dkprogs/systime.txt"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001480; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001480; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (mstask)"; flow: to_server,established; uricontent:"/dkprogs/mstasks3.txt"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001483; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001483; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmeup Spyware Install (d.exe)"; flow: to_server,established; uricontent:"/x30/d.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001484; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmeup; sid: 2001484; rev:7;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (v3cab)"; flow: to_server,established; uricontent:"/cab/v3cab.cab"; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001540; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001540; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host\:"; nocase; depth: 400; content:".searchmiracle.com"; nocase; within: 35; distance: 1; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001532; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001532; rev:10;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Searchmiracle.com Spyware Installer silent.exe Download"; flow: from_server,established; content:"|20 28 43 29 20 32 30 30 31 2c 20 32 30 30 33 20 52 61 64 69 6d 20 50 69 63 68 61|"; reference:url,www.searchmiracle.com/silent.exe; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001533; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001533; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (silent_install)"; flow: to_server,established; uricontent:"/silent_install.exe"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001534; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001534; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (protector.exe)"; flow: to_server,established; uricontent:"/protector.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001535; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001535; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install (install)"; flow: to_server,established; uricontent:"/sideb.exe"; content:"Host\: install.searchmiracle.com"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001744; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2001744; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Spyware Install - silent.exe"; flow: to_server,established; uricontent:"/silent.exe"; nocase; reference:url,www.searchmiracle.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002091; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchmiracle.com; sid: 2002091; rev:5;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Scout Related Spyware (content)"; flow: established,to_server; content:"Host\: content.searchscout.com"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001650; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchscout; sid: 2001650; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Search Scout Related Spyware (results)"; flow: established,to_server; content:"Host\: results.searchscout.com"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.searchscout.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001653; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Searchscout; sid: 2001653; rev:6;)

#by Matt Jonkman, from spyware LP Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Security-updater.com Spyware Posting Data"; flow:established,to_server; uricontent:"/SA/receive_data.php3?tcpc="; content:"security-updater.com"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003576; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Security-updater.com; sid:2003576; rev:3;)
#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Seekmo.com Spyware Data Upload"; flow:established,to_server; uricontent:".aspx?"; uricontent:"eid="; uricontent:"&pkg_ver="; uricontent:"&ver="; uricontent:"&brand="; uricontent:"&mt="; uricontent:"&partid="; uricontent:"&altdid="; uricontent:"&os="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008356; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Seekmo.com; sid:2008356; rev:2;)

#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Servicepack.kr Fake Patch Software Checkin"; flow:established,to_server; uricontent:".php?kind="; nocase; uricontent:"&ver="; nocase; uricontent:"&ver2="; nocase; uricontent:"&ver3="; nocase; uricontent:"&pid="; nocase; uricontent:"&supportid="; nocase; uricontent:"&uniq="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008016; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Servicepack.kr; sid:2008016; rev:2;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sexmaniack Install Tracking"; flow: to_server,established; uricontent:"/counted.php?ref="; nocase; content:"Host\: counter.sexmaniack.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001460; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Sexmaniak; sid: 2001460; rev:7;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop At Home Select.com Install Attempt"; flow: to_server,established; uricontent:"/mindset/bunsetup.cab"; nocase; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000580; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopAtHomeSelect; sid: 2000580; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Shop At Home Select.com Install Download"; flow: from_server,established; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000581; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopAtHomeSelect; sid: 2000581; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware Heartbeat"; flow: established,to_server; uricontent:"/s.dll?MfcISAPICommand=heartbeat&param="; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001708; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopAtHomeSelect; sid: 2001708; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shop at Home Select Spyware Install"; flow: established,to_server; uricontent:"/arcadecash/setup"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sahagent.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002037; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopAtHomeSelect; sid: 2002037; rev:5;)

#matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shopnav Spyware Install"; flow: to_server,established; uricontent:"/toolbarv3.cgi?UID="; nocase; uricontent:"&version="; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.shopnav.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002000; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ShopNav; sid: 2002000; rev:5;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Shopcenter.co.kr Spyware Install Report"; flow:established,to_server; uricontent:"/RewardInstall.php?mac=0"; uricontent:"&hdd="; uricontent:"&ver="; uricontent:"&ie="; uricontent:"&win="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008370; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Shopcenter.co.kr; sid:2008370; rev:2;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Install"; flow: to_server,established; uricontent:"/servlet/sbinstservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001016; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SideStep_Bar; sid: 2001016; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Reporting Data"; flow: to_server,established; uricontent:"/servlet/sblogservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001017; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SideStep_Bar; sid: 2001017; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SideStep Bar Reporting Data (sbstart)"; flow: to_server,established; uricontent:"/servlet/SbStartservlet"; nocase; reference:url,www.sidestep.com; reference:url,www.spyany.com/program/article_spw_rm_SideStep.html; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002821; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SideStep_Bar; sid: 2002821; rev:5;)

#by RPG
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Simbar Spyware User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"SIMBAR="; within:150; pcre:"/User-Agent\:[^\n]+\;\sSIMBAR=/"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=AdWare.Win32.Simbar.a&threatid=427805; reference:url,vil.nai.com/vil/content/v_131206.htm; threshold:type limit, count 1, seconds 60, track by_src; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2009005; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Simbar; sid:2009005; rev:4;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Install rh.exe"; flow: to_server,established; uricontent:"/install/RH/rh.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001505; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Smartpops.com; sid: 2001505; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Install"; flow: to_server,established; uricontent:"/install/SE/sed.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001516; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Smartpops.com; sid: 2001516; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Smartpops.com Spyware Update"; flow: to_server,established; uricontent:"/data/spv15.dat?v="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.smartpops.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001513; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Smartpops.com; sid: 2001513; rev:7;)

#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Snoopstick.net Related Spyware User-Agent (SnoopStick Updater)"; flow:established,to_server; content:"|0d 0a|User-Agent\: SnoopStick "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007956; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Snoopstick; sid:2007956; rev:2;)

#by William Salusky of the ISC (www.incidents.org)
# Details and updates available here http://handlers.sans.org/wsalusky/rants/
#Cleanup and updates by John Pritchard

# If you have any socks proxies being abused in your environment... The following four rules are MONEY.
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 25 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003254; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003254; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 19|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003255; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003255; rev:5;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 25 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003256; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003256; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 25 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 19|"; depth:4; threshold:type both, track by_src, count 2, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003257; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003257; rev:5;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 DNS Inbound Request (Windows Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003258; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003258; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 DNS Inbound Request (Linux Source)"; dsize:10<>40; flow:established,to_server; content:"|05 01 00 03|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003259; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003259; rev:5;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 HTTP Proxy Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003260; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003260; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 HTTP Proxy Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|00 50|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003261; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003261; rev:5;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 HTTP Proxy Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003262; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003262; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 HTTP Proxy Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 00 50|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003263; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003263; rev:5;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 443 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003266; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003266; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 443 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|01 bb|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003267; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003267; rev:5;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 443 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003268; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003268; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 443 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 01 bb|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003269; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003269; rev:5;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5190 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003270; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003270; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5190 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|14 46|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003271; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003271; rev:5;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 5190 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003272; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003272; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5190 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 14 46|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003273; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003273; rev:5;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 1863 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003274; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003274; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 1863 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|07 47|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003275; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003275; rev:5;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 1863 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003276; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003276; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 1863 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 07 47|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003277; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003277; rev:5;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5050 Inbound Request (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003278; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003278; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Port 5050 Inbound Request (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 01 00 01|"; depth:4; content:"|13 ba|"; offset:8; depth:2; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003279; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003279; rev:5;)
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 5050 Inbound Request (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003280; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003280; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Port 5050 Inbound Request (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 01 13 ba|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003281; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003281; rev:5;)


# Another case of rules that fire according to RFC standards, but I haven't really witnessed this type of traffic to confirm.
alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 IPv6 Inbound Connect Request (Windows Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003284; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003284; rev:5;)
alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 IPv6 Inbound Connect Request (Linux Source)"; dsize:10<>23; flow:established,to_server; content:"|05 01 00 04|"; depth:4; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003285; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003285; rev:5;)

# Another case of rules that fire according to RFC standards, but I haven't really witnessed this type of traffic to confirm.
alert udp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Windows Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003286; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003286; rev:6;)
alert udp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 UDP Proxy Inbound Connect Request (Linux Source)"; content:"|00 00|"; depth:2; content:"|01|"; offset:3; depth:1; threshold:type both, track by_src, count 1, seconds 900; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003287; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003287; rev:5;)

# I keep these mostly commented, while they are correct according to RFC for BIND actions, in practice I've found only FP's which I still need to dig through and see what's really going on there.
#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Bind Inbound (Windows Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; depth:2; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003288; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003288; rev:5;)
#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv4 Bind Inbound (Linux Source)"; dsize:9<>18; flow:established,to_server; content:"|04 02|"; depth:2; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003289; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003289; rev:5;)
#alert tcp $EXTERNAL_NET 32768:61000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Bind Inbound (Linux Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; depth:4; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003290; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003290; rev:5;)
#alert tcp $EXTERNAL_NET 1024:5000 -> $HOME_NET 1024:65535 (msg:"ET MALWARE SOCKSv5 Bind Inbound (Windows Source)"; dsize:10; flow:established,to_server; content:"|05 02 00 01|"; depth:4; reference:url,handlers.sans.org/wsalusky/rants/; reference:url,en.wikipedia.org/wiki/SOCKS; reference:url,ss5.sourceforge.net/socks4.protocol.txt; reference:url,ss5.sourceforge.net/socks4A.protocol.txt; reference:url,www.ietf.org/rfc/rfc1928.txt; reference:url,www.ietf.org/rfc/rfc1929.txt; reference:url,www.ietf.org/rfc/rfc1961.txt; reference:url,www.ietf.org/rfc/rfc3089.txt; classtype:protocol-command-decode; reference:url,doc.emergingthreats.net/bin/view/Main/2003291; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Socks_Proxy; sid:2003291; rev:5;)


#matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Soft-Show.cn Related Fake AV Install"; flow:established,to_server; uricontent:"/setup/setup.asp?id="; nocase; uricontent:"&pcid="; nocase; uricontent:"&ver="; nocase; uricontent:"&taday="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008135; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Soft-show.cn; sid:2008135; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Soft-Show.cn Related Fake AV Install Ad Pull"; flow:established,to_server; uricontent:"/setup/adClick.asp?Id="; nocase; uricontent:"&WebId="; nocase; uricontent:"&sDate="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008148; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Soft-show.cn; sid:2008148; rev:2;)

#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softcashier.com Spyware Install Checkin"; flow:established,to_server; uricontent:".php?wmid="; nocase; uricontent:"&subid="; nocase; uricontent:"&pid="; nocase; uricontent:"&lid="; nocase; uricontent:"&hs="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007861; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Softcashier; sid:2007861; rev:2;)

#another fake antispyware package, by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softspydelete.com Fake Anti-Spyware Checkin"; flow:established,to_server; uricontent:".php?"; nocase; uricontent:"a1="; nocase; uricontent:"&a2="; nocase; uricontent:"&a3="; nocase; uricontent:"Windows%20version%20is"; nocase; uricontent:"&a4=Build"; nocase; uricontent:"&a5="; nocase; uricontent:"&table="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007842; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Softspydelete.com; sid:2007842; rev:2;)

#by matt Jonkman, from the sandnet
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Softwarereferral.com Adware Checkin"; flow:established,to_server; uricontent:"wmid="; nocase; uricontent:"&mid="; nocase; uricontent:"&lid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007696; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Softwarereferral.com; sid:2007696; rev:3;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET MALWARE Likely Spambot Web-based Control Traffic"; flow: to_server,established; content:"User-Agent\: Godzilla"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001711; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid: 2001711; rev:6;)

# The following rule assists in the identification of spam when SMTP 220
# responses are seen egressing your network from unusual src ports.
# You may want to consider tagging a number of following packets.
#alert tcp $HOME_NET !21:587 -> any any (msg:"ET MALWARE Spambot Suspicious 220 Banner on Local Port"; flow: established; content:"220 "; offset: 0; depth: 4; tag: session, 20, packets; classtype: non-standard-protocol; reference:url,doc.emergingthreats.net/bin/view/Main/2001815; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid: 2001815; rev:8;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot Checking in to Spam"; flow:established,to_server; uricontent:"/devrandom/"; nocase; content:"dev"; nocase; content:!"User-Agent\:"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002988; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid:2002988; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot Pulling IP List to Spam"; flow:established,to_server; uricontent:"/devrandom/access.php"; nocase; content:"User-Agent\: Mozilla/4.0  (compatible)"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002990; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid:2002990; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot getting new exe url"; flow:established,to_server; uricontent:"404.txt"; nocase; content:"404"; content:!"User-Agent\:"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002989; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid:2002989; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot getting new exe"; flow:established,to_server; uricontent:"/traff/ppiigg.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002991; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spambots; sid:2002991; rev:4;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Specificclick.net Spyware Activity"; flow: to_server,established; uricontent:"/adopt.sm?"; nocase; uricontent:"l="; nocase; uricontent:"&sz="; nocase; uricontent:"&redir="; nocase; uricontent:"&nmv="; nocase; uricontent:"&nrsz="; nocase; uricontent:"&r="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003450; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Specificclick.net; sid: 2003450; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speedera Agent"; flow: to_server,established; uricontent:"/io/downloads"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001320; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Speedera; sid: 2001320; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Speedera Agent (Specific)"; flow: to_server,established; uricontent:"/io/downloads/3/wsem302.dl"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001321; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Speedera; sid: 2001321; rev:5;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spy-Not.com Spyware Updating"; flow:to_server,established; uricontent:"/updates1/SKVersion.ini"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003377; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spy-not.com; sid:2003377; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spy-Not.com Spyware Pulling Fake Sigs"; flow:to_server,established; uricontent:"/updates1/SKSignatures.zip"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003375; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spy-not.com; sid:2003375; rev:3;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpySherriff Spyware Activity"; flow: to_server,established; uricontent:"/progs_exe/jbsrak/"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002984; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SpySherriff; sid: 2002984; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Jupitersatellites.biz Spyware Download"; flow: to_server,established; uricontent:"/traff/ppiigg.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002987; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SpySherriff; sid: 2002987; rev:4;)

#by Mr Magic Pants
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpySheriff Intial Phone Home"; flow:established,to_server; uricontent:"trial.php?rest="; nocase; uricontent:"&ver="; nocase; uricontent:"&a="; nocase; content:"trial.php"; nocase; content:!"User-Agent\: "; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_135033.htm; reference:url,doc.emergingthreats.net/bin/view/Main/2003251; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SpySherriff; sid:2003251; rev:4;)

#by Matt Jonkman, from sandnet analysis
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpyShredder Fake Anti-Spyware Install Download"; flow:established,to_server; uricontent:"&advid="; nocase; uricontent:"&u="; nocase; uricontent:"&p="; nocase; uricontent:"?=______"; uricontent:"&vs="; nocase; uricontent:"&YZYYYYYYYYYYYYYYYYYYYYYYYYYY"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007593; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SpyShredder; sid:2007593; rev:3;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware DB Update"; flow: to_server,established; uricontent:"/updates/database/dbver.php"; nocase; content:"spywareaxe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002804; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyaxe; sid: 2002804; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware DB Version Check"; flow: to_server,established; uricontent:"/updates/database/dbver.dat"; nocase; content:"spywareaxe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002805; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyaxe; sid: 2002805; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyaxe Spyware Checkin"; flow: to_server,established; uricontent:"/download.php?sid="; nocase; content:"spyaxe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002806; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyaxe; sid: 2002806; rev:4;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spygalaxy.ws Activity"; flow: to_server,established; uricontent:"/install.php?id="; nocase; content:"Host\: spygalaxy.ws"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spygalaxy.ws; sid: 2001489; rev:6;)

#from sandnet data
#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spylog.ru Related Spyware Checkin"; flow:established,to_server; uricontent:"/cnt?"; nocase; uricontent:"cid="; nocase; uricontent:"&p="; nocase; uricontent:"&rn="; nocase; uricontent:"&c="; nocase; uricontent:"&tl="; nocase; uricontent:"&ls="; nocase; uricontent:"&ln="; nocase; uricontent:"&t="; nocase; uricontent:"&j="; nocase; uricontent:"&wh="; nocase; uricontent:"&px="; nocase; uricontent:"&sl="; nocase; uricontent:"&r="; nocase; uricontent:"&fr="; nocase; uricontent:"&pg="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007649; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spylog; sid:2007649; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Install"; flow: to_server,established; uricontent:"/SpySpotterInstall.cab"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001536; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyspotter.com; sid: 2001536; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyspotter.com Access"; flow: to_server,established; content:"Host\: "; depth:200; content:"spyspotter.com|0d 0a|"; nocase; distance:0; within:30; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001537; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spyspotter.com; sid: 2001537; rev:12;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpywareLabs VirtualBouncer Seeking Instructions"; flow: to_server,established; content:"instructions"; nocase; pcre:"/instructions\/\d{2}\.xml/mi"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.virtualbouncer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2000587; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spywarelabs_VirtualBouncer; sid: 2000587; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SpywareLabs Application Install"; flow: to_server,established; uricontent:"/DistID/BaseInstalls/V"; nocase; content:"User-Agent\:"; nocase; content:"Wise"; within:120; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001522; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spywarelabs_VirtualBouncer; sid: 2001522; rev:8;)

#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware Stormer Reporting Data"; flow: established,to_server; uricontent:"/showme.aspx?keyword="; nocase; content:"ecomdata1="; nocase; reference:url,www.spywarestormer.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001570; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spywarestormer; sid: 2001570; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spyware Stormer/Error Guard Activity"; flow: established,to_server; uricontent:"/sell.cgi?errorguard/1/errorguard"; nocase; reference:url,www.spywarestormer.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001571; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Spywarestormer; sid: 2001571; rev:7;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster Receiving New configuration (update)"; flow: to_server,established; uricontent:"/updatestats/update"; nocase; uricontent:".xml"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Statblaster; sid: 2001225; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster Receiving New configuration (allfiles)"; flow: to_server,established; uricontent:"/updatestats/all_files"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001523; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Statblaster; sid: 2001523; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster Code Download"; flow: to_server,established; uricontent:"/updatestats/"; nocase; uricontent:".exe"; nocase; classtype: policy-violation; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001524; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Statblaster; sid: 2001524; rev:6;)

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster.MemoryWatcher Download"; flow: to_server,established; uricontent:"/memorywatcher.exe"; reference:url,www.memorywatcher.com/eula.aspx; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001442; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Statblaster; sid: 2001442; rev:9;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity"; flow: established,to_server; uricontent:"/Bundling/SskUpdater"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001731; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SurfSidekick; sid: 2001731; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Download"; flow: established,to_server; uricontent:"/requestimpression.aspx?ver="; nocase; content:"host="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001992; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SurfSidekick; sid: 2001992; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity (ipixel)"; flow: established,to_server; uricontent:"/ipixel.htm?cid="; nocase; content:"&pck_id="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001994; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SurfSidekick; sid: 2001994; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfSidekick Activity (rinfo)"; flow: established,to_server; uricontent:"/rinfo.htm?"; nocase; uricontent:"host="; nocase; uricontent:"action="; nocase; uricontent:"client=SSK"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.surfsidekick.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002738; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_SurfSidekick; sid: 2002738; rev:3;)

#By Matt Jonkman from spywarelp data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAccuracy.com Spyware Updating"; flow:to_server,established; uricontent:"/sacc/sacc.cfg.php?"; nocase; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003390; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Surfaccuracy.com; sid:2003390; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAccuracy.com Spyware Pulling Ads"; flow:to_server,established; uricontent:"/sacc/popup.php"; nocase; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-062716-0109-99; reference:url,doc.emergingthreats.net/bin/view/Main/2003391; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Surfaccuracy.com; sid:2003391; rev:3;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAssistant.com Spyware Install"; flow: to_server,established; uricontent:"/distribution/questmod-1.dll"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001510; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Surfassistant.com; sid: 2001510; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SurfAssistant.com Spyware Reporting"; flow: to_server,established; uricontent:"/sa/?a="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.sa.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001514; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Surfassistant.com; sid: 2001514; rev:8;)

#fake av, sig by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE System-defender.com Fake AV Install Checkin"; flow:established,to_server; uricontent:"?wmid="; nocase; uricontent:"&mid="; nocase; uricontent:"&lndid="; nocase; classtype:trojan-activity; reference:url,www.system-defender.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007856; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_System-defender.com; sid:2007856; rev:2;)

#fake av package, sigs by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SysVenFak Fake AV Package User-Agent (gh2008)"; flow:established,to_server; content:"|0d 0a|User-Agent\: gh20"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007944; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Sysvenfak; sid:2007944; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE SysVenFak Fake AV Package Victim Checkin (victim.php)"; flow:established,to_server; uricontent:"/victim.php?"; pcre:"/victim\.php\?\d\d\d\d\d/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007945; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Sysvenfak; sid:2007945; rev:2;)

#By Matt Jonkman from spyware lp data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sytes.net Related Spyware Reporting"; flow:to_server,established; uricontent:"/Reporting/admin/upload.php"; nocase; content:"POST "; depth:5; nocase; content:"sytes.net"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/security/analyses/w32forbotdv.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003533; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Sytes.net; sid:2003533; rev:4;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TargetNetworks.net Spyware Reporting (req)"; flow: to_server,established; uricontent:"/request/req.cgi?gu="; nocase; uricontent:"&sid="; nocase; uricontent:"&kw="; nocase; reference:url,www.targetnetworks.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001997; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TargetNetworks.net; sid: 2001997; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TargetNetworks.net Spyware Reporting (tn)"; flow: to_server,established; uricontent:"/data/tn.dat?v="; nocase; uricontent:"&sid="; nocase; reference:url,www.targetnetworks.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002046; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TargetNetworks.net; sid: 2002046; rev:6;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thebestsoft4u.com Spyware Install (1)"; flow: to_server,established; uricontent:"/pa/glx.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001482; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Thebestsoft4u; sid: 2001482; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thebestsoft4u.com Spyware Install (2)"; flow: to_server,established; uricontent:"/pa/proxyrnd.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001485; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Thebestsoft4u; sid: 2001485; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE thebestsoft4u.com Spyware Install (3)"; flow: to_server,established; uricontent:"/pr.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001486; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Thebestsoft4u; sid: 2001486; rev:6;)

#horrendous multi-install service at theinstalls.com
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Theinstalls.com Initial Checkin"; flow:established,to_server; uricontent:"/plist.php?uid="; content:"|0d 0a|Host\: "; content:"theinstalls.com|0d 0a|"; within:23; classtype:trojan-activity; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007788; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Theinstalls.com; sid:2007788; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Theinstalls.com Trojan Download"; flow:established,to_server; uricontent:"/files/programs/"; content:"|0d 0a|Host\: "; content:"theinstalls.com|0d 0a|"; within:23; classtype:trojan-activity; reference:url,www.theinstalls.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007798; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Theinstalls.com; sid:2007798; rev:2;)


#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Download"; flow: to_server,established; uricontent:"/d4.fcgi?v="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001488; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Tibsystems.com; sid: 2001488; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Install (1)"; flow: to_server,established; uricontent:"/fcgi-bin/iza2.fcgi?m="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001729; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Tibsystems.com; sid: 2001729; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tibsystems Spyware Install (2)"; flow: to_server,established; uricontent:"/tb/loader2.ocx"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001734; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Tibsystems.com; sid: 2001734; rev:5;)

#by Russ McRee
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trojan.Downloader.Time2Pay.AQ"; flow:established,to_server; uricontent:"/progs_traff/";nocase; reference:url,research.sunbelt-software.com; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003034; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Time2Pay; sid:2003034; rev:3;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Agent Download (1)"; flow: established,to_server; uricontent:"/ldr.exe"; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001890; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001890; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE ToolbarPartner Spyware Spambot Retrieving Target Emails"; flow: established,to_server; uricontent:"/mailz.php?id="; nocase; reference:url,toolbarpartner.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001895; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_ToolBarPartner; sid: 2001895; rev:6;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Reporting Data to External Host"; flow: to_server,established; content:"/downloads/record_download.asp"; nocase; pcre:"/(GET |GET (http|https)\:\/\/[-0-9a-z.]*)\/downloads\/record_download\.asp/i"; reference:url,www.topmoxie.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000588; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopMoxie; sid: 2000588; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Retrieving Data (downloads)"; flow: to_server,established; uricontent:"/external/builds/downloads2/"; nocase; reference:url,www.topmoxie.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000589; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopMoxie; sid: 2000589; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE TopMoxie Retrieving Data (common)"; flow: to_server,established; uricontent:"/external/builds/common/"; nocase; reference:url,www.topmoxie.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000590; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopMoxie; sid: 2000590; rev:7;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com Install (1)"; flow: established,to_server; uricontent:"/acti.asp?cl=1&gd=1&clpid="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001646; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopRebates; sid: 2001646; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com Install (2)"; flow: established,to_server; uricontent:"/builds/"; nocase; uricontent:"AutoTrack_Install.exe"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001647; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopRebates; sid: 2001647; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toprebates.com User Confirming Membership"; flow: established,to_server; uricontent:"/cgi/account.plx?pid="; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.webrebates.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001648; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopRebates; sid: 2001648; rev:5;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Ezula"; flow: to_server,established; uricontent:"/MindSet5/install/ezinstall.exe"; nocase; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001334; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopText_ILookup; sid: 2001334; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Ezula Installer Download"; flow: from_server,established; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001335; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TopText_ILookup; sid: 2001335; rev:7;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spywaremover Activity"; flow: to_server,established; uricontent:"/spywareremovers.php?"; content:"Host\: topantispyware.com"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.topantispyware.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001520; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Topantispyware.com; sid: 2001520; rev:7;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topconverting Spyware Install"; flow: to_server,established; uricontent:"/activex/weirdontheweb_topc.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002004; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Topconverting.com; sid: 2002004; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topconverting Spyware Reporting"; flow: to_server,established; uricontent:"/trigger.php?partner="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002040; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Topconverting.com; sid: 2002040; rev:5;)

#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Topgame-online.com Ruch Casino Install User-Agent (RichCasino)"; flow:established,to_server; content:"|0d 0a|User-Agent\: RichCasino"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009831; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Topgame-online.com; sid:2009831; rev:2;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET MALWARE Traffic Syndicate Add/Remove"; flow: to_server,established; uricontent:"/Support/AddRemove.aspx?id="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001313; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TrafficSyndicate; sid: 2001313; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET MALWARE Traffic Syndicate Agent Updating (1)"; flow: to_server,established; uricontent:"/TbLinkConfig.asmx"; nocase; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001315; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TrafficSyndicate; sid: 2001315; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "ET MALWARE Traffic Syndicate Agent Updating (2)"; flow: to_server,established; uricontent:"/TbInstConfig.asmx"; nocase; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001316; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_TrafficSyndicate; sid: 2001316; rev:8;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Trafficsector.com Spyware Install"; flow: to_server,established; uricontent:"/install.php?"; nocase; uricontent:"afid="; nocase; uricontent:"&user_id="; content:"trafficsector"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002736; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Trafficsector; sid: 2002736; rev:3;)

#by Matt Jonkman, data from the Spyware Listening Post
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Transponder Spyware Activity"; flow:established,to_server; uricontent:"/sendROIcookie.cfm?refer="; nocase; classtype:trojan-activity; reference:url,www.doxdesk.com/parasite/Transponder.html; reference:url,doc.emergingthreats.net/bin/view/Main/2002320; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Transponder; sid:2002320; rev:3;)

#by Matt Jonkman, from Spyware LP Hits
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Travel Update Spyware"; flow:established,to_server; uricontent:"/abt?data="; nocase; pcre:"/\/abt\?data=\S{150}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003297; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Travel_Update; sid:2003297; rev:3;)

#by cjeremy
# ref: 2aebe5fa5c98589bd0f169f9013715b8
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/Spyware Trymedia.com EXE download"; flow:established,to_server; content:"GET "; depth:4; uricontent:".exe?nva="; uricontent:"&aff="; uricontent:"&token="; content:"User-Agent\: Macrovision_DM"; nocase; classtype:policy-violation; reference:url,www.browserdefender.com/site/trymedia.com; reference:url,www.threatexpert.com/reports.aspx?find=Adware.Trymedia; reference:url,doc.emergingthreats.net/2009091; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Trymedia; sid:2009091; rev:2;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware Reporting"; flow: to_server,established; uricontent:"/iis2ucms.asp"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001995; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_UCmore; sid: 2001995; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE UCMore Spyware Downloading Ads"; flow: to_server,established; uricontent:"/iis2ucms_getsponsorlinks.asp"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001998; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_UCmore; sid: 2001998; rev:5;)

# Added by Frank Knobbe on 2006-03-12
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST "; depth:5; nocase; uricontent:"/robots.txt"; nocase; pcre:"/Cookie\:\ +x=[0-9]*\;\ +y=[0-9]+/i"; classtype:unknown; reference:url,doc.emergingthreats.net/bin/view/Main/2002856; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Unknown; sid:2002856; rev:5;)

# Added by Frank Knobbe on 2006-07-02
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE /jk/exp.wmf Exploit Code Load Attempt"; flow:to_server,established; uricontent:"/jk/exp.wmf"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Unknown; sid:2002999; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PopupSh.ocx Access Attempt"; flow:to_server,established; uricontent:"/PopupSh.ocx"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003000; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Unknown; sid:2003000; rev:4;)

#Matt Jonkman
# This appears to be a controller the above trojan uses
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Unknown Web Bot Controller Accessed"; flow:to_server,established; uricontent:"/stata/index.php?tr=ok"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003025; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Unknown; sid:2003025; rev:3;)

#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; uricontent:"/Pro/pro.php?mac="; nocase; uricontent:"&key="; nocase; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Upspider.com-Sidelinker.com; sid:2008157; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; uricontent:"/Pro/cnt.php?mac="; nocase; uricontent:"&key="; nocase; uricontent:"&pid="; nocase; pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Upspider.com-Sidelinker.com; sid:2008158; rev:3;)

#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE V-Clean.com Fake AV Checkin"; flow:established,to_server; uricontent:"/bill_mod/bill_count.php?C_FLAG="; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 5.5\; Windows 98)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008180; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_V-clean.com; sid:2008180; rev:2;)

#by Matt Jonkman from Listening Post Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware"; flow:established,to_server; uricontent:"/DittoIA.jsh?pid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002348; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_VPPTechnologies; sid:2002348; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE VPP Technologies Spyware Reporting URL"; flow:established,to_server; uricontent:"/js.vppimage?key="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002350; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_VPPTechnologies; sid:2002350; rev:3;)

#by victor julien
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vaccine-program.co.kr Related Spyware Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/version/controllerVersion"; nocase; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007995; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Vaccine-program.co.kr; sid:2007995; rev:2;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware siae3123.exe GET"; flow: to_server,established; content:"siae3123.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000306; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2000306; rev:25;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8081 (msg:"ET MALWARE Virtumonde Spyware siae3123.exe GET (8081)"; flow: to_server,established; content:"siae3123.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2000307; rev:23;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware Information Post"; flow: to_server,established; content:"POST "; nocase; content:"e_g_StatisticsUploadDelay"; nocase; content:"g_AffiliateID"; nocase; content:"virtumonde.com"; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000308; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2000308; rev:22;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware Code Download mmdom.exe"; flow: to_server,established; uricontent:"/mmdom.exe"; nocase; reference:url,sarc.com/avcenter/venc/data/adware.virtumonde.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001525; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2001525; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Virtumonde Spyware Code Download bkinst.exe"; flow: to_server,established; uricontent:"/bkinst.exe"; nocase; content:"virtumonde.com"; reference:url,www.lurhq.com/iframeads.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001526; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Virtumonde; sid: 2001526; rev:21;)

#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Vombanetworks.com Spyware Installer Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/scripts/get_cookie.php"; nocase; content:"|0d 0a 0d 0a|vomba="; content:"&ff="; content:"&vombashots="; content:"&vombashots_ff="; content:"&hwd="; content:"&ver="; content:"&vinfo=Windows"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2007870; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Vombanetwork.com; sid:2007870; rev:2;)

# Weatherbug - Dale Handy, PE
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug"; flow: to_server,established; uricontent:"WxAlertIsapi"; nocase; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001235; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid: 2001235; rev:11;)
#Submitted by Joel Esler
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Capture"; flow: to_server,established; content:"GET"; nocase; content:"Host\:"; nocase; within: 500; content:"weatherbug.com"; nocase; within: 100; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001267; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid: 2001267; rev:14;)
#by M Shirk
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Wxbug Capture"; flow: to_server,established; content:"GET"; nocase; content:"Host\:"; nocase; within: 500; content:"wxbug.com"; nocase; within: 100; threshold: type limit, track by_src, count 1, seconds 3600; classtype: misc-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002364; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid: 2002364; rev:4;)

#from spywarelp data, by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Activity"; flow:established,to_server; uricontent:"/WeatherWindow/WeatherWindow"; nocase; uricontent:"?rnd="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003420; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003420; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Design60 Upload Activity"; flow:established,to_server; uricontent:"/GetDesign60.aspx?Magic="; nocase; uricontent:"?ZipCode="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003421; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003421; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Design60 Upload Activity"; flow:established,to_server; uricontent:"/GetDesign60.aspx?Magic="; nocase; uricontent:"?ZipCode="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003423; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003423; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Command Activity"; flow:established,to_server; uricontent:"/connection/connectionv"; nocase; uricontent:"?t="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003422; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003422; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weatherbug Vista Gadget Activity"; flow:established,to_server; uricontent:"/Command/VistaGadget_v"; nocase; uricontent:"UserId="; nocase; uricontent:"&AppVersion="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003534; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weatherbug; sid:2003534; rev:3;)

#by Matt Jonkman, from Spyware Listening Post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webbuying.net Spyware Installing"; flow:established,to_server; uricontent:"/inst.php?"; nocase; uricontent:"d="; nocase; uricontent:"&cl="; nocase; uricontent:"&l="; nocase; uricontent:"&e="; nocase; uricontent:"&v=wbi_v"; nocase; uricontent:"&uid="; nocase; uricontent:"&time="; nocase; uricontent:"&win="; nocase; uricontent:"&un=0"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003442; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Webbuying.net; sid:2003442; rev:3;)

#Submitted by Matt Jonkman, Tweaks by Bob Grabowsky
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Webhancer Data Upload"; flow: from_server,established; content:"WebHancer Authority Server"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001317; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Webhancer; sid: 2001317; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webhancer Data Post"; flow: to_server,established; content:"POST http\://prime.webhancer.com"; nocase; content:"AgentTag\:"; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001677; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Webhancer; sid: 2001677; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Webhancer Agent Activity"; flow: to_server,established; content:"Host\:"; nocase; content:"webhancer.com"; within:30; nocase; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.webhancer.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001678; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Webhancer; sid: 2001678; rev:7;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Spyware"; flow: to_server,established; uricontent:"/sitereview.asmx/GetReview"; nocase; classtype: trojan-activity; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001325; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Websearch.com; sid: 2001325; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Outbound Dialer Retrieval"; flow: to_server,established; uricontent:"/1/rdgUS10.exe"; nocase; classtype: trojan-activity; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2001517; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Websearch.com; sid: 2001517; rev:7;)

#Matt Jonkman, from spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Websearch.com Cab Download"; flow: to_server,established; uricontent:"/Dnl/T_"; nocase; pcre:"/\/\S+\.cab/Ui"; classtype: trojan-activity; reference:mcafee,131461; reference:url,doc.emergingthreats.net/bin/view/Main/2003242; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Websearch.com; sid: 2003242; rev:7;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weird on the Web /180 Solutions Checkin"; flow: to_server,established; uricontent:"/notifier/config.ini?v="; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002036; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weirdontheweb; sid: 2002036; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Weird on the Web /180 Solutions Update"; flow: to_server,established; uricontent:"/notifier/updates"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002041; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Weirdontheweb; sid: 2002041; rev:5;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com App and Search Bar Install (1)"; flow: to_server,established; uricontent:"/vsn/ISA/"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000908; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000908; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com App and Search Bar Install (2)"; flow: to_server,established; uricontent:"/Appinstall?app=VVSN"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000909; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin"; flow: to_server,established; uricontent:"/heartbeat?"; nocase; uricontent:"=clock"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000910; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin"; flow: to_server,established; uricontent:"/heartbeat?"; nocase; uricontent:"=weather"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000911; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000911; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin (1)"; flow: to_server,established; uricontent:"/clock?id="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000912; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000912; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Clock Sync App Checkin (2)"; flow: to_server,established; uricontent:"/clockDB"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000913; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000913; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin (1)"; flow: to_server,established; uricontent:"/weatherDB"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000914; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000914; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Weather App Checkin (2)"; flow: to_server,established; uricontent:"/weather?id="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000915; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000915; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave App Checkin"; flow: to_server,established; uricontent:"/heartbeat?"; nocase; uricontent:"=whenusave"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000916; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000916; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (offersdata)"; flow: to_server,established; uricontent:"/OffersDataGZ?update="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000917; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000917; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Desktop Bar Install"; flow: to_server,established; uricontent:"/Appinstall?app=desktop"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000918; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000918; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (Searchdb)"; flow: to_server,established; uricontent:"/SearchDB?update="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2000919; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2000919; rev:9;)

#Submitted by Chris Norton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Desktop Bar App Checkin"; flow: to_server,established; uricontent:"/heartbeat?"; nocase; uricontent:"=desktop"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001443; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2001443; rev:8;)

#Matt Jonkman from spywarelp data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com Application Version Check"; flow: to_server,established; uricontent:"/versions.html"; nocase; content:"whenu.com"; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003389; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2003389; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE WhenUClick.com WhenUSave Data Retrieval (DataChunksGZ)"; flow: to_server,established; uricontent:"/DataChunksGZ?update="; nocase; uricontent:"ver="; nocase; uricontent:"svr="; nocase; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003404; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_WhenUSearch.com; sid: 2003404; rev:4;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Installation"; flow: to_server,established; uricontent:"/Recovery/Checkin.aspx?version"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001307; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001307; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Checking In"; flow: to_server,established; uricontent:"/CDADeliveries/Checkin.aspx"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001309; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001309; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent Traffic"; flow: to_server,established; uricontent:"/CDAFiles/DP/SysConfig"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001310; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001310; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Agent"; flow: to_server,established; uricontent:"/CDAFiles/"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001314; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001314; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent New Install"; flow: to_server,established; uricontent:"/NewUser/Checkin.aspx"; nocase; classtype: trojan-activity; reference:url,www.spyany.com/program/article_spw_rm_WildTangent.html; reference:url,www.wildtangent.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001322; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wild_Tangent; sid: 2001322; rev:6;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Wild Tangent Install"; flow: to_server,established; uricontent:"/updatestats/AI_Euro.exe"; nocase; classtype: trojan-activity; reference:mcafee,122249; reference:url,doc.emergingthreats.net/bin/view/Main/2002008; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wildmedia; sid: 2002008; rev:8;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Windupdates.com Spyware Install"; flow: established,to_server; uricontent:"/cab/CDTInc/ie/"; nocase; uricontent:".cab"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001700; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Windupdates.com; sid: 2001700; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Windupdates.com Spyware Loggin Data"; flow: established,to_server; uricontent:"/logging.php?p="; nocase; content:"Host\: public.windupdates.com"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001701; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Windupdates.com; sid: 2001701; rev:6;)

#By Matt Jonkman from spyware listening post data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winfixmaster.com Fake Anti-Spyware Install"; flow: to_server,established; uricontent:"/dispatcher.php?action="; nocase; content:"Host\: www.winfix"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003543; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winfixmaster.com; sid: 2003543; rev:3;)

#Matt jonkman from Spyware LP Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winferno Registry Fix Spyware Download"; flow: to_server,established; uricontent:"/freeze_rpc6bundle_us/REGISTRYFIXDLL.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003353; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wininferno.com; sid:2003353; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Freeze.com Spyware Download"; flow: to_server,established; uricontent:"/WebServices/DesktopManager/"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003356; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Wininferno.com; sid:2003356; rev:3;)

#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winquickupdates.com/Mycashloads.com Related Trojan Install Report"; flow:established,to_server; uricontent:"/newuser.php?saff="; pcre:"/\/newuser\.php.saff=(\d+|x.+)/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008012; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winquickupdates.com; sid:2008012; rev:3;)

#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winreanimator.com Fake AV Install Attempt"; flow:established,to_server; uricontent:"/inst.php?wmid="; nocase; uricontent:"&p="; nocase; uricontent:"&l="; nocase; uricontent:"&s="; nocase; classtype:trojan-activity; reference:url,www.winreanimator.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007865; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winreanimator.com; sid:2007865; rev:2;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winsoftware.com Spyware Activity"; flow: to_server,established; uricontent:"/?proto="; nocase; uricontent:"&rc="; nocase; uricontent:"&abbr="; nocase; uricontent:"platform="; nocase; uricontent:"&os_version="; nocase; uricontent:"&appid="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003471; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winsoftware.com; sid: 2003471; rev:4;)

#matt jonkman, www.winxdefender.com fake AV package
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winxdefender.com Fake AV Package Post Install Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/checkupdate.php"; nocase; content:"|0d 0a|User-Agent\: Opera"; content:"Computer ID\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008197; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Winxdefender.com; sid:2008197; rev:2;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (1)"; flow: to_server,established; uricontent:"/fa/evil.html"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001461; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001461; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs Occuring"; flow: to_server,established; uricontent:"/fa/?d=get"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001462; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001462; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (2)"; flow: to_server,established; content:"src=http\://xpire.info/i.exe"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001463; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001463; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (3)"; flow: to_server,established; uricontent:"/i.exe"; nocase; content:"xpire.info"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001464; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001464; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (4)"; flow: to_server,established; uricontent:"/dl/adv121.php"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001466; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001466; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (5)"; flow: to_server,established; uricontent:"/dl/adv121/x.chm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001467; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001467; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs CHM Exploit"; flow: to_server,established; uricontent:"/fa/ied_s7m.chm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001468; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001468; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (6)"; flow: to_server,established; uricontent:"/fa/x.chm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001469; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001469; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Multiple Spyware Installs (7)"; flow: to_server,established; uricontent:"/fa/xpl3.htm"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001470; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Exploit"; flow: to_server,established; uricontent:"/2DimensionOfExploitsEnc.php"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001471; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001471; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Install Reporting"; flow: to_server,established; uricontent:"/xpsystem/report.php?user_id="; nocase; uricontent:"&status=0&country_id="; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001472; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001472; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Install Code Download"; flow: to_server,established; uricontent:"/install.gz"; nocase; content:"Host\: xpire.info"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001491; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Install Report"; flow: to_server,established; content:"counter.htm"; nocase; pcre:"//user\d+/counter\.htm/im"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001541; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Xpire.info; sid: 2001541; rev:10;)

#Thanks James Ashton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Yesadvertising Banking Spyware RETRIEVE"; flow: to_server,established; uricontent:"/img1big.gif"; nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000336; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yesadvertising_Banking_Spyware; sid: 2000336; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Yesadvertising Banking Spyware INFORMATION SUBMIT"; flow: to_server,established; uricontent:"/cgi-bin/yes.pl"; nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2000337; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yesadvertising_Banking_Spyware; sid: 2000337; rev:10;)

# by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE YourSiteBar Data Submision"; flow: to_server,established; uricontent:"/ist/scripts/istsvc_ads_data.php?version="; nocase; reference:url,www.ysbweb.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2001698; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_YourSiteBar; sid: 2001698; rev:6;)

#Matt jonkman from Spyware LP Data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Yourscreen.com Spyware Download"; flow: to_server,established; uricontent:"/data/yourscreen_data.exe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2003354; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yourscreen.com; sid:2003354; rev:3;)

#By Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yupsearch.com Spyware Install - protector.exe"; flow: to_server,established; uricontent:"/protector.exe"; nocase; reference:url,www.yupsearch.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002092; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yupsearch.com; sid: 2002092; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE yupsearch.com Spyware Install - sideb.exe"; flow: to_server,established; uricontent:"/sideb.exe"; nocase; reference:url,www.yupsearch.com; classtype: trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2002098; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Yupsearch.com; sid: 2002098; rev:6;)

#John Stewart
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Adware"; flow: to_server,established; uricontent:"/cl/clientdump"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2001947; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; sid: 2001947; rev:5;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Adware 2"; flow: to_server,established; uricontent:"/cl/clienthost"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002735; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; sid: 2002735; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenotecnico Spyware Install Report"; flow: to_server,established; uricontent:"/instreport"; content:"zenotecnico"; nocase; reference:url,www.zenotecnico.com; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002737; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; sid: 2002737; rev:4;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|uid="; distance:0; content:"&ref="; distance:0; content:"&clid="; distance:0; content:"&commode="; distance:0; content:"&cmd="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; sid:2008757; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".asp?rnd="; content:"|0d 0a 0d 0a|uid="; content:"&ref="; distance:0; content:"&clid="; distance:0; content:"&umode="; distance:0; content:"&cn="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008798; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_Zenotecnico; sid:2008798; rev:2;)

#Matt Jonkman, from spyware lp data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Supergames.aavalue.com Spyware"; flow: established,to_server; uricontent:"/toolbars/msg/msg_serverside.xml"; nocase; content:"aavalue.com"; nocase; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EZ-Tracks%20Toolbar&threatid=41189; reference:url,doc.emergingthreats.net/bin/view/Main/2003525; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_aavalue.com; sid: 2003525; rev:3;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE adservs.com Spyware"; flow: to_server,established; uricontent:"/binaries/relevance.dat"; content:"adservs"; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2002740; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_adservs.com; sid: 2002740; rev:3;)

# Following are requests from adware served by iframebiz.biz
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - adv***.php"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/adv"; nocase; pcre:"/adv\d+\.php/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002707; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2002707; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - sploit.anr"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/sploit.anr"; nocase; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002708; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2002708; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - loaderadv***.jar"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/loaderadv"; nocase; pcre:"/loaderadv\d+\.jar/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002709; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2002709; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - loadadv***.exe"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/loadadv"; nocase; pcre:"/loadadv\d+\.exe/Ui"; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,isc.sans.org/diary.php?storyid=868; reference:url,doc.emergingthreats.net/bin/view/Main/2002710; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2002710; rev:6;)

#by Deapesh Misra
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE iframebiz - /qwertyuiyw12ertyuytre/adv***.php"; flow:established,to_server; uricontent:"/qwertyuiyw12ertyuytre"; nocase; classtype:trojan-activity; reference:url,iframecash.biz; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADR.QC&VSect=T; reference:url,doc.emergingthreats.net/bin/view/Main/2008681; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_iframebiz; sid:2008681; rev:4;)

#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE K8l.info Spyware Activity"; flow: to_server,established; uricontent:"/media/servlet/view/dynamic/url/zone?"; nocase; uricontent:"zid="; nocase; uricontent:"&pid="; nocase; uricontent:"&DHWidth="; nocase; uricontent:"&DHHeight="; nocase; uricontent:"Ref="; nocase; classtype: policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/2003451; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/MALWARE/MALWARE_k8l.info; sid: 2003451; rev:3;)

#From Chris Norton.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Generic Downloader Outbound HTTP connection - Downloading Code"; flow:established,to_server; content:"User-Agent|3A| PE-"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002695; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Bankem; sid:2002695; rev:6;)

# BugBear
#Submitted by Brad Doctor, 3/8/2005, for BugBear@MM
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Bugbear@MM virus via SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001764; rev:6;)
alert tcp $HOME_NET any -> any 139 (msg:"ET VIRUS BugBear@MM virus in Network share"; flow: established; content:"|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001765; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001765; rev:6;)
alert tcp $HOME_NET any -> any 139 (msg:"ET VIRUS BugBear@MM Worm Copied to Startup Folder"; flow: established; content:"|77 00 69 00 6B 00 2E 00 65 00 78 00 65 00 00 00|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001766; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001766; rev:6;)

# Submitted 2006-05-01 by Mark Tombaugh
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET VIRUS Mytob.X [clam] SMTP Inbound"; flow:to_server,established; content:"UEsDBAoA"; content:"ojRrPyGt"; distance:8; within:16; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Nugache; sid:2002892; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Mytob.X [clam] SMTP Outbound"; flow:to_server,established; content:"UEsDBAoA"; content:"ojRrPyGt"; distance:8; within:16; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002893; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Nugache; sid:2002893; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET VIRUS W32.Nugache SMTP Inbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; classtype:trojan-activity; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; reference:url,doc.emergingthreats.net/2002894; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Nugache; sid:2002894; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS W32.Nugache SMTP Outbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002895; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Nugache; sid:2002895; rev:4;)

#by Jonathan Gross. Experimental
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2003614; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET VIRUS WinUpack Modified PE Header Outbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2003615; rev:4;)

#by Dan Clemens of packetninjas.net
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing in HTTP Download Possibly Hostile"; flow:from_server,established; content:"UpackByDwing|40|"; content:"PE|00 00|"; within:20; reference:url,www.packetninjas.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008946; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2008946; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing in HTTP (2) Possibly Hostile"; flow:from_server,established; content:"PE|00 00|"; content:"Upack|00 00|"; within:255; reference:url,www.packetninjas.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008947; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2008947; rev:2;)

#matt jonkman/wes brown
#falsing, needs adjustment
#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile"; flowbits:isset,ET.http.binary; flow:established,from_server; content:"VirtualProtect|00|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009080; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2009080; rev:3;)

#These are by Vlad Tsyrklevich during presentation at Toorcon 06. These are experimental and will likely be high load.
#more information at http://toorcon.org/2006/conference.html?id=29

#These are disabled by default until we learn more about them.

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE CLET polymorphic payload"; classtype:shellcode-detect; dsize: >40; content: "|74 07 eb|"; content: "|e8|"; distance: 1; within: 1; pcre: "/\xeb.[\x58-\x5b]\x31[\xc0\xc9\xd2\xdb][\xb0-\xb3].\x8b.[\x05\x2d\x35\x81\xc1]/sm"; pcre: "/[\x40-\x43\xfd\xff][\x40-\x43\xff][\x40-\x43\x80\xff][\x40-\x43\xe9-\xeb\xff\x80\x2c][\x40-\x43\x48-\x4b\xe9-\xeb\x01\x2c\x80][\x48-\x4c\xe9-\xeb\x02\x2c][\x03\x48-\x4b][\x48-\x4b]\x74\x07\xeb.\xe8.\xff\xff\xff/smR"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Polymorphic_Experimental; sid:2003117; rev:3;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE Shikata Ga Nai polymorphic payload"; classtype:shellcode-detect; dsize: >26; content: "|d9 74 24 f4|"; pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; pcre: "/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003118; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Polymorphic_Experimental; sid:2003118; rev:3;)

#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE ADMutate polymorphic payload"; classtype:shellcode-detect; dsize: >45; content: "|e8|"; content: "|ff ff ff|"; distance: 1; within: 3; pcre: "/\xeb[\x26-\x7a].{0,20}(\x5e|\x58\x96|\x58\x89\xc6|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....|\x68....\x5b).{0,20}(\x31\xc9|\x31\xc0\x91))|((\x31\xc9|\x31\xc0\x91).{0,20}(\xbb....|\x68....\x5b))).{0,20}(\xb1.|\x6a.\x58\x89\xc1|\x6a.\x66\x59).{0,20}(\x31\x1e|\x93\x31\x06\x93|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003119; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Polymorphic_Experimental; sid:2003119; rev:3;)

# Sobig

#Unknown submitter - Sobig E-F downloading goodies
alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET VIRUS Sobig.E-F Trojan Site Download Request"; dsize: 8; content:"|5c bf 01 29 ca 62 eb f1|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html; reference:url,doc.emergingthreats.net/2001547; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Sobig_Trojan_Download_Request; sid: 2001547; rev:7;)

# Spy.Win32.Bancos Trojan

#Submitted by Matt Jonkman for Spy.Win32.Bancos Trojan
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET VIRUS Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; reference:url,doc.emergingthreats.net/2001726; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Trojan-Spy.Win32.Bancos; sid: 2001726; rev:8;)

#from sandnet data
#Disabling by default, hits on the VB api, not unique to this virus.
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bancos User-Agent Detected"; flow:established,to_server; content:"User-Agent\: vb wininet"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2004114; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Trojan-Spy.Win32.Bancos; sid:2004114; rev:3;)

#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J)"; flow:established,to_server; content:"User-Agent\: p4r4z1t3v3"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003638; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Win32_AV-Killer; sid:2003638; rev:3;)

#by mr Magic Pants
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Win32.SMTP-Mailer SMTP Outbound"; flow:to_server,established; content:"Subject\: \: ZOMBIE"; nocase; content:"X-Library\: Indy 9.00.10"; nocase; distance:0; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095; reference:url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1; reference:url,doc.emergingthreats.net/2003041; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Win32_Mailer; sid:2003041; rev:5;)

# by: Jeremy Conway at sudosecure.net
# ref: bbd144858cb1af3177a02900865d3134
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Possible AV KILLER- HTTP GET"; flow:established,to_server; content:"GET "; depth:4; content:" HTTP/1.0|0d 0a|"; within:200; uricontent:"SoftName="; nocase; uricontent:"SoftVersion="; nocase; uricontent:"UserIP="; nocase; uricontent:"Mac="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009487; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AVKiller; sid:2009487; rev:2;)

# by: Jeremy Conway at sudosecure.net
# ref: 01683fba555b59dac497a390e5afea47
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AVKiller with Backdoor checkin - HTTP POST"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|id="; nocase; content:"&ip_int="; nocase; content:"&os="; nocase; content:"&av="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009812; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AVKiller; sid:2009812; rev:2;)

#by: Jeremy Conway at sudosecure.net
# ref: cd3c73136661fea7e33ed41666953bc9
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Adware/Spyware Adrotator for Rogue AV"; flow:established,to_server; content:"GET "; depth:4; uricontent:"nsi_install.php?"; nocase; uricontent:"aff_id="; nocase; uricontent:"&inst_result="; uricontent:"&id="; nocase; classtype:trojan-activity; reference:url,www.spywaredetector.net/spyware_encyclopedia/Trojan.Vapsup.htm; reference:url,www.spywaredetector.net/spyware_encyclopedia/Fake AntiSpyware.POWER-ANTIVIRUS-2009.htm; reference:url,www.threatexpert.com/threats/adware-agent-gen.html; reference:url,novirusthanks.org/blog/2008/11/rogue-antispyware-2009-served-through-beedlyus-ads/; reference:url,doc.emergingthreats.net/2009548; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Adrotater; sid:2009548; rev:3;)

#by pedro marinho
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Agent.END"; flow:to_server,established; content:"GET "; depth:4; uricontent:"idcomp="; uricontent:"&load1="; uricontent:"&hist=downloaded_user_"; uricontent:"MyValue="; pcre:"/MyValue=[a-f0-9]{32}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010243; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Agent.end; sid:2010243; rev:2;)

#by Steven Adair and Shadowserver.org
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Agent.kaq Chinese IE Password Stealer Encoded Traffic"; flow:to_server,established; content:"|20 20 20 20 20 00 03 00 06 00|"; depth:10; dsize:>100; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008169; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Agent.kaq; sid:2008169; rev:4;)

#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alman Dropper Checkin"; flow:established,to_server; uricontent:"/info.asp?action=post&HD="; uricontent:"&OT="; uricontent:"&IV="; uricontent:"&AV="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009203; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Alman; sid:2009203; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alureon Checkin (Post)"; flow:established,to_server; content:"POST "; depth:5; content:" HTTP/1.0|0d 0a|"; distance:0; content:"|0d 0a 0d 0a|x="; distance:0; content:"0\;0\;0\;0"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008751; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Alureon; sid:2008751; rev:2;)

#by Matt Jonkman, re 53c26839720c9b3e9c6ed9f0d288d288
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN AntiAV Command and Control Channel (Gh0st)"; flow:established,to_server; dsize:<400; content:"Gh0st|80 01 00 00|"; depth:9; flowbits:set,ET.antiav1; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009109; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AntiAV; sid:2009109; rev:2;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN AntiAV Command and Control Channel Response (Gh0st)"; flowbits:isset,ET.antiav1; flow:established,from_server; dsize:<30; content:"Gh0st|16 00 00 00|"; depth:9; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009110; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AntiAV; sid:2009110; rev:2;)

#by matt jonkman, www.antispywareexpert.com
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Antispywareexpert.com Fake AS Install Checkin"; flow:established,to_server; uricontent:"/?action="; uricontent:"&pc_id="; uricontent:"&abbr="; uricontent:"&a="; uricontent:"&l="; uricontent:"&addt"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008502; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Antispywareexpert.com; sid:2008502; rev:2;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Antispywaremaster.com Fake AV Checkin"; flow:established,to_server; uricontent:"?action="; uricontent:"&pc_id="; uricontent:"&abbr="; uricontent:"&err="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008282; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Antispywaremaster.com; sid:2008282; rev:2;)

#by Pedro Marinho
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Antivirus2008"; flow:established,to_server; uricontent:"nick="; nocase; uricontent:"&group="; nocase; uricontent: "&os="; content:"User-Agent\:|20|Mozilla|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008483; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Antivirus2008; sid:2008483; rev:4;)

#matt jonkman, re 0546aebf675cbb00f93c8040d394fa5f
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Antivirus2008 Fake AV Install Report"; flow:established,to_server; uricontent:"?type=scanner&pin="; uricontent:"&lnd="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008511; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Antivirus2008; sid:2008511; rev:2;)


#by dxp
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Armitage Loader Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/exe.php"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009031; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Armitage; sid:2009031; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Armitage Exploit Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/bof.php"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009032; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Armitage; sid:2009032; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Armitage Loader Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/lds.php"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009036; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Armitage; sid:2009036; rev:3;)

#by mareadmin
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010909; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer DIR Listing"; flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010910; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer WRITE FILE command"; flow: established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010911; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010911; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer READ FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A3 D3 A6 D1 D6 A0 D4 A4 C8 D4 D0 D0 D4 C8 D1 D5 D5 D5 C8 A4 D1 DD D6 C8 A6 D6 D3 D4 DC D3 DC A4 A0 A6 D1 D4 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010912; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010912; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer NOP Command"; flow:established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010913; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010913; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer FIND FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 A4 D2 A4 D7 A0 A7 D2 C8 D4 A0 D1 DC C8 D1 81 D0 83 C8 A7 D1 A1 DD C8 A1 D3 D3 D1 D0 A7 D2 D1 D1 D5 A0 D6 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010914; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010914; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer YES Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010915; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010915; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer ADD RUN ONCE Command"; flow:established; content:"|C2 E5 E5 E5 9E D6 DD D1 A0 A7 A0 D7 A6 C8 A3 DC A0 A4 C8 D1 83 D3 87 C8 DC D1 A0 A3 C8 A6 DC A1 D7 A1 A4 D0 DD A3 A1 D4 D6 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010916; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010916; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer DEL FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E D1 A3 D1 A3 D5 A1 DD DD C8 A0 D2 D4 D0 C8 D1 87 D4 83 C8 A7 D6 D4 D4 C8 D3 D4 A0 D0 D6 D5 A6 D7 A6 DD A3 A6 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010917; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010917; rev:2;)


#by Daniel Clemens
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ASProtect/ASPack Packed Binary - Likely Hostile"; flow:from_server,established; content:"|2E 72 73 72 63|"; content:"|2E 61 73 70 61 63 6B|"; within: 50; reference:url,www.aspack.com/downloads.aspx; reference:url,bits.packetninjas.org/eblog/; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprotect_Packed; sid:2008575; rev:2;)

#by Joe Stewart of Secureworks
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN Asprox-style Message ID"; flow:established,to_server; dsize:<80; content:"Message-ID|3a20|"; depth:12; content:"|0d0a|"; within: 68; flowbits:set,ET.asproxmessageid; flowbits:noalert; reference:url,www.secureworks.com/research/threats/danmecasprox; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2008221; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprox; sid:2008221; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN Asprox phishing email detected"; flow:established,to_server; content:"From|3a20|"; depth:6; content:"|0d0a|Bcc|3a20|"; within:150; flowbits:isset,ET.asproxmessageid; reference:url,www.secureworks.com/research/threats/danmecasprox; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2008222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprox; sid:2008222; rev:4;)

#by dxp
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Asprox Form Submission to C&C"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/forum.php"; nocase; content:"Content-Type\: multipart/form-data\; boundary=1BEF0A57BE110FD467A"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009054; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprox; sid:2009054; rev:2;)

#by darren spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Asprox Data Post to C&C"; flow:established,to_server; content:"POST "; depth:5; content:"name=|22|sid|22 0d 0a 0d 0a|"; nocase; content:"name=|22|upt|22 0d 0a 0d 0a|"; nocase; content:"name=|22|hcc|22 0d 0a 0d 0a|"; nocase; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/danmecasprox/; reference:url,www.toorcon.org/tcx/18_Brown.pdf; reference:url,doc.emergingthreats.net/2010270; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprox; sid:2010270; rev:2;)

#Matt Jonkman
#re c6f326609487aaae451366728ec5cdd9
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008675; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Assassin; sid:2008675; rev:3;)
alert tcp $EXTERNAL_NET 91 -> $HOME_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply"; flowbits:isset,ET.assassin.start; flow:established,from_server; dsize:12; content:"10000002|5e 2a|"; depth:10; flowbits:set,ET.assassin.reply; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008676; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Assassin; sid:2008676; rev:3;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply"; flow:established,to_server; dsize:10; content:"10000000|5e 2a|"; flowbits:isset,ET.assassin.reply; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008677; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Assassin; sid:2008677; rev:3;)

# by: Jeremy Conway at sudosecure.net
# ref: 8a8f0708b05e0177acc4c57a09c70790 c42c3b5c832ac87221bb5ac88ed3feb7
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Atya Dropper Possible Rootkit - HTTP GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:"b="; nocase; uricontent:"&idf="; nocase; uricontent:"&v="; nocase; uricontent:"&o="; nocase; reference:url,www.paretologic.com/resources/definitions.aspx?remove=%41%67%65%6e%74%20%41%74%79%61%20%54%72%6f%6a%61%6e; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009450; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Atya; sid:2009450; rev:2;)

#by Jaime Blasco at alienvault and matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Aurora Backdoor (C&C) client connection to CnC"; flow:established,to_server; content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; depth:20; flowbits:set,ET.aurora.init; classtype:trojan-activity; reference:url,www.trustedsource.org/blog/373/An-Insight-into-the-Aurora-Communication-Protocol; reference:url,doc.emergingthreats.net/2010695; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Aurora; sid:2010695; rev:2;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Aurora Backdoor (C&C) connection CnC response"; flowbits:isset,ET.aurora.init; flow:established,from_server; content:"|cc cc cc cc cd cc cc cc cd cc cc cc cc cc cc cc|"; depth:16; classtype:trojan-activity; reference:url,www.trustedsource.org/blog/373/An-Insight-into-the-Aurora-Communication-Protocol; reference:url,doc.emergingthreats.net/2010696; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Aurora; sid:2010696; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Autorun.qvi Related HTTP Get on Off Port"; flow:established,to_server; content:"GET /get_r.php?fid="; depth:19; content:"&mac="; distance:0; within:15; content:"&version="; distance:0; content:"&uuid="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008755; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Autorun; sid:2008755; rev:2;)

# by: Jeremy Conway at sudosecure.net
# ref: 5af1c119ba1818099b4e4915f5bb15e9
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Win32.Autorun HTTP Post"; flow:established,to_server; content:"POST "; depth:5; uricontent:"cbID="; nocase; uricontent:"cbVer="; nocase; uricontent:"cbTit="; nocase; content:!"User-Agent\:"; nocase; content:"cbBody="; nocase; reference:url,www.threatexpert.com/threats/worm-win32-autorun.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009516; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Autorun; sid:2009516; rev:2;)

#General BHOs and the like

#by Jeremy at Sudosecure
# ref: a2404de3a35a263d775ceb451173f304
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rouge Security Software Win32.BHO.egw"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?"; nocase; uricontent:"affid="; nocase; uricontent:"subid="; nocase; uricontent:"guid="; nocase; uricontent:"ver="; nocase; uricontent:"key="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Win32.BHO.egw&threatid=313636; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008461; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_BHO; sid:2008461; rev:2;)

#by Marcus at unsober
# ref: 30b2cc13a86a15396a25e89c2860351d
alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor Possible Backdoor.Cow Varient (Backdoor.Win32.Agent.lam) C&C traffic"; content:"|6C 3C|"; depth:2; content:"|3E 20|"; within:3; content:"bid="; nocase; within:20; content:"bver="; nocase; within:20; content:"bip="; nocase; within:20; content:"bn="; nocase; within:20; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008465; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Cow; sid:2008465; rev:2;)

#by Pedro Marinho
#re 4bde1bc2f7b6d4e11b1a570aaa52df57
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Agent.fvt Checkin"; flow:established,to_server; content:"GET "; depth:4; content:".php?"; nocase; content:"lversion="; nocase; content:"wversion=&eversion=&fid="; nocase; content:"&mac="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008667; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.General; sid:2008667; rev:3;)

#matt jonkman, re 1f8169a4694ec450a9f247469b7cbaf4
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Win32 Backdoor Checkin POST Packet 1"; flow:established,to_server; uricontent:"/add.php"; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1)|0d 0a|"; flowbits:noalert; flowbits:set,ET.bd1; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009240; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.General; sid:2009240; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Win32 Backdoor Checkin POST"; flow:established,to_server; content:"|0d 0a 0d 0a|Admin="; depth:10; content:"&UserName="; distance:0; within:25; content:"&IsProxy="; distance:0; within:50; flowbits:isset,ET.bd1; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009241; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.General; sid:2009241; rev:2;)

#Matt Jonkman, analysis from captured binary
# Don't know a lot about this one. But the control session is apparently opened by a 00 00 00 00
# Then the bot replies with a packet that begins with the date in form such as 20060622, and
# among other things contains the host OS info.
# Since this is a windos bot, we can assume the word windows will be in there.
# Hopefully we can update these as more is learned. This is sorta crude, but should
# be reliable to not false pos at least....
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET TROJAN Backdoor.Hupigon Possible Control Connection Being Established"; flow:established,to_server; dsize:4; content:"|00 00 00 00|"; flowbits:set,BSHupigonControlStart; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html; reference:url,doc.emergingthreats.net/2002974; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Hupigon; sid:2002974; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET TROJAN Backdoor.Hupigon INFECTION - Reporting Host Type"; flow:established,to_server; flowbits:isset,BSHupigonControlStart; content:"Windows "; flowbits:isset,BSHupigonControlStart; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html; reference:url,doc.emergingthreats.net/2002975; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Hupigon; sid:2002975; rev:3;)

#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.cfi (related) System Info Upload via FTP"; flow:established,to_server; content:"*************CD-Key Pack**************"; content:"|0d 0a|Microsoft Windows Product ID CD Key\:"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008005; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.VB.cfi; sid:2008005; rev:3;)

#by Scott Melnick
alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1337 (msg:"ET TROJAN Win32.SkSocket C&C Connection"; flow:established,to_server; flags:PA,12; dsize:1; content:"|04|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007585; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.SkSocket; sid:2007585; rev:4;)

#by matt jonkman and victor julien
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Checkin"; flow:established,to_server; content:"Status|2a 28|Idle|2e 2e 2e 29 2a|"; depth:17; offset:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007922; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007922; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Reporting Version"; flow:established,to_server; content:"Version|28 2a|"; depth:9; offset:0; content:"|29 2a|"; within:8; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007979; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007979; rev:5;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Send"; flow:established,from_server; dsize:<35; content:"kill-"; offset:0; depth:5; pcre:"/kill\-\d+.\d+.\d+.\d+\:\d+%\d+/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007980; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007980; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Acknowledge"; flow:established,to_server; dsize:29; content:"Status|28 2a|UDP Attack Running!|2a 28|"; offset:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007981; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007981; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C DDoS Outbound"; flow:established,from_server; dsize:>100; content:"|ff ff ff ff|"; depth:4; content:" own you bitch!"; within:20; content:"|01 01 01 01 01 01 01 01 01 01 01 01 01|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007982; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007982; rev:3;)

#matt jonkman, re 0ec9e59de960ec4a7d585a9ad7fc5719
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.fdi Bot Reporting to Controller"; flow:established,to_server; content:"state\: 0 - zombie is ready for control"; depth:38; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008507; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2008507; rev:2;)

#by Jeremy of sudosecure
# ref: 82b9407337a991b52daffd0078d02e6a
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker/Banbra Variant POST via x-www-form-urlencoded"; flow:established,to_server; uricontent:".php"; content:"POST "; depth:5; content:"|0D0A|Content-Type|3a20|application/x-www-form-urlencoded|0D0A|Content-Length|3A20|"; depth:150; nocase; content:"from="; nocase; content:"|26|FromMail="; nocase; content:"|26|destino="; nocase; content:"|26|assunto="; nocase; content:"|26|mensagem="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008331; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banbra; sid:2008331; rev:3;)

#Matt jonkman, re 0d3ff9cfa6b1d6a8aeabaf0d73e1fc5c
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker/Banbra Related HTTP Post-infection Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|tipo=cli&cli="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009296; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banbra; sid:2009296; rev:2;)

#by Matt Jonkman
#Bandook 1.2
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.2 Initial Connection and Report"; flowbits:isnotset,BE.Bandook1.2; flow:established,to_server; content:"&first& # "; pcre:"/# \d+d \d+dh \d+m # /iR"; classtype:trojan-activity; flowbits:set,BE.Bandook1.2; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003549; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.2 Get Processes"; flowbits:isset,BE.Bandook1.2; flow:established,to_server; dsize:8; content:"|99 9b 86 8a 85 80 9a 9d|"; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003550; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.2 Kill Process Command"; flowbits:isset,BE.Bandook1.2; flow:established,to_server; dsize:>8; content:"kill3d"; offset:0; depth:6; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003551; rev:5;)
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.2 Reporting Socks Proxy Active"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:7; content:"sockson"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003552; rev:5;)
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.2 Reporting Socks Proxy Off"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:8; content:"socksoff"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003553; rev:5;)
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.2 Client Ping Reply"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:10; content:"&SEXREPLY&"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003554; rev:5;)

#Bandook 1.35
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Initial Connection and Report"; flowbits:isnotset,BE.Bandook1.35; flow:established,to_server; content:"|cf 8f|"; offset:0; depth:2; content:"|20 26 26 26|"; distance:50; classtype:trojan-activity; flowbits:set,BE.Bandook1.35; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003555; rev:5;)
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Keepalive Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:6; content:"|cf ab a8 a7 ae cf|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003556; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Keepalive Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:9; content:"|cf ab a8 a4 ae cf 26 26 26|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003557; rev:5;)
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Create Registry Key Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>10; content:"|cf 9b 8c 8e 8a 9b cf|"; offset:0; depth:7; content:"|95|"; distance:5; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003558; rev:5;)
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Create Directory Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>7; content:"|cf 84 82 8d 80 9b cf 95|"; offset:0; depth:8; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003559; rev:5;)
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Window List Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:10; content:"|cf 8e 80 84 84 8c 9e 80 87 cf|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003560; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Window List Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:>10; content:"|cf 9e 80 87 85 80 9a 9d cf|"; offset:0; depth:9; content:"|26 26 26|"; distance:10; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003561; rev:5;)
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Get Processes Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:8; content:"|99 9b 86 8a 85 80 9a 9d|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003562; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Get Processes Command Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:>10; content:"|cf 9d 82 99 9b 86 8a cf|"; offset:0; depth:8; content:"|26 26 26|"; distance:10; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003565; rev:5;)
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Start Socks5 Proxy Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>6; content:"|a7 a0 a7 ae 95|"; offset:0; depth:5; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003563; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:10; content:"|9a 86 8a 82 9a 86 87 26 26 26|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003564; rev:5;)


#by Joe Stewart
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandok phoning home (xor by 0xe9 to decode)"; flow:established,to_server; content:"|CF 8F 80 9B 9A 9D CF 95|"; depth:8; dsize:<80; reference:url,www.dshield.org/diary.html?date=2007-03-28; reference:url,www.secureworks.com/research/threats/bbbphish/?threat=bbbphish; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003936; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003936; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bandook iwebho/BBB-phish trojan leaking user data"; flow:established,to_server; content:"POST|20|/"; depth:6; content:"|20|HTTP/1.1|0d0a|Content-Type|3a20|application/x-www-form-urlencoded|0d0a|Host|3a20|"; within:150; content:"Content-Length|3a20|"; within:100; content:"|0d0a0d0a|"; within:12; content:"VISITED_URL"; within:100; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/bbbphish; reference:url,doc.emergingthreats.net/2003937; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003937; rev:4;)

#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.OT Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"User-Agent\: Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a 0d 0a|praquem="; content:"&titulo="; content:"&texto="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007823; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007823; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.OT Checkin (2 packet)"; flow:established,to_server; content:"praquem="; depth:8; content:"&titulo="; content:"&texto="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008491; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2008491; rev:2;)

#A different one, by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.anv Generally Suspicious User-Agent (CustomExchangeBrowser)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"CustomExchangeBrowser"; pcre:"/User-Agent\:[^\n]+CustomExchangeBrowser/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007824; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007824; rev:2;)

#Banker.OPX, by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Banker.OPX HTTP Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|TIPO=CLIENTE&NOME="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007901; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007901; rev:2;)

#Banker.ili by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.ili HTTP Checkin"; flow:established,to_server; uricontent:"/ctrl/cnt_boot.php?pgv="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007940; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007940; rev:2;)

alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Banker.ike UDP C&C"; content:"|86 71 3b 72 50 61 7d 95 5f 61 46|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007957; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007957; rev:2;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker Trojan (General) HTTP Checkin"; flow:established,to_server; uricontent:".php?PC="; uricontent:"&Data="; uricontent:"&Mac="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007984; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007984; rev:2;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker Trojan (General) HTTP Checkin (vit)"; flow:established,to_server; uricontent:".php"; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a|"; content:"vit="; nocase; content:"&bk="; nocase; content:"&dados="; nocase; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007999; rev:2;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.maf SMTP Checkin (Not in the Control...)"; flow:established,to_server; content:"|0a|X-Mailer|3a| Microsoft CDO for Windows 2000"; content:"|0d 0a|_-=|7c| Not in the Control System 6.0 |7c|=-_|0d 0a|.|0d 0a|"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2008033; rev:5;)

#matt jonkman, banker.JU
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.JU Related HTTP Post-infection Checkin"; flow:established,to_server; uricontent:"/envio.php?"; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a 0d 0a|tipo="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008267; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2008267; rev:2;)

#by pmarinho
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.zrm/Infostealer.Bancos Checkin"; flow:established,to_server; content:"GET ";depth:4; uricontent:"appdata="; nocase; uricontent:"hd="; nocase; uricontent:"mac="; nocase; uricontent:"computador="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2008519; rev:2;)

#by cjeremy
# ref: 8dce7edf84300fbc258c94ce4b47a366
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Generic Banker Trojan Downloader Config to client"; flow:established,to_client; content:"[Controlinfo]"; nocase; depth:13; content:"CntInfo="; within:9; nocase; content:"UseSepControl="; within:30; nocase; content:"Names="; within:20; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009090; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009090; rev:2;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Banker.PWS POST Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a 0d 0a|IDMAQUINA="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009127; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009127; rev:2;)


#by Dan Clemens
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWSteal.Bancos Generic Banker Trojan SCR Download"; flow:to_server,established; uricontent:"/keylogf.jpg"; nocase; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-050210-0214-99&tabid=2; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2009235; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009235; rev:2;)

#by: Joe Stewart at SecureWorks
#ref: cfcdf7c9066dfab0dcca1683603e4ee6
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TSPY_BANKER.IDV/Infostealer.Bancos Module Download"; flow:established,to_server; content:"GET|20|/"; depth:5; content:"| 0d0a|User-Agent|3a20|Mozilla|2f|4.0|2028|compatible|3b20|MSIE|20|6.0| 3b2020|Windows|20|NT|20|5.1|3b20|SV1|3b20|.NET|20|CLR|20|1.1.4322| 3b20|.NET|20|CLR|20|2.0.50727|290d0a|Host|3a20|"; content:"|0d0a|Accept|3a202a2f2a|"; within:80; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009447; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009447; rev:3;)

# by: Jeremy Conway at sudosecure.net
# ref: 43347bed87a3427b97a8a4bb50d3f06c
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bancos/Banker Info Stealer Post"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)"; nocase; content:"op="; nocase; content:"servidor="; nocase; content:"senha="; nocase; content:"usuario="; nocase; content:"base="; nocase; content:"sgdb="; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/Trojan.Bancos/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.Bancos; reference:url,doc.emergingthreats.net/2009471; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009471; rev:2;)

# by: Jeremy Conway at sudosecure.net
# ref: db255a75745f90e2f1cb807c35d752b0
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker PWS/Infostealer HTTP GET Checkin"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: Microsoft Internet Explorer|0d 0a|"; nocase; uricontent:"guid="; nocase; uricontent:"ver="; nocase; uricontent:"stat="; nocase; uricontent:"ie="; nocase; uricontent:"os="; nocase; uricontent:"ut="; nocase; uricontent:"cpu="; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,doc.emergingthreats.net/2009550; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009550; rev:2;)

# by: Jeremy Conway at sudosecure.net
# ref: 45545f7afce0b3e9d02a9a04ff374dc6
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker/Bancos/Infostealer Possible Rootkit - HTTP HEAD Request"; flow:established,to_server; content:"HEAD "; nocase; depth:5; uricontent:".php?action="; nocase; uricontent:"&uid="; nocase; uricontent:"&locale="; nocase; uricontent:"&ver="; nocase; uricontent:"&build="; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,www.anti-spyware-101.com/remove-trojanbanker; reference:url,doc.emergingthreats.net/2009750; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009750; rev:2;)

#matt jonkman
#banker trojan with a custom cnc
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Banker Trojan CnC AddNew Command"; flow:established,to_server; dsize:<120; content:"[S]ADDNEW|7c|"; depth:10; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009862; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009862; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Banker Trojan CnC Hello Command"; flow:established,to_server; dsize:12; content:"[S]hello["; depth:9; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009863; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009863; rev:2;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN Banker Trojan CnC Server Ping"; flow:established,from_server; dsize:5; content:"PING|7c|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009864; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009864; rev:2;)

#by Darren Spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Patcher/Bankpatch Communication with Controller"; flow:established,to_server; uricontent:"id="; nocase; uricontent:"&check="; nocase; uricontent:"&version="; nocase; pcre:"/\?id=[A-Za-z]+_[A-Za-z]+&/U"; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-081817-1808-99&tabid=2; reference:url,doc.emergingthreats.net/2009408; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bankpatch; sid:2009408; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Patcher/Bankpatch Module Download Request"; flow:established,to_server; uricontent:"/dl/AcroIEHelpe"; nocase; uricontent:".dll"; nocase; pcre:"/\/dl\/AcroIEHelpe(r)?(\d)?\.dll/U"; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-081817-1808-99&tabid=2; reference:url,doc.emergingthreats.net/2009409; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bankpatch; sid:2009409; rev:2;)

#Matt Jonkman
# Regular downloader, usually grabs a fw swf exploiting files from brazilian servers. Sends an email on installl
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banload Downloader Infection - Sending initial email to owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Dispositivo instalado."; nocase; content:"Maquina pronta para uso."; nocase; content:"Data\: "; nocase; content:"Hora\: "; nocase; content:"Development by "; nocase; classtype:trojan-activity; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=95586; reference:url,doc.emergingthreats.net/2002977; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2002977; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload User-Agent Detected (ExampleDL)"; flow:established,to_server; content:"User-Agent\: ExampleDL"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2004440; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2004440; rev:3;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a 0d 0a|tipo="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007863; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2007863; rev:4;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin Detected"; flow:established,to_server; uricontent:"php?mac="; nocase; uricontent:"&hdd="; nocase; uricontent:"++++++++"; nocase; uricontent:"&ver="; nocase; uricontent:"&ie="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007864; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2007864; rev:2;)

#Disabling, hits on a few legit apps
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload User-Agent Detected (WebUpdate)"; flow:established,to_server; content:"|0d 0a|User-Agent\: WebUpdate|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008074; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008074; rev:3;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin Detected (envia.php)"; flow:established,to_server; uricontent:"/envia.php"; nocase; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a|"; nocase; content:"praquem="; distance:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008256; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008256; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin Detected (quem=)"; flow:established,to_server; uricontent:".php"; nocase; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a 0d 0a|quem="; content:"praquem="; distance:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008283; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008283; rev:2;)

#by Marcus at unsober.org
# This one uses gadugadu for CnC. Labeled banload but likely it's something else
alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET TROJAN Banload Gadu-Gadu CnC Message Detected"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"Uruchomiono trojana, wpisz help aby uzyskac pomoc"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008320; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008320; rev:2;)

#by Will Metcalf
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload iLLBrain Trojan Activity"; flow:to_server,established; content:"GET "; depth:4; content:"User-Agent\: Microsoft URL Control"; nocase; uricontent:"/iLL"; uricontent:".xxx"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2008328; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008328; rev:4;)

#by bojan zdrnja of ISC
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload POST Checkin (dados)";flow:established,to_server; content: "POST "; depth:5; content:"PC="; nocase; content: "&USER="; nocase; content:"&HASH="; nocase; content:"&DADOS="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008477; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008477; rev:2;)

#by: Jeremy Conway at sudosecure.net
# ref: 373b5b9e7d4d92aee575ba8b4e4549d8
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BANLOAD Downloader GET Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"mac="; uricontent:"sys="; uricontent:"yp="; uricontent:"rand="; nocase; pcre:"/mac=[0-9A-Fa-f]{12}&/Ui"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojbanloe.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009453; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2009453; rev:2;)

#by pedro marinho
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload Checkin"; flow:to_server,established; content:"GET "; depth:4; uricontent:"c=voip&ord=";nocase;uricontent:"=&SCRNSZ"; uricontent:"&BRSRSZ=";uricontent:"&TIMEZONE="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010266; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2010266; rev:2;)

#by matt Jonkman, from sandnet analysis
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Basine Trojan Checkin"; flow:established,to_server; dsize:>1000; content:"|0d 0a 0d 0a|a="; content:"&b=reported"; distance:0; within:40; content:"&d=report"; distance:0; within:40; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007692; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Basine; sid:2007692; rev:3;)

#by Darren Spruell
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Urlzone/Bebloh Communication with Controller"; flow:established,to_server; content:"GET "; depth:4; uricontent:"?type=slg&id="; nocase; pcre:"/\?type=slg&id=[0-9A-Z]{18}/U"; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td; reference:url,doc.emergingthreats.net/2009351; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bebloh; sid:2009351; rev:3;)

#by Marcus at sober.org
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Urlzone/Bebloh Trojan Check-in"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php"; content:"N="; content:"&ID="; content:"&DATA="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009520; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bebloh; sid:2009520; rev:2;)

#by jerry at cybercave
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ff.ie?rnd="; nocase; pcre:"/\/ff\.ie\?rnd=\d+/Ui"; content:"|0d 0a 0d 0a|p="; nocase; content:"&ot="; nocase; distance:0; content:"&njeb="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010565; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bebloh; sid:2010565; rev:3;)

#by deapesh misra
alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET TROJAN Bifrose Connect to Controller"; flow:established,to_server; dsize:<20; content:"|09 00 00 9a|"; depth:4; content:"|cc|"; distance:3; within:4; content:"|74|"; distance:3; within:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008273; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose; sid:2008273; rev:3;)
alert tcp $EXTERNAL_NET 81 -> $HOME_NET any (msg:"ET TROJAN Bifrose Response from Controller"; flow:established,from_server; dsize:9; content:"|05 00 00 00 BC|"; depth:5; content:"|CC|"; distance:3; within:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008274; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose; sid:2008274; rev:3;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET TROJAN Bifrose Connect to Controller (variant 2)"; flow:established,to_server; dsize:<220; content:"|d2 00 00 9b|"; depth:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008532; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose; sid:2008532; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose Connect to Controller (PING PONG)"; flow:stateless; dsize:10; content:"PING |3a|i.|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009128; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose; flowbits:set,ET.bifrose1; sid:2009128; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bifrose Response from Controller (PING PONG)"; flow:stateless; flowbits:isset,ET.bifrose1; dsize:9; content:"PONG |3a|i.|0d|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009129; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose; sid:2009129; rev:3;)

#by deapesh misra
alert tcp $HOME_NET 81 -> $EXTERNAL_NET any (msg:"ET TROJAN Bifrose Response from victim"; flow:established,to_server; dsize:13; content:"|09 00 00 00 9a|"; depth:5; content:"|74|"; distance:7; within:8; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009797; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose; sid:2009797; rev:2;)

#analysis by Jose Nazario at arbor networks. Sig by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; content:"POST "; depth:5; dsize:<400; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|id="; content:"&build_id="; distance:5; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blackenergy; sid:2007668; rev:4;)

#by Darren Spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C (2)"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a 0d 0a|getp="; nocase; content:"&id="; nocase; content:"&ln="; nocase; content:"&cn="; nocase; content:"&nt="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blackenergy; sid:2009546; rev:2;)

#by Jaime Blasco
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C (2)"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a 0d 0a|"; content:"id="; nocase; distance:0; content:"&ln="; nocase; content:"&cn="; nocase; content:"&nt="; nocase; content:"&bid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010875; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blackenergy; sid:2010875; rev:3;)

#by spooker
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BlackEnergy v2.x HTTP Request with Encrypted Variables"; flow:to_server,established; content:"POST "; depth:5; uricontent:"/getcfg.php"; nocase; content:"|0d 0a 0d 0a|sksgh="; nocase; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2; reference:url,doc.emergingthreats.net/2010885; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blackenergy; sid:2010885; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BlackEnergy v2.x Plugin Download Request"; flow:to_server,established; content:"POST "; depth:5; uricontent:"/getcfg.php"; nocase; content:"|0d 0a 0d 0a|"; content:"getp="; distance:0; content:"id="; content:"ln="; content:"bid="; content:"nt="; content:"cn="; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2; reference:url,doc.emergingthreats.net/2010886; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blackenergy; sid:2010886; rev:2;)

#fake search site, distributed backdoor.agent.aqr and others
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blink.com related Backdoor Checkin"; flow:established,to_server; uricontent:"/?vn="; nocase; uricontent:"&partner="; nocase; uricontent:"&ptag="; nocase; uricontent:"&b="; nocase; uricontent:"&se="; nocase; uricontent:"&au="; nocase; flowbits:set,ET.blink.get; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007805; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blink.com; sid:2007805; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Blink.com related Upgrade Command Given";flowbits:isset,ET.blink.get; flow:established,from_server; content:"|0d 0a|X-Messaging\: This is an important download|0d 0a|Location\: http\://"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007806; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blink.com; sid:2007806; rev:2;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Boaxxe HTTP POST Checkin"; flow:established,to_server; uricontent:"/u/"; content:"POST "; depth:5; content:"|0d 0a|user-Agent\: Internet Explorer|0d 0a|"; content:"|0d 0a 0d 0a|a="; distance:0; content:"&b="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009297; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Boaxxe; sid:2009297; rev:2;)

#this really isn't Kraken, appears to really be bobax, but reported as kraken.
#These sigs are a first attempt, hopefully this will improve
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008103; rev:3;)
alert udp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound"; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008104; rev:3;)
alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound"; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008105; rev:3;)
alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008106; rev:3;)
alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound"; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008107; rev:3;)
alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008108; rev:3;)
alert udp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound"; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008109; rev:3;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008110; rev:3;)

# Bofra Worm
#submitted by Matt Jonkman, additions by David Maciejak - Bofra Worm
alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639 (msg:"ET WORM Bofra Victim Accessing Reactor Page"; flow: from_client,established; content:"GET "; nocase; content:"reactor"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001430; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bofra; sid: 2001430; rev:10;)

#by Jeffrey Brown, re 33f56ffda981afa725d530be3d1e1cfb
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bravix Checkin"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?wmid="; uricontent:"&l="; uricontent:"&it="; uricontent:"&s="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008541; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bravix; sid:2008541; rev:2;)

#by darren spruell
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bredavi Configuration Update Response"; flow:established,from_server; content:"|0d 0a 0d 0a 21|new_config|0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010790; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi; sid:2010790; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredavi Checkin"; flow:established,to_server; uricontent:".php?id="; nocase; uricontent:"&ver="; nocase; uricontent:"&up="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010791; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi; sid:2010791; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredavi Proxy Registration"; flow:established,to_server; uricontent:"/socks.php?name="; nocase; uricontent:"&port="; nocase; pcre:"/\/socks\.php\?name=[^&]+&port=\d{1,5}$/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010792; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi; sid:2010792; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredavi Binary Download Request"; flow:established,to_server; uricontent:".php?id="; nocase; uricontent:"&magic="; nocase; pcre:"/\.php\?id=\d+&magic=(-)?\d+$/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010793; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi; sid:2010793; rev:2;)

#by Darren Spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Downloader Communicating With Controller (1)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&entity_list="; nocase; uricontent:"&uid="; nocase; uricontent:"&first="; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader\:Win32/Bredolab.B; reference:url,doc.emergingthreats.net/2009353; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2009353; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Downloader Communicating With Controller (2)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; uricontent:"&uid="; nocase; uricontent:"&entity="; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader\:Win32/Bredolab.B; reference:url,doc.emergingthreats.net/2009354; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2009354; rev:5;)

#by Jaime Blasco
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Check In"; flow:established,to_server; content:"GET "; depth:4; uricontent:"v="; uricontent:"&s="; uricontent:"&uid="; uricontent:"&p="; uricontent:"&q="; content:"User-Agent\:|0d 0a|"; classtype:trojan-activity; reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/; reference:url,doc.emergingthreats.net/2009360; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2009360; rev:5;)

#by Darren Spruell
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bredolab Downloader Response Binaries from Controller"; flow:established,from_server; content:"|0d 0a|Entity-Info|3a|"; nocase; content:"|0d 0a|Magic-Number|3a|"; nocase; pcre:"/\x0d\x0aEntity-Info\x3a\s+\d+\x3a\d+/"; pcre:"/\x0d\x0aMagic-Number\x3a\s+\d+\|\d+/"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader\:Win32/Bredolab.B; reference:url,doc.emergingthreats.net/2009388; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2009388; rev:2;)

#
# Bredolab Infection
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; uricontent:"/get.php?c="; nocase; uricontent:"&d="; nocase; pcre:"/\/get\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010071; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Infection - Windows Key"; flow:established,to_server; uricontent:"?s=Windows"; nocase; uricontent:"&p="; nocase; pcre:"/\&p=[0-9A-Za-z]{5}\-[0-9A-Za-z]{5}\-/"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010072; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010072; rev:3;)

#by evilghost
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Syrutrk/Gibon/Bredolab Checkin"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?ddos=x"; nocase; pcre:"/\x3Fddos\x3D(x\d{1,2}){5,}/Ui"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A; reference:url,www.threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37; reference:url,www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865; reference:url,doc.emergingthreats.net/2010381; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010381; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake AV GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?"; nocase; uricontent:"affid="; nocase; uricontent:"subid="; nocase; uricontent:"type="; nocase; uricontent:"version="; nocase; uricontent:"adware"; nocase; classtype:trojan-activity; reference:url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35; reference:url,doc.emergingthreats.net/2010382; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010382; rev:2;)

#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Brontok User-Agent Detected (Brontok.A3 Browser)"; flow:established,to_server; content:"User-Agent\: Brontok"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Brontok; sid:2006999; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Brontok/Joseray User-Agent Detected (Joseray.A3 Browser)"; flow:established,to_server; content:"User-Agent\: Joseray"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008765; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Brontok; sid:2008765; rev:2;)


alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Buzus FTP Log Upload"; flow:established,to_server; dsize:100<>500; content:"|20 20 20 20|"; depth:4; content:"************CD-Key Pack************"; distance:0; content:"Microsoft Windows Product ID CD Key\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008750; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus; sid:2008750; rev:2;)

#by Jaime Blasco
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Buzus Posting Data"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/fdsupdate"; content:"|0d 0a 0d 0a|PUTF"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010064; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus; sid:2010064; rev:2;)

#Jason aka dn1nj4 at shadowserver dot org
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Buzus Trojan Proxy Attempt"; flow:established,to_server; content:"Gh0st"; depth:5; flowbits:set,ET.buzus_client; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010859; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus; sid:2010859; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Buzus Proxy Server Response"; flow:established,from_server; content:"Gh0st"; depth:5; flowbits:isset,ET.buzus_client; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010860; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus; sid:2010860; rev:2;)

#matt jonkman, labeled logsnif, bzub2, dopip
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bzub2 Related RPC/Http Checkin"; flow:established,to_server; uricontent:"/rpc.php?a=ftp%3A%2F%2F"; nocase; uricontent:"&b="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007843; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bzub; sid:2007843; rev:2;)

#by Darren Spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Metafisher/Bzub/Cimuz/Tanspy Reporting User Activity"; flow:established,to_server; uricontent:"ver="; nocase; uricontent:"&lg="; nocase; uricontent:"&phid="; nocase; uricontent:"&r="; pcre:"/phid=[A-F0-9]{64}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009349; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bzub; sid:2009349; rev:3;)

#by William Salusky of AOL, modified to use httpinspect
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cashout Proxy Bot reg_DST"; flow:to_server,established; uricontent:".php?"; uricontent:"lang="; uricontent:"&pal="; uricontent:"&bay="; uricontent:"&gold="; uricontent:"&id="; uricontent:"&param="; uricontent: "&socksport="; uricontent:"&httpport="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008248; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cashout_Proxy; sid:2008248; rev:2;)

#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cashpoint.com Related checkin User-Agent (inetinst)"; flow:established,to_server; content:"|0d 0a|User-Agent\: inetinst|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007808; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cashpoint.com; sid:2007808; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cashpoint.com Related checkin User-Agent (okcpmgr)"; flow:established,to_server; content:"|0d 0a|User-Agent\: okcpmgr|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007810; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cashpoint.com; sid:2007810; rev:2;)

#by Darren Spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"|0d 0a 0d 0a|os="; nocase; content:"&ver="; nocase; distance:0; content:"&idx="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&ioctl="; nocase; distance:0; content:"&data="; distance:0; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B; reference:url,www.secureworks.com/research/threats/ppi/; reference:url,doc.emergingthreats.net/2010217; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cbeplay; sid:2010217; rev:3;)

#by Jeffrey Brown at synacktip
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Ceckno Reporting to Controller"; flow:established,to_server; dsize:<30; content:"\:2|7c|"; depth:10; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x3a\d\x7c\d+\x7c[0-9a-z]+\x7c\d+/i"; flowbits:set,ET.cekno.initial; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008177; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cekno; sid:2008177; rev:4;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Ceckno Keepalive from Controller"; flow:established,from_server; dsize:1; content:"1"; flowbits:isset,ET.cekno.initial; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008178; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cekno; sid:2008178; rev:3;)

#by Jeffrey Brown
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cinmus.Checkin 1"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?version="; nocase; uricontent:"lversion="; nocase; uricontent:"&mac="; nocase; uricontent:"&fid="; nocase; uricontent:"&vpc="; nocase; uricontent:"&run="; nocase; uricontent:"&from="; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2008623; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cinmus; sid:2008623; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cinmus.Checkin 2"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?fid="; nocase; uricontent:"&kid="; nocase; uricontent:"&cnt="; nocase; uricontent:"&mac="; nocase; uricontent:"&kw="; nocase; uricontent:"&from="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008624; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cinmus; sid:2008624; rev:2;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citi-bank.ru Related Trojan Checkin"; flow:established,to_server; uricontent:".php?hid=NT"; nocase; uricontent:"&wp="; nocase; uricontent:"&sp="; nocase; uricontent:"&eep="; nocase; uricontent:"&edp="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Citi-bank.ru; sid:2008153; rev:2;)

#by Marcus at unsober, re 68926f2883af13d6001126aae4345dab
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rootkit.Win32.Clbd.cz Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php"; content:"gd="; content:"=="; within:20; content:"&affid="; content:"="; within:5; content:"&subid="; content:"=="; within:5; content:"&prov="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008442; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Clbd.cz; sid:2008442; rev:3;)

#by darren spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Clod/Sereki Communication with C&C"; flow:established,to_server; uricontent:".php?id="; nocase; uricontent:"&cnt="; nocase; pcre:"/\.php\?id=\d+_[0-9a-f]{8}-[0-9a-f]+-[0-9a-f]{8}&cnt=/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa; reference:url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319; reference:url,doc.emergingthreats.net/2010289; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Clod; sid:2010289; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Clod/Sereki Checkin with C&C (noalert)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/chck.dat"; nocase; content:!"|0d 0a|User-Agent|3a|"; nocase; content:!"|0d 0a|Referer|3a|"; nocase; flowbits:set,ET.clod1; flowbits:noalert; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa; reference:url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319; reference:url,doc.emergingthreats.net/2010290; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Clod; sid:2010290; rev:4;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Clod/Sereki Checkin Response"; flow:established,from_server; dsize:<350; content:"|0d 0a 0d 0a|!chckOK!"; nocase; flowbits:isset,ET.clod1; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa; reference:url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319; reference:url,doc.emergingthreats.net/2010291; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Clod; sid:2010291; rev:2;)

#by jeffrey brown
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Codesoft PW Stealer Email Report Outbound"; flow:established,to_server; content:"|0d 0a|Subject|3a| Codesoft PW Stealer"; content:"******STEAM PASS STEALER*******"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008310; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_CodeSoft; sid:2008310; rev:2;)

#by Kevin Ross
alert tcp $HOME_NET any -> 67.15.94.80 $HTTP_PORTS (msg:"ET TROJAN Possible Downadup/Conficker-A Worm Activity"; flow:to_server,established; uricontent:"/GeoIP.dat.gz"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2008802; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; sid:2008802; rev:5;)

# By RPG and Jack Pepper, modified by thierry chich and darren spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; sid:2009024; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A Worm reporting"; flow:to_server,established; uricontent:"/search?q="; uricontent:"&aq="; pcre:"/\/search\?q\=\d+&aq=\d/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009114; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; sid:2009114; rev:3;)

#by Tillman Werner
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET TROJAN Conficker.a Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; reference:url,www.honeynet.org/node/388; reference:url,doc.emergingthreats.net/2009200; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; classtype:trojan-activity; sid:2009200; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET TROJAN Conficker.b Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; reference:url,www.honeynet.org/node/388; reference:url,doc.emergingthreats.net/2009201; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; classtype:trojan-activity; sid:2009201; rev:6;)

#Disabling in favor of the preproc and SO rules that are now available
#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)"; dsize:>19; byte_test:1, &, 1, 19; threshold: type both, track by_src, count 95, seconds 50; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; reference:url,doc.emergingthreats.net/2009205; sid:2009205; rev:4;)
#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)"; dsize:>19; byte_test:1, &, 4, 19; threshold: type both, track by_src, count 95, seconds 40; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; reference:url,doc.emergingthreats.net/2009206; sid:2009206; rev:4;)
#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)"; dsize:>19; byte_test:1, &, 5, 19; threshold: type both, track by_src, count 95, seconds 40; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; reference:url,doc.emergingthreats.net/2009207; sid:2009207; rev:4;)
#alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)"; dsize:>19; byte_test:1, &, 16, 19; threshold: type both, track by_src, count 95, seconds 40; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; reference:url,doc.emergingthreats.net/2009208; sid:2009208; rev:4;)

#by Daniel Clemens
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Conficker/KernelBot/MS08-067 related Trojan Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/kernel/zz.htm?"; uricontent:"Ver="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008737; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; sid:2008737; rev:7;)

#by David Wharton
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot/Conficker Trojan Related"; flow:established,to_server; content:"|0d 0a|Accept-Language|3A| zh|2D|cn"; flowbits:set,ET.ms08067_header; flowbits:noalert; classtype:not-suspicious; reference:url,doc.emergingthreats.net/bin/view/Main/2008738; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; sid:2008738; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Conficker/MS08-067 Worm Traffic Outbound"; flowbits:isset,ET.ms08067_header; flow:established,to_server; content:"If-None-Match|3A| |22|60794|2D|12b3|2D|e4169440|22|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008739; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; sid:2008739; rev:6;)

#by Philipp Bescht
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN contacy.info Trojan Checkin (User agent clk_jdfhid)"; flow:to_server,established; content:"|0d 0a|User-Agent\: clk_jdfhid|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008399; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Contacy.info; sid:2008399; rev:3;)

#by Joe Stewart of Secureworks
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Coreflood/AFcore Trojan Infection"; flow:to_server; content:"POST|20|/c/a"; byte_test:1,<,64,0,relative; content:"HTTP/1.0|0d0a|Host|3a20|"; within:21; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008434; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Coreflood; sid:2008434; rev:3;)

#modified version for new variants, matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Coreflood/AFcore Trojan Infection (2)"; flow:to_server; content:"POST "; depth:5; content:"HTTP/1.0|0d 0a|Host|3a 20|"; content:"|0d 0a 0d 0a|r="; content:"&i="; distance:0; content:"&v="; distance:0; content:"&os="; distance:0; content:"&s="; distance:0; content:"&h="; distance:0; content:"&d="; distance:0; content:"&panic"; distance:0; content:"&ie=&"; distance:0; content:"input="; distance:0; content:"&c="; distance:0; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008443; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Coreflood; sid:2008443; rev:2;)

# Submitted 2008-06-26 by Darren Spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoreFlooder.Q Data Posting"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/upload"; nocase; uricontent:"file="; nocase; uricontent:"&id="; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008352; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/VIRUS_Coreflood; sid:2008352; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoreFlooder.Q C&C Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/a?"; nocase; content:"|0d 0a 0d 0a|wg="; nocase; content:"&cn="; nocase; content:"&i="; nocase; content:"&panic="; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008353; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/VIRUS_Coreflood; sid:2008353; rev:4;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoreFlooder C&C Checkin (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/index.php"; nocase; content:"|0d 0a 0d 0a|r="; content:"&i="; distance:0; content:"&v="; distance:0; content:"&os="; distance:0; content:"&panic="; distance:0; content:"&input="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009287; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/VIRUS_Coreflood; sid:2009287; rev:1;)

#by matt jonkman, Proxy.Corpes.j 0fe727c2779b6891697db8f768b6d34b
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Proxy.Corpes.j Infection Report"; flow:established,to_server; uricontent:".php?tma="; uricontent:"&mode="; pcre:"/mode=\d+D[0-9A-F]{150}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008144; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Corpes; sid:2008144; rev:3;)

#by Jeffrey Brown, re 35546d9972aed2a5fec2c4e1136730a3
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Crypt.nc Checkin"; flow:to_server,established; uricontent:".php?l="; uricontent:"&d="; uricontent:"&ver="; uricontent:"&rvz1="; uricontent:"&rvz2="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Crypt; sid:2008567; rev:2;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Crypt.CFI.Gen Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|User-Agent\: BIE|0d 0a|"; content:"|0d 0a 0d 0a|cname="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009204; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Crypt; sid:2009204; rev:2;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DMSpammer HTTP Post Checkin (1)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/stat1.php"; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; Synapse)|0d 0a|"; content:"|0d 0a 0d 0a|x|9c|"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008271; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DMSpammer; sid:2008271; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DMSpammer HTTP Post Checkin (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/stat2.php"; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; Synapse)|0d 0a|"; content:"|0d 0a 0d 0a|x|9c|"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008272; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DMSpammer; sid:2008272; rev:2;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DNS Changer HTTP Post Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|x="; content:!"|0d 0a|User-Agent\: "; pcre:"/x=[0-9a-zA-Z]{50}/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008263; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DNS_Changer; sid:2008263; rev:3;)


#By pedromarinho and matt jonkman.
#Downloader.Agent.bnm and dnschange.bnm, etc
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start"; flow:established,to_server; dsize:8; content:"|0b 01 00 00 00 00 00 00|"; classtype:trojan-activity; flowbits:noalert; flowbits:set,ET.dlbnm1; reference:url,doc.emergingthreats.net/2008805; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DNS_Changer; sid:2008805; rev:2;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start Response"; flow:established,from_server; dsize:4; content:"|0b 01|"; depth:2; content:"|00|"; distance:1; within:1; classtype:trojan-activity; flowbits:isset,ET.dlbnm1; reference:url,doc.emergingthreats.net/2008806; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DNS_Changer; sid:2008806; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Start"; flow:established,to_server; dsize:32; content:"|00 00 00 00 c0 a8 01 1e 67 00 00 00 00|"; depth:13; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008807; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DNS_Changer; sid:2008807; rev:3;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Traffic"; flow:established,to_server; dsize:32; content:"|55 d8 09 00 c0 a8 01 1e 67 00 00 00 00|"; depth:13; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008808; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DNS_Changer; sid:2008808; rev:3;)

#by matt jonkman, re 94ff9b9a3b40c3f21e4fac3a7712b6a6
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DNSChanger.AT or related Infection Checkin Post"; flow:established,to_server; content:"POST /cgi-bin/generator HTTP/1.0|0d 0a|Content-Length\: "; depth:50; content:"|0d 0a 0d 0a|"; within:10; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008940; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DNS_Changer; sid:2008940; rev:3;)

#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Daemonize.ft HTTP Checkin"; flow:established,to_server; uricontent:".php?v="; nocase; uricontent:"&rnd="; nocase; uricontent:"&u=00"; nocase; uricontent:"&s="; nocase; uricontent:"&id="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008086; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Daemonize; sid:2008086; rev:2;)

#by darren spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Daonol C&C Communication"; flow:established,to_server; uricontent:"/x/?0"; nocase; content:"|0d 0a|SS|3a|"; nocase; content:"|0d 0a|Xost|3a|"; nocase; pcre:"/\/x\/\?0\w{35}$/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaonol; reference:url,blog.fireeye.com/research/2009/10/gumblar-not-gumby.html; reference:url,www.iss.net/threats/gumblar.html; reference:url,blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html; reference:url,doc.emergingthreats.net/2010164; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Daonol; sid:2010164; rev:3;)
#Matt Jonkman
# This thing send out an email to it's owner with stats and such. This ought to catch it..
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Maquina.."; nocase; content:"Vers|e3|o do Windows"; nocase; content:"Microsoft Windows"; nocase; content:"Mac Address.."; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002976; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2002976; rev:7;)
#another variant
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Nome Computador\: "; nocase; content:"Data\: "; nocase; content:"Windows\: Microsoft Windows "; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002978; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2002978; rev:4;)
#Yet another
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Subject\: INFECT - "; nocase; content:"Data\: "; nocase; content:"Windows\: Microsoft Windows "; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002980; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2002980; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Maquina"; nocase; content:"IP"; nocase; content:"Hora"; nocase; content:"Data"; nocase; content:"Microsoft Windows "; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002981; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2002981; rev:3;)

#from sandnet data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Varlok_11000)"; flow:established,to_server; content:"User-Agent\: Varlok_"; no