#
# $Id: emerging-virus.rules $
# Emerging Threats Virus rules.
#
# SID's are 2000000+ to avoid conflicts
#
# More information available at www.emergingthreats.net
#
# Please submit any custom rules or ideas to emerging@emergingthreats.net or the emerging-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2003-2010, Emerging Threats
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
#From Chris Norton.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Generic Downloader Outbound HTTP connection - Downloading Code"; flow:established,to_server; content:"User-Agent|3A| PE-"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002695; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Bankem; sid:2002695; rev:6;) # BugBear #Submitted by Brad Doctor, 3/8/2005, for BugBear@MM alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Bugbear@MM virus via SMTP"; flow: established; content:"uv+LRCQID7dIDFEECggDSLm9df8C/zSNKDBBAAoGA0AEUQ+FEN23f7doqAT/dCQk/xWcEQmDxCTD"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001764; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001764; rev:6;) alert tcp $HOME_NET any -> any 139 (msg:"ET VIRUS BugBear@MM virus in Network share"; flow: established; content:"|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001765; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001765; rev:6;) alert tcp $HOME_NET any -> any 139 (msg:"ET VIRUS BugBear@MM Worm Copied to Startup Folder"; flow: established; content:"|77 00 69 00 6B 00 2E 00 65 00 78 00 65 00 00 00|"; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; classtype: misc-activity; reference:url,doc.emergingthreats.net/2001766; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_BugBear; sid: 2001766; rev:6;) # Submitted 2006-05-01 by Mark Tombaugh alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET VIRUS Mytob.X [clam] SMTP Inbound"; flow:to_server,established; content:"UEsDBAoA"; content:"ojRrPyGt"; distance:8; within:16; 
reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002892; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Nugache; sid:2002892; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Mytob.X [clam] SMTP Outbound"; flow:to_server,established; content:"UEsDBAoA"; content:"ojRrPyGt"; distance:8; within:16; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=42326; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002893; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Nugache; sid:2002893; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET VIRUS W32.Nugache SMTP Inbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; classtype:trojan-activity; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; reference:url,doc.emergingthreats.net/2002894; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Nugache; sid:2002894; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS W32.Nugache SMTP Outbound"; flow:to_server,established; content:"RE9TIG1v"; content:"GUuDQ0KJ"; distance:1; within:9; reference:url,www.symantec.com/avcenter/venc/data/w32.nugache.a@mm.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002895; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Nugache; sid:2002895; rev:4;) #by Jonathan Gross. 
Experimental alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS WinUpack Modified PE Header Inbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2003614; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET VIRUS WinUpack Modified PE Header Outbound"; flow:established; content:"|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00|"; classtype:bad-unknown; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2003615; rev:4;) #by Dan Clemens of packetninjas.net alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing in HTTP Download Possibly Hostile"; flow:from_server,established; content:"UpackByDwing|40|"; content:"PE|00 00|"; within:20; reference:url,www.packetninjas.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008946; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2008946; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing in HTTP (2) Possibly Hostile"; flow:from_server,established; content:"PE|00 00|"; content:"Upack|00 00|"; within:255; reference:url,www.packetninjas.net; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008947; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2008947; rev:2;) #matt jonkman/wes brown #falsing, needs adjustment #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile"; flowbits:isset,ET.http.binary; flow:established,from_server; content:"VirtualProtect|00|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009080; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_PE_Headers; sid:2009080; rev:3;) #These are by Vlad Tsyrklevich during presentation at Toorcon 06. These are experimental and will likely be high load. #more information at http://toorcon.org/2006/conference.html?id=29 #These are disabled by default until we learn more about them. #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE CLET polymorphic payload"; classtype:shellcode-detect; dsize: >40; content: "|74 07 eb|"; content: "|e8|"; distance: 1; within: 1; pcre: "/\xeb.[\x58-\x5b]\x31[\xc0\xc9\xd2\xdb][\xb0-\xb3].\x8b.[\x05\x2d\x35\x81\xc1]/sm"; pcre: "/[\x40-\x43\xfd\xff][\x40-\x43\xff][\x40-\x43\x80\xff][\x40-\x43\xe9-\xeb\xff\x80\x2c][\x40-\x43\x48-\x4b\xe9-\xeb\x01\x2c\x80][\x48-\x4c\xe9-\xeb\x02\x2c][\x03\x48-\x4b][\x48-\x4b]\x74\x07\xeb.\xe8.\xff\xff\xff/smR"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003117; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Polymorphic_Experimental; sid:2003117; rev:3;) #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE Shikata Ga Nai polymorphic payload"; classtype:shellcode-detect; dsize: >26; content: "|d9 74 24 f4|"; pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; pcre: 
"/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003118; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Polymorphic_Experimental; sid:2003118; rev:3;) #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE ADMutate polymorphic payload"; classtype:shellcode-detect; dsize: >45; content: "|e8|"; content: "|ff ff ff|"; distance: 1; within: 3; pcre: 
"/\xeb[\x26-\x7a].{0,20}(\x5e|\x58\x96|\x58\x89\xc6|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....|\x68....\x5b).{0,20}(\x31\xc9|\x31\xc0\x91))|((\x31\xc9|\x31\xc0\x91).{0,20}(\xbb....|\x68....\x5b))).{0,20}(\xb1.|\x6a.\x58\x89\xc1|\x6a.\x66\x59).{0,20}(\x31\x1e|\x93\x31\x06\x93|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}(\x46|\x83\xc6\x01|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003119; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Polymorphic_Experimental; sid:2003119; rev:3;) # Sobig #Unknown submitter - Sobig E-F downloading goodies alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET VIRUS Sobig.E-F Trojan Site Download Request"; dsize: 8; content:"|5c bf 01 29 ca 62 eb f1|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html; reference:url,doc.emergingthreats.net/2001547; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Sobig_Trojan_Download_Request; sid: 2001547; rev:7;) # Spy.Win32.Bancos Trojan #Submitted by Matt Jonkman for Spy.Win32.Bancos Trojan alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET VIRUS Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:"[AspackDie!]"; content:"|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0|"; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; reference:url,doc.emergingthreats.net/2001726; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Trojan-Spy.Win32.Bancos; sid: 2001726; rev:8;) #from sandnet data #Disabling by default, hits on the VB api, not unique to this virus. 
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bancos User-Agent Detected"; flow:established,to_server; content:"User-Agent\: vb wininet"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2004114; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Trojan-Spy.Win32.Bancos; sid:2004114; rev:3;) #from castlecops research, http://www.castlecops.com, sig by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J)"; flow:established,to_server; content:"User-Agent\: p4r4z1t3v3"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003638; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Win32_AV-Killer; sid:2003638; rev:3;) #by mr Magic Pants alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Win32.SMTP-Mailer SMTP Outbound"; flow:to_server,established; content:"Subject\: \: ZOMBIE"; nocase; content:"X-Library\: Indy 9.00.10"; nocase; distance:0; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095; reference:url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1; reference:url,doc.emergingthreats.net/2003041; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/VIRUS_Win32_Mailer; sid:2003041; rev:5;) # by: Jeremy Conway at sudosecure.net # ref: bbd144858cb1af3177a02900865d3134 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Possible AV KILLER- HTTP GET"; flow:established,to_server; content:"GET "; depth:4; content:" HTTP/1.0|0d 0a|"; within:200; uricontent:"SoftName="; nocase; uricontent:"SoftVersion="; nocase; uricontent:"UserIP="; nocase; uricontent:"Mac="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009487; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AVKiller; sid:2009487; 
rev:2;) # by: Jeremy Conway at sudosecure.net # ref: 01683fba555b59dac497a390e5afea47 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AVKiller with Backdoor checkin - HTTP POST"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|id="; nocase; content:"&ip_int="; nocase; content:"&os="; nocase; content:"&av="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009812; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AVKiller; sid:2009812; rev:2;) #by: Jeremy Conway at sudosecure.net # ref: cd3c73136661fea7e33ed41666953bc9 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Adware/Spyware Adrotator for Rogue AV"; flow:established,to_server; content:"GET "; depth:4; uricontent:"nsi_install.php?"; nocase; uricontent:"aff_id="; nocase; uricontent:"&inst_result="; uricontent:"&id="; nocase; classtype:trojan-activity; reference:url,www.spywaredetector.net/spyware_encyclopedia/Trojan.Vapsup.htm; reference:url,www.spywaredetector.net/spyware_encyclopedia/Fake AntiSpyware.POWER-ANTIVIRUS-2009.htm; reference:url,www.threatexpert.com/threats/adware-agent-gen.html; reference:url,novirusthanks.org/blog/2008/11/rogue-antispyware-2009-served-through-beedlyus-ads/; reference:url,doc.emergingthreats.net/2009548; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Adrotater; sid:2009548; rev:3;) #by pedro marinho alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Agent.END"; flow:to_server,established; content:"GET "; depth:4; uricontent:"idcomp="; uricontent:"&load1="; uricontent:"&hist=downloaded_user_"; uricontent:"MyValue="; pcre:"/MyValue=[a-f0-9]{32}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010243; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Agent.end; sid:2010243; rev:2;) #by Steven Adair and Shadowserver.org alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET 
TROJAN Agent.kaq Chinese IE Password Stealer Encoded Traffic"; flow:to_server,established; content:"|20 20 20 20 20 00 03 00 06 00|"; depth:10; dsize:>100; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008169; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Agent.kaq; sid:2008169; rev:4;) #by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alman Dropper Checkin"; flow:established,to_server; uricontent:"/info.asp?action=post&HD="; uricontent:"&OT="; uricontent:"&IV="; uricontent:"&AV="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009203; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Alman; sid:2009203; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alureon Checkin (Post)"; flow:established,to_server; content:"POST "; depth:5; content:" HTTP/1.0|0d 0a|"; distance:0; content:"|0d 0a 0d 0a|x="; distance:0; content:"0\;0\;0\;0"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008751; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Alureon; sid:2008751; rev:2;) #by Matt Jonkman, re 53c26839720c9b3e9c6ed9f0d288d288 alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN AntiAV Command and Control Channel (Gh0st)"; flow:established,to_server; dsize:<400; content:"Gh0st|80 01 00 00|"; depth:9; flowbits:set,ET.antiav1; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009109; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AntiAV; sid:2009109; rev:2;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN AntiAV Command and Control Channel Response (Gh0st)"; flowbits:isset,ET.antiav1; flow:established,from_server; dsize:<30; content:"Gh0st|16 00 00 00|"; depth:9; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/2009110; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_AntiAV; sid:2009110; rev:2;) #by matt jonkman, www.antispywareexpert.com alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Antispywareexpert.com Fake AS Install Checkin"; flow:established,to_server; uricontent:"/?action="; uricontent:"&pc_id="; uricontent:"&abbr="; uricontent:"&a="; uricontent:"&l="; uricontent:"&addt"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008502; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Antispywareexpert.com; sid:2008502; rev:2;) #matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Antispywaremaster.com Fake AV Checkin"; flow:established,to_server; uricontent:"?action="; uricontent:"&pc_id="; uricontent:"&abbr="; uricontent:"&err="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008282; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Antispywaremaster.com; sid:2008282; rev:2;) #by Pedro Marinho alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Antivirus2008"; flow:established,to_server; uricontent:"nick="; nocase; uricontent:"&group="; nocase; uricontent: "&os="; content:"User-Agent\:|20|Mozilla|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008483; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Antivirus2008; sid:2008483; rev:4;) #matt jonkman, re 0546aebf675cbb00f93c8040d394fa5f alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Antivirus2008 Fake AV Install Report"; flow:established,to_server; uricontent:"?type=scanner&pin="; uricontent:"&lnd="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008511; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Antivirus2008; sid:2008511; rev:2;) #by dxp alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Armitage Loader Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/exe.php"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009031; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Armitage; sid:2009031; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Armitage Exploit Request"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/bof.php"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009032; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Armitage; sid:2009032; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Armitage Loader Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/lds.php"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009036; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Armitage; sid:2009036; rev:3;) #by mareadmin alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer Command Execution"; flow:established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010909; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010909; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer DIR Listing"; flow:established; content:"|C2 E5 E5 E5 9E D5 D4 D2 D1 A1 D7 A3 A6 C8 D2 A6 A7 D3 C8 D1 84 D7 D7 C8 DD D2 A6 D2 C8 D2 A7 A7 D2 D7 A4 D6 D7 A3 D4 DC A3 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010910; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer WRITE FILE command"; flow: 
established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010911; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010911; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer READ FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A3 D3 A6 D1 D6 A0 D4 A4 C8 D4 D0 D0 D4 C8 D1 D5 D5 D5 C8 A4 D1 DD D6 C8 A6 D6 D3 D4 DC D3 DC A4 A0 A6 D1 D4 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010912; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010912; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer NOP Command"; flow:established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010913; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010913; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer FIND FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 A4 D2 A4 D7 A0 A7 D2 C8 D4 A0 D1 DC C8 D1 81 D0 83 C8 A7 D1 A1 DD C8 A1 D3 D3 D1 D0 A7 D2 D1 D1 D5 A0 D6 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010914; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010914; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer YES Command"; flow:established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010915; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010915; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer ADD RUN ONCE Command"; flow:established; content:"|C2 E5 E5 E5 9E D6 DD D1 A0 A7 A0 D7 A6 C8 A3 DC A0 A4 C8 D1 83 D3 87 C8 DC D1 A0 A3 C8 A6 DC A1 D7 A1 A4 D0 DD A3 A1 D4 D6 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010916; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010916; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"ET TROJAN Arucer DEL FILE Command"; flow:established; content:"|C2 E5 E5 E5 9E D1 A3 D1 A3 D5 A1 DD DD C8 A0 D2 D4 D0 C8 D1 87 D4 83 C8 A7 D6 D4 D4 C8 D3 D4 A0 D0 D6 D5 A6 D7 A6 DD A3 A6 98 E5|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010917; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Arucer; sid:2010917; rev:2;) #by Daniel Clemens alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ASProtect/ASPack Packed Binary - Likely Hostile"; flow:from_server,established; content:"|2E 72 73 72 63|"; content:"|2E 61 73 70 61 63 6B|"; within: 50; reference:url,www.aspack.com/downloads.aspx; reference:url,bits.packetninjas.org/eblog/; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008575; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprotect_Packed; sid:2008575; rev:2;) #by Joe Stewart of Secureworks alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN Asprox-style Message ID"; flow:established,to_server; dsize:<80; content:"Message-ID|3a20|"; depth:12; content:"|0d0a|"; within: 68; flowbits:set,ET.asproxmessageid; flowbits:noalert; reference:url,www.secureworks.com/research/threats/danmecasprox; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2008221; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprox; sid:2008221; 
rev:4;) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET TROJAN Asprox phishing email detected"; flow:established,to_server; content:"From|3a20|"; depth:6; content:"|0d0a|Bcc|3a20|"; within:150; flowbits:isset,ET.asproxmessageid; reference:url,www.secureworks.com/research/threats/danmecasprox; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2008222; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprox; sid:2008222; rev:4;) #by dxp alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Asprox Form Submission to C&C"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/forum.php"; nocase; content:"Content-Type\: multipart/form-data\; boundary=1BEF0A57BE110FD467A"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009054; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprox; sid:2009054; rev:2;) #by darren spruell alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Asprox Data Post to C&C"; flow:established,to_server; content:"POST "; depth:5; content:"name=|22|sid|22 0d 0a 0d 0a|"; nocase; content:"name=|22|upt|22 0d 0a 0d 0a|"; nocase; content:"name=|22|hcc|22 0d 0a 0d 0a|"; nocase; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/danmecasprox/; reference:url,www.toorcon.org/tcx/18_Brown.pdf; reference:url,doc.emergingthreats.net/2010270; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Asprox; sid:2010270; rev:2;) #Matt Jonkman #re c6f326609487aaae451366728ec5cdd9 alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Start"; flow:established,to_server; content:"11000"; depth:5; content:"^"; distance:4; within:5; flowbits:isnotset,ET.assassin.start; flowbits:set,ET.assassin.start; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008675; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Assassin; sid:2008675; rev:3;) alert tcp $EXTERNAL_NET 91 -> $HOME_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Session Server Reply"; flowbits:isset,ET.assassin.start; flow:established,from_server; dsize:12; content:"10000002|5e 2a|"; depth:10; flowbits:set,ET.assassin.reply; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008676; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Assassin; sid:2008676; rev:3;) alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 91 (msg:"ET TROJAN Backdoor.Win32.Assasin.20.C Control Channel Client Reply"; flow:established,to_server; dsize:10; content:"10000000|5e 2a|"; flowbits:isset,ET.assassin.reply; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008677; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Assassin; sid:2008677; rev:3;) # by: Jeremy Conway at sudosecure.net # ref: 8a8f0708b05e0177acc4c57a09c70790 c42c3b5c832ac87221bb5ac88ed3feb7 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Atya Dropper Possible Rootkit - HTTP GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:"b="; nocase; uricontent:"&idf="; nocase; uricontent:"&v="; nocase; uricontent:"&o="; nocase; reference:url,www.paretologic.com/resources/definitions.aspx?remove=%41%67%65%6e%74%20%41%74%79%61%20%54%72%6f%6a%61%6e; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009450; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Atya; sid:2009450; rev:2;) #by Jaime Blasco at alienvault and matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Aurora Backdoor (C&C) client connection to CnC"; flow:established,to_server; content:"|ff ff ff ff ff ff 00 00 fe ff ff ff ff ff ff ff ff ff 88 ff|"; depth:20; flowbits:set,ET.aurora.init; classtype:trojan-activity; 
reference:url,www.trustedsource.org/blog/373/An-Insight-into-the-Aurora-Communication-Protocol; reference:url,doc.emergingthreats.net/2010695; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Aurora; sid:2010695; rev:2;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Aurora Backdoor (C&C) connection CnC response"; flowbits:isset,ET.aurora.init; flow:established,from_server; content:"|cc cc cc cc cd cc cc cc cd cc cc cc cc cc cc cc|"; depth:16; classtype:trojan-activity; reference:url,www.trustedsource.org/blog/373/An-Insight-into-the-Aurora-Communication-Protocol; reference:url,doc.emergingthreats.net/2010696; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Aurora; sid:2010696; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Autorun.qvi Related HTTP Get on Off Port"; flow:established,to_server; content:"GET /get_r.php?fid="; depth:19; content:"&mac="; distance:0; within:15; content:"&version="; distance:0; content:"&uuid="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008755; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Autorun; sid:2008755; rev:2;) # by: Jeremy Conway at sudosecure.net # ref: 5af1c119ba1818099b4e4915f5bb15e9 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Win32.Autorun HTTP Post"; flow:established,to_server; content:"POST "; depth:5; uricontent:"cbID="; nocase; uricontent:"cbVer="; nocase; uricontent:"cbTit="; nocase; content:!"User-Agent\:"; nocase; content:"cbBody="; nocase; reference:url,www.threatexpert.com/threats/worm-win32-autorun.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009516; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Autorun; sid:2009516; rev:2;) #General BHOs and the like #by Jeremy at Sudosecure # ref: a2404de3a35a263d775ceb451173f304 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET TROJAN Rouge Security Software Win32.BHO.egw"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?"; nocase; uricontent:"affid="; nocase; uricontent:"subid="; nocase; uricontent:"guid="; nocase; uricontent:"ver="; nocase; uricontent:"key="; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Trojan.Win32.BHO.egw&threatid=313636; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008461; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_BHO; sid:2008461; rev:2;) #by Marcus at unsober # ref: 30b2cc13a86a15396a25e89c2860351d alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor Possible Backdoor.Cow Varient (Backdoor.Win32.Agent.lam) C&C traffic"; content:"|6C 3C|"; depth:2; content:"|3E 20|"; within:3; content:"bid="; nocase; within:20; content:"bver="; nocase; within:20; content:"bip="; nocase; within:20; content:"bn="; nocase; within:20; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008465; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Cow; sid:2008465; rev:2;) #by Pedro Marinho #re 4bde1bc2f7b6d4e11b1a570aaa52df57 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Agent.fvt Checkin"; flow:established,to_server; content:"GET "; depth:4; content:".php?"; nocase; content:"lversion="; nocase; content:"wversion=&eversion=&fid="; nocase; content:"&mac="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008667; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.General; sid:2008667; rev:3;) #matt jonkman, re 1f8169a4694ec450a9f247469b7cbaf4 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Win32 Backdoor Checkin POST Packet 1"; flow:established,to_server; uricontent:"/add.php"; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; MSIE 6.0\; Windows NT 5.1\; SV1)|0d 0a|"; flowbits:noalert; 
flowbits:set,ET.bd1; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009240; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.General; sid:2009240; rev:2;)
# Second half of the ET.bd1 pair: sid 2009240 (noalert) sets the flowbit on the /add.php request headers,
# and this rule only fires once that bit is set on the same flow. depth:10 pins |0d 0a 0d 0a|Admin= to the
# very start of the payload, so the body is expected to arrive in a segment separate from the headers.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Win32 Backdoor Checkin POST"; flow:established,to_server; content:"|0d 0a 0d 0a|Admin="; depth:10; content:"&UserName="; distance:0; within:25; content:"&IsProxy="; distance:0; within:50; flowbits:isset,ET.bd1; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009241; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.General; sid:2009241; rev:2;)
#Matt Jonkman, analysis from captured binary
# Don't know a lot about this one. But the control session is apparently opened by a 00 00 00 00
# Then the bot replies with a packet that begins with the date in form such as 20060622, and
# among other things contains the host OS info.
# Since this is a Windows bot, we can assume the word Windows will be in there.
# Hopefully we can update these as more is learned. This is sorta crude, but should
# be reliable to not false pos at least....
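# Hupigon control-channel pair. Stage 1 below matches ANY 4-byte all-zero payload to port 8000 and sets
# BSHupigonControlStart; it carries no flowbits:noalert, so it alerts on its own rather than only feeding
# stage 2. That trigger is very generic -- NOTE(review): confirm whether stage 1 was meant to be noalert.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET TROJAN Backdoor.Hupigon Possible Control Connection Being Established"; flow:established,to_server; dsize:4; content:"|00 00 00 00|"; flowbits:set,BSHupigonControlStart; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html; reference:url,doc.emergingthreats.net/2002974; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Hupigon; sid:2002974; rev:3;)
# Stage 2: the bot reports its OS string on the same flow. The second, duplicated
# flowbits:isset,BSHupigonControlStart that followed the content match was redundant and is removed
# (rev bumped); the match logic is unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET 8000 (msg:"ET TROJAN Backdoor.Hupigon INFECTION - Reporting Host Type"; flow:established,to_server; flowbits:isset,BSHupigonControlStart; content:"Windows "; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/1051/bds_hupigon.bo.html; reference:url,doc.emergingthreats.net/2002975; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Hupigon; sid:2002975; rev:4;)
#by Matt Jonkman
# CD-key harvest upload: both strings must be present and in order (distance:0 anchors the second
# match after the first). Destination is any port >=1024, not restricted to FTP despite the msg.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.cfi (related) System Info Upload via FTP"; flow:established,to_server; content:"*************CD-Key Pack**************"; content:"|0d 0a|Microsoft Windows Product ID CD Key\:"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008005; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.VB.cfi; sid:2008005; rev:3;)
#by Scott Melnick
# Single-byte 0x04 payload to port 1337 with PSH+ACK set (the ",12" mask ignores the two reserved
# flag bits). The content itself is one byte; the port, flags and dsize constraints carry the specificity.
alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1337 (msg:"ET TROJAN Win32.SkSocket C&C Connection"; flow:established,to_server; flags:PA,12; dsize:1; content:"|04|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007585; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.SkSocket; sid:2007585; rev:4;)
#by matt jonkman and victor julien
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg 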
C&C Checkin"; flow:established,to_server; content:"Status|2a 28|Idle|2e 2e 2e 29 2a|"; depth:17; offset:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007922; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007922; rev:5;)
# Version report: "Version(*" at payload offset 0, followed by ")*" within the next 8 bytes.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Reporting Version"; flow:established,to_server; content:"Version|28 2a|"; depth:9; offset:0; content:"|29 2a|"; within:8; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007979; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007979; rev:5;)
# Kill command from the controller, payload under 35 bytes starting with "kill-".
# NOTE(review): the three dots in the pcre are unescaped, so each matches any byte rather than a
# literal '.', making the pattern looser than the IP:port form it appears to describe -- presumably
# "\." was intended; confirm against a capture before tightening.
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Send"; flow:established,from_server; dsize:<35; content:"kill-"; offset:0; depth:5; pcre:"/kill\-\d+.\d+.\d+.\d+\:\d+%\d+/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007980; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007980; rev:3;)
# NOTE(review): msg says "Kill Command Acknowledge" but the exact 29-byte payload matched decodes to
# "Status(*UDP Attack Running!*(" -- confirm which status string the bot sends in reply to a kill.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Acknowledge"; flow:established,to_server; dsize:29; content:"Status|28 2a|UDP Attack Running!|2a 28|"; offset:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007981; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007981; rev:4;)
# NOTE(review): header is $HOME_NET -> $EXTERNAL_NET but the flow keyword is from_server, unlike the
# to_server rules above in this family; for traffic labelled "Outbound" that looks inconsistent --
# confirm the intended direction, otherwise the rule may never match.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C DDoS Outbound"; flow:established,from_server; dsize:>100; content:"|ff ff ff ff|"; depth:4; content:" own you bitch!"; within:20; content:"|01 01 01 01 01 01 01 01 01 01 01 01 01|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007982; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2007982; rev:3;)
#matt jonkman, re 
0ec9e59de960ec4a7d585a9ad7fc5719 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.VB.fdi Bot Reporting to Controller"; flow:established,to_server; content:"state\: 0 - zombie is ready for control"; depth:38; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008507; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Backdoor.Win32.VB; sid:2008507; rev:2;) #by Jeremy of sudosecure # ref: 82b9407337a991b52daffd0078d02e6a alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker/Banbra Variant POST via x-www-form-urlencoded"; flow:established,to_server; uricontent:".php"; content:"POST "; depth:5; content:"|0D0A|Content-Type|3a20|application/x-www-form-urlencoded|0D0A|Content-Length|3A20|"; depth:150; nocase; content:"from="; nocase; content:"|26|FromMail="; nocase; content:"|26|destino="; nocase; content:"|26|assunto="; nocase; content:"|26|mensagem="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008331; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banbra; sid:2008331; rev:3;) #Matt jonkman, re 0d3ff9cfa6b1d6a8aeabaf0d73e1fc5c alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker/Banbra Related HTTP Post-infection Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|tipo=cli&cli="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009296; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banbra; sid:2009296; rev:2;) #by Matt Jonkman #Bandook 1.2 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.2 Initial Connection and Report"; flowbits:isnotset,BE.Bandook1.2; flow:established,to_server; content:"&first& # "; pcre:"/# \d+d \d+dh \d+m # /iR"; classtype:trojan-activity; flowbits:set,BE.Bandook1.2; reference:url,www.nuclearwintercrew.com; 
reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003549; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.2 Get Processes"; flowbits:isset,BE.Bandook1.2; flow:established,to_server; dsize:8; content:"|99 9b 86 8a 85 80 9a 9d|"; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003550; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.2 Kill Process Command"; flowbits:isset,BE.Bandook1.2; flow:established,to_server; dsize:>8; content:"kill3d"; offset:0; depth:6; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003551; rev:5;) alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.2 Reporting Socks Proxy Active"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:7; content:"sockson"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003552; rev:5;) alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.2 Reporting Socks Proxy Off"; 
flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:8; content:"socksoff"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003553; rev:5;) alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.2 Client Ping Reply"; flowbits:isset,BE.Bandook1.2; flow:established,from_server; dsize:10; content:"&SEXREPLY&"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003554; rev:5;) #Bandook 1.35 alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Initial Connection and Report"; flowbits:isnotset,BE.Bandook1.35; flow:established,to_server; content:"|cf 8f|"; offset:0; depth:2; content:"|20 26 26 26|"; distance:50; classtype:trojan-activity; flowbits:set,BE.Bandook1.35; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003555; rev:5;) alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Keepalive Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:6; content:"|cf ab a8 a7 ae cf|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; 
reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003556; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Keepalive Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:9; content:"|cf ab a8 a4 ae cf 26 26 26|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003557; rev:5;) alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Create Registry Key Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>10; content:"|cf 9b 8c 8e 8a 9b cf|"; offset:0; depth:7; content:"|95|"; distance:5; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003558; rev:5;) alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Create Directory Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>7; content:"|cf 84 82 8d 80 9b cf 95|"; offset:0; depth:8; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003559; rev:5;) alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Window List Command 
Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:10; content:"|cf 8e 80 84 84 8c 9e 80 87 cf|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003560; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Window List Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:>10; content:"|cf 9e 80 87 85 80 9a 9d cf|"; offset:0; depth:9; content:"|26 26 26|"; distance:10; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003561; rev:5;) alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Get Processes Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:8; content:"|99 9b 86 8a 85 80 9a 9d|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003562; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Get Processes Command Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:>10; content:"|cf 9d 82 99 9b 86 8a cf|"; offset:0; depth:8; content:"|26 26 26|"; distance:10; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; 
reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003565; rev:5;) alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Bandook v1.35 Start Socks5 Proxy Command Send"; flowbits:isset,BE.Bandook1.35; flow:established,from_server; dsize:>6; content:"|a7 a0 a7 ae 95|"; offset:0; depth:5; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003563; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandook v1.35 Socks5 Proxy Start Command Reply"; flowbits:isset,BE.Bandook1.35; flow:established,to_server; dsize:10; content:"|9a 86 8a 82 9a 86 87 26 26 26|"; offset:0; classtype:trojan-activity; reference:url,www.nuclearwintercrew.com; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanBandook; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003564; rev:5;) #by Joe Stewart alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Bandok phoning home (xor by 0xe9 to decode)"; flow:established,to_server; content:"|CF 8F 80 9B 9A 9D CF 95|"; depth:8; dsize:<80; reference:url,www.dshield.org/diary.html?date=2007-03-28; reference:url,www.secureworks.com/research/threats/bbbphish/?threat=bbbphish; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003936; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003936; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 
Bandook iwebho/BBB-phish trojan leaking user data"; flow:established,to_server; content:"POST|20|/"; depth:6; content:"|20|HTTP/1.1|0d0a|Content-Type|3a20|application/x-www-form-urlencoded|0d0a|Host|3a20|"; within:150; content:"Content-Length|3a20|"; within:100; content:"|0d0a0d0a|"; within:12; content:"VISITED_URL"; within:100; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/bbbphish; reference:url,doc.emergingthreats.net/2003937; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bandook; sid:2003937; rev:4;) #by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.OT Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"User-Agent\: Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a 0d 0a|praquem="; content:"&titulo="; content:"&texto="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007823; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007823; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.OT Checkin (2 packet)"; flow:established,to_server; content:"praquem="; depth:8; content:"&titulo="; content:"&texto="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008491; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2008491; rev:2;) #A different one, by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.anv Generally Suspicious User-Agent (CustomExchangeBrowser)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; content:"CustomExchangeBrowser"; pcre:"/User-Agent\:[^\n]+CustomExchangeBrowser/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007824; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007824; rev:2;) #Banker.OPX, by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ET TROJAN Banker.OPX HTTP Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|TIPO=CLIENTE&NOME="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007901; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007901; rev:2;) #Banker.ili by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.ili HTTP Checkin"; flow:established,to_server; uricontent:"/ctrl/cnt_boot.php?pgv="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007940; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007940; rev:2;) alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Banker.ike UDP C&C"; content:"|86 71 3b 72 50 61 7d 95 5f 61 46|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007957; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007957; rev:2;) #matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker Trojan (General) HTTP Checkin"; flow:established,to_server; uricontent:".php?PC="; uricontent:"&Data="; uricontent:"&Mac="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007984; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007984; rev:2;) #matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker Trojan (General) HTTP Checkin (vit)"; flow:established,to_server; uricontent:".php"; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a|"; content:"vit="; nocase; content:"&bk="; nocase; content:"&dados="; nocase; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2007999; rev:2;) #matt jonkman alert tcp $HOME_NET 
any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.maf SMTP Checkin (Not in the Control...)"; flow:established,to_server; content:"|0a|X-Mailer|3a| Microsoft CDO for Windows 2000"; content:"|0d 0a|_-=|7c| Not in the Control System 6.0 |7c|=-_|0d 0a|.|0d 0a|"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2008033; rev:5;) #matt jonkman, banker.JU alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.JU Related HTTP Post-infection Checkin"; flow:established,to_server; uricontent:"/envio.php?"; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a 0d 0a|tipo="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008267; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2008267; rev:2;) #by pmarinho alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.zrm/Infostealer.Bancos Checkin"; flow:established,to_server; content:"GET ";depth:4; uricontent:"appdata="; nocase; uricontent:"hd="; nocase; uricontent:"mac="; nocase; uricontent:"computador="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2008519; rev:2;) #by cjeremy # ref: 8dce7edf84300fbc258c94ce4b47a366 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Generic Banker Trojan Downloader Config to client"; flow:established,to_client; content:"[Controlinfo]"; nocase; depth:13; content:"CntInfo="; within:9; nocase; content:"UseSepControl="; within:30; nocase; content:"Names="; within:20; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009090; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009090; rev:2;) #matt jonkman alert tcp $HOME_NET any -> 
$EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Banker.PWS POST Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a 0d 0a|IDMAQUINA="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009127; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009127; rev:2;) #by Dan Clemens alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWSteal.Bancos Generic Banker Trojan SCR Download"; flow:to_server,established; uricontent:"/keylogf.jpg"; nocase; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-050210-0214-99&tabid=2; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2009235; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009235; rev:2;) #by: Joe Stewart at SecureWorks #ref: cfcdf7c9066dfab0dcca1683603e4ee6 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TSPY_BANKER.IDV/Infostealer.Bancos Module Download"; flow:established,to_server; content:"GET|20|/"; depth:5; content:"| 0d0a|User-Agent|3a20|Mozilla|2f|4.0|2028|compatible|3b20|MSIE|20|6.0| 3b2020|Windows|20|NT|20|5.1|3b20|SV1|3b20|.NET|20|CLR|20|1.1.4322| 3b20|.NET|20|CLR|20|2.0.50727|290d0a|Host|3a20|"; content:"|0d0a|Accept|3a202a2f2a|"; within:80; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009447; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009447; rev:3;) # by: Jeremy Conway at sudosecure.net # ref: 43347bed87a3427b97a8a4bb50d3f06c alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bancos/Banker Info Stealer Post"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)"; nocase; content:"op="; nocase; content:"servidor="; nocase; content:"senha="; 
nocase; content:"usuario="; nocase; content:"base="; nocase; content:"sgdb="; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/Trojan.Bancos/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.Bancos; reference:url,doc.emergingthreats.net/2009471; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009471; rev:2;) # by: Jeremy Conway at sudosecure.net # ref: db255a75745f90e2f1cb807c35d752b0 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker PWS/Infostealer HTTP GET Checkin"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: Microsoft Internet Explorer|0d 0a|"; nocase; uricontent:"guid="; nocase; uricontent:"ver="; nocase; uricontent:"stat="; nocase; uricontent:"ie="; nocase; uricontent:"os="; nocase; uricontent:"ut="; nocase; uricontent:"cpu="; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,doc.emergingthreats.net/2009550; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009550; rev:2;) # by: Jeremy Conway at sudosecure.net # ref: 45545f7afce0b3e9d02a9a04ff374dc6 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker/Bancos/Infostealer Possible Rootkit - HTTP HEAD Request"; flow:established,to_server; content:"HEAD "; nocase; depth:5; uricontent:".php?action="; nocase; uricontent:"&uid="; nocase; uricontent:"&locale="; nocase; uricontent:"&ver="; nocase; uricontent:"&build="; nocase; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/Trojan.Banker/; reference:url,www.anti-spyware-101.com/remove-trojanbanker; reference:url,doc.emergingthreats.net/2009750; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009750; rev:2;) #matt jonkman #banker trojan with a custom cnc alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET 
TROJAN Banker Trojan CnC AddNew Command"; flow:established,to_server; dsize:<120; content:"[S]ADDNEW|7c|"; depth:10; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009862; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009862; rev:2;) alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Banker Trojan CnC Hello Command"; flow:established,to_server; dsize:12; content:"[S]hello["; depth:9; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009863; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009863; rev:2;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN Banker Trojan CnC Server Ping"; flow:established,from_server; dsize:5; content:"PING|7c|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009864; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banker.General; sid:2009864; rev:2;) #by Darren Spruell alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Patcher/Bankpatch Communication with Controller"; flow:established,to_server; uricontent:"id="; nocase; uricontent:"&check="; nocase; uricontent:"&version="; nocase; pcre:"/\?id=[A-Za-z]+_[A-Za-z]+&/U"; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-081817-1808-99&tabid=2; reference:url,doc.emergingthreats.net/2009408; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bankpatch; sid:2009408; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Patcher/Bankpatch Module Download Request"; flow:established,to_server; uricontent:"/dl/AcroIEHelpe"; nocase; uricontent:".dll"; nocase; pcre:"/\/dl\/AcroIEHelpe(r)?(\d)?\.dll/U"; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-081817-1808-99&tabid=2; reference:url,doc.emergingthreats.net/2009409; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bankpatch; sid:2009409; rev:2;)
#Matt Jonkman
# Regular downloader, usually grabs a few SWF exploit files from Brazilian servers. Sends an email on install
# Outbound SMTP notification: every content string is an unordered, case-insensitive match on the message
# body/headers (no distance/within between them), so all six must appear somewhere in the packet.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banload Downloader Infection - Sending initial email to owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Dispositivo instalado."; nocase; content:"Maquina pronta para uso."; nocase; content:"Data\: "; nocase; content:"Hora\: "; nocase; content:"Development by "; nocase; classtype:trojan-activity; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=95586; reference:url,doc.emergingthreats.net/2002977; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2002977; rev:3;)
# NOTE(review): the User-Agent match is not anchored with a leading |0d 0a|, so it also matches the
# string inside any other header that ends in "User-Agent" -- harmless for this UA value, but the
# sibling rules in this file anchor it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload User-Agent Detected (ExampleDL)"; flow:established,to_server; content:"User-Agent\: ExampleDL"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2004440; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2004440; rev:3;)
#matt jonkman
# Indy Library UA with the form body starting "tipo=" immediately after the header terminator.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible|3b| Indy Library)|0d 0a 0d 0a|tipo="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007863; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2007863; rev:4;)
# URI-parameter checkin; all uricontent matches are unordered and case-insensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin Detected"; flow:established,to_server; uricontent:"php?mac="; nocase; uricontent:"&hdd="; nocase; uricontent:"++++++++"; nocase; uricontent:"&ver="; nocase; uricontent:"&ie="; nocase; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/2007864; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2007864; rev:2;) #Disabling, hits on a few legit apps #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload User-Agent Detected (WebUpdate)"; flow:established,to_server; content:"|0d 0a|User-Agent\: WebUpdate|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008074; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008074; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin Detected (envia.php)"; flow:established,to_server; uricontent:"/envia.php"; nocase; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a|"; nocase; content:"praquem="; distance:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008256; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008256; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload HTTP Checkin Detected (quem=)"; flow:established,to_server; uricontent:".php"; nocase; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a 0d 0a|quem="; content:"praquem="; distance:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008283; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008283; rev:2;) #by Marcus at unsober.org # This one uses gadugadu for CnC. 
Labeled banload but likely it's something else alert tcp $HOME_NET any -> $EXTERNAL_NET 8074 (msg:"ET TROJAN Banload Gadu-Gadu CnC Message Detected"; flowbits:isset,ET.gadu.loggedin; flow:established,to_server; content:"Uruchomiono trojana, wpisz help aby uzyskac pomoc"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008320; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008320; rev:2;) #by Will Metcalf alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload iLLBrain Trojan Activity"; flow:to_server,established; content:"GET "; depth:4; content:"User-Agent\: Microsoft URL Control"; nocase; uricontent:"/iLL"; uricontent:".xxx"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2008328; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008328; rev:4;) #by bojan zdrnja of ISC alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload POST Checkin (dados)";flow:established,to_server; content: "POST "; depth:5; content:"PC="; nocase; content: "&USER="; nocase; content:"&HASH="; nocase; content:"&DADOS="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008477; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2008477; rev:2;) #by: Jeremy Conway at sudosecure.net # ref: 373b5b9e7d4d92aee575ba8b4e4549d8 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BANLOAD Downloader GET Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"mac="; uricontent:"sys="; uricontent:"yp="; uricontent:"rand="; nocase; pcre:"/mac=[0-9A-Fa-f]{12}&/Ui"; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojbanloe.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009453; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; 
sid:2009453; rev:2;) #by pedro marinho alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banload Checkin"; flow:to_server,established; content:"GET "; depth:4; uricontent:"c=voip&ord=";nocase;uricontent:"=&SCRNSZ"; uricontent:"&BRSRSZ=";uricontent:"&TIMEZONE="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010266; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Banload.Downloader; sid:2010266; rev:2;) #by matt Jonkman, from sandnet analysis alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Basine Trojan Checkin"; flow:established,to_server; dsize:>1000; content:"|0d 0a 0d 0a|a="; content:"&b=reported"; distance:0; within:40; content:"&d=report"; distance:0; within:40; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007692; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Basine; sid:2007692; rev:3;) #by Darren Spruell alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Urlzone/Bebloh Communication with Controller"; flow:established,to_server; content:"GET "; depth:4; uricontent:"?type=slg&id="; nocase; pcre:"/\?type=slg&id=[0-9A-Z]{18}/U"; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_BEBLOH.KO&VSect=Td; reference:url,doc.emergingthreats.net/2009351; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bebloh; sid:2009351; rev:3;) #by Marcus at sober.org alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Urlzone/Bebloh Trojan Check-in"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php"; content:"N="; content:"&ID="; content:"&DATA="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009520; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bebloh; sid:2009520; rev:2;) #by jerry at cybercave alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET TROJAN Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/ff.ie?rnd="; nocase; pcre:"/\/ff\.ie\?rnd=\d+/Ui"; content:"|0d 0a 0d 0a|p="; nocase; content:"&ot="; nocase; distance:0; content:"&njeb="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010565; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bebloh; sid:2010565; rev:3;) #by deapesh misra alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET TROJAN Bifrose Connect to Controller"; flow:established,to_server; dsize:<20; content:"|09 00 00 9a|"; depth:4; content:"|cc|"; distance:3; within:4; content:"|74|"; distance:3; within:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008273; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose; sid:2008273; rev:3;) alert tcp $EXTERNAL_NET 81 -> $HOME_NET any (msg:"ET TROJAN Bifrose Response from Controller"; flow:established,from_server; dsize:9; content:"|05 00 00 00 BC|"; depth:5; content:"|CC|"; distance:3; within:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008274; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose; sid:2008274; rev:3;) #matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET TROJAN Bifrose Connect to Controller (variant 2)"; flow:established,to_server; dsize:<220; content:"|d2 00 00 9b|"; depth:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008532; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose; sid:2008532; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose Connect to Controller (PING PONG)"; flow:stateless; dsize:10; content:"PING |3a|i.|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009128; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose; flowbits:set,ET.bifrose1; sid:2009128; 
rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bifrose Response from Controller (PING PONG)"; flow:stateless; flowbits:isset,ET.bifrose1; dsize:9; content:"PONG |3a|i.|0d|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009129; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose; sid:2009129; rev:3;) #by deapesh misra alert tcp $HOME_NET 81 -> $EXTERNAL_NET any (msg:"ET TROJAN Bifrose Response from victim"; flow:established,to_server; dsize:13; content:"|09 00 00 00 9a|"; depth:5; content:"|74|"; distance:7; within:8; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009797; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bifrose; sid:2009797; rev:2;) #analysis by Jose Nazario at arbor networks. Sig by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; content:"POST "; depth:5; dsize:<400; content:"|0d 0a|Cache-Control\: no-cache|0d 0a 0d 0a|id="; content:"&build_id="; distance:5; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/"; classtype:trojan-activity; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blackenergy; sid:2007668; rev:4;) #by Darren Spruell alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C (2)"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a 0d 0a|getp="; nocase; content:"&id="; nocase; content:"&ln="; nocase; content:"&cn="; nocase; content:"&nt="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009546; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blackenergy; sid:2009546; rev:2;) #by Jaime Blasco alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
TROJAN Blackenergy Bot Checkin to C&C (2)"; flow:to_server,established; content:"POST "; depth:5; content:"|0d 0a 0d 0a|"; content:"id="; nocase; distance:0; content:"&ln="; nocase; content:"&cn="; nocase; content:"&nt="; nocase; content:"&bid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010875; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blackenergy; sid:2010875; rev:3;) #by spooker alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BlackEnergy v2.x HTTP Request with Encrypted Variables"; flow:to_server,established; content:"POST "; depth:5; uricontent:"/getcfg.php"; nocase; content:"|0d 0a 0d 0a|sksgh="; nocase; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2; reference:url,doc.emergingthreats.net/2010885; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blackenergy; sid:2010885; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BlackEnergy v2.x Plugin Download Request"; flow:to_server,established; content:"POST "; depth:5; uricontent:"/getcfg.php"; nocase; content:"|0d 0a 0d 0a|"; content:"getp="; distance:0; content:"id="; content:"ln="; content:"bid="; content:"nt="; content:"cn="; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/blackenergy2/?threat=blackenergy2; reference:url,doc.emergingthreats.net/2010886; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blackenergy; sid:2010886; rev:2;) #fake search site, distributed backdoor.agent.aqr and others alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blink.com related Backdoor Checkin"; flow:established,to_server; uricontent:"/?vn="; nocase; uricontent:"&partner="; nocase; uricontent:"&ptag="; nocase; uricontent:"&b="; nocase; uricontent:"&se="; nocase; uricontent:"&au="; nocase; flowbits:set,ET.blink.get; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/2007805; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blink.com; sid:2007805; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Blink.com related Upgrade Command Given";flowbits:isset,ET.blink.get; flow:established,from_server; content:"|0d 0a|X-Messaging\: This is an important download|0d 0a|Location\: http\://"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007806; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Blink.com; sid:2007806; rev:2;) #matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Boaxxe HTTP POST Checkin"; flow:established,to_server; uricontent:"/u/"; content:"POST "; depth:5; content:"|0d 0a|user-Agent\: Internet Explorer|0d 0a|"; content:"|0d 0a 0d 0a|a="; distance:0; content:"&b="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009297; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Boaxxe; sid:2009297; rev:2;) #this really isn't Kraken, appears to really be bobax, but reported as kraken. 
#These sigs are a first attempt, hopefully this will improve alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Outbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008103; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Outbound"; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008104; rev:3;) alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET TROJAN Bobax/Kraken/Oderoor UDP 447 CnC Channel Initial Packet Inbound"; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008105; rev:3;) alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET TROJAN Bobax/Kraken/Oderoor TCP 447 CnC Channel Initial Packet Inbound"; flow:established; dsize:24; threshold:type threshold, track by_src, count 2, seconds 360; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008106; rev:3;) alert udp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Inbound"; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008107; rev:3;) alert tcp $EXTERNAL_NET 447 -> $HOME_NET 1024: (msg:"ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Inbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008108; rev:3;) alert udp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET TROJAN Possible Bobax/Kraken/Oderoor UDP 447 CnC Channel Outbound"; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008109; rev:3;) alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 447 (msg:"ET TROJAN Possible Bobax/Kraken/Oderoor TCP 447 CnC Channel Outbound"; flow:established; threshold:type threshold, track by_src, count 5, seconds 60; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/OdeRoor; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bobax; sid:2008110; rev:3;) # Bofra Worm #submitted by Matt Jonkman, additions by David Maciejak - Bofra Worm alert tcp $HOME_NET !$HTTP_PORTS -> $EXTERNAL_NET 1639 (msg:"ET WORM Bofra Victim Accessing Reactor Page"; flow: from_client,established; content:"GET "; nocase; content:"reactor"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.bofra.e@mm.html; reference:url,us.mcafee.com/virusInfo/default.asp?id=description&virus_k=129631; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001430; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bofra; sid: 2001430; rev:10;) #by Jeffrey Brown, re 33f56ffda981afa725d530be3d1e1cfb alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET 
TROJAN Bravix Checkin"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?wmid="; uricontent:"&l="; uricontent:"&it="; uricontent:"&s="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008541; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bravix; sid:2008541; rev:2;) #by darren spruell alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bredavi Configuration Update Response"; flow:established,from_server; content:"|0d 0a 0d 0a 21|new_config|0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010790; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi; sid:2010790; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredavi Checkin"; flow:established,to_server; uricontent:".php?id="; nocase; uricontent:"&ver="; nocase; uricontent:"&up="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010791; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi; sid:2010791; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredavi Proxy Registration"; flow:established,to_server; uricontent:"/socks.php?name="; nocase; uricontent:"&port="; nocase; pcre:"/\/socks\.php\?name=[^&]+&port=\d{1,5}$/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010792; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi; sid:2010792; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredavi Binary Download Request"; flow:established,to_server; uricontent:".php?id="; nocase; uricontent:"&magic="; nocase; pcre:"/\.php\?id=\d+&magic=(-)?\d+$/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010793; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredavi; sid:2010793; rev:2;) #by Darren Spruell alert tcp $HOME_NET 
any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Downloader Communicating With Controller (1)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&entity_list="; nocase; uricontent:"&uid="; nocase; uricontent:"&first="; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader\:Win32/Bredolab.B; reference:url,doc.emergingthreats.net/2009353; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2009353; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Downloader Communicating With Controller (2)"; flow:established,to_server; uricontent:"action="; nocase; uricontent:"&guid="; nocase; uricontent:"&rnd="; nocase; uricontent:"&uid="; nocase; uricontent:"&entity="; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader\:Win32/Bredolab.B; reference:url,doc.emergingthreats.net/2009354; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2009354; rev:5;) #by Jaime Blasco alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Check In"; flow:established,to_server; content:"GET "; depth:4; uricontent:"v="; uricontent:"&s="; uricontent:"&uid="; uricontent:"&p="; uricontent:"&q="; content:"User-Agent\:|0d 0a|"; classtype:trojan-activity; reference:url,www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/; reference:url,doc.emergingthreats.net/2009360; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2009360; rev:5;) #by Darren Spruell alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bredolab Downloader Response Binaries from Controller"; flow:established,from_server; content:"|0d 0a|Entity-Info|3a|"; nocase; content:"|0d 0a|Magic-Number|3a|"; 
nocase; pcre:"/\x0d\x0aEntity-Info\x3a\s+\d+\x3a\d+/"; pcre:"/\x0d\x0aMagic-Number\x3a\s+\d+\|\d+/"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader\:Win32/Bredolab.B; reference:url,doc.emergingthreats.net/2009388; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2009388; rev:2;) # # Bredolab Infection alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hiloti/Mufanom Downloader Checkin"; flow:established,to_server; uricontent:"/get.php?c="; nocase; uricontent:"&d="; nocase; pcre:"/\/get\.php\?c=[A-Z]{8}&d=[0-9A-F]{250,}$/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fHiloti.gen!A; reference:url,doc.emergingthreats.net/2010071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010071; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bredolab Infection - Windows Key"; flow:established,to_server; uricontent:"?s=Windows"; nocase; uricontent:"&p="; nocase; pcre:"/\&p=[0-9A-Za-z]{5}\-[0-9A-Za-z]{5}\-/"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010072; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010072; rev:3;) #by evilghost alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Syrutrk/Gibon/Bredolab Checkin"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?ddos=x"; nocase; pcre:"/\x3Fddos\x3D(x\d{1,2}){5,}/Ui"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSyrutrk.A; reference:url,www.threatexpert.com/report.aspx?md5=a5f94577d00d0306e4ef64bad30e5d37; reference:url,www.threatexpert.com/report.aspx?md5=011d403b345672adc29846074e717865; reference:url,doc.emergingthreats.net/2010381; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010381; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake AV GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?"; nocase; uricontent:"affid="; nocase; uricontent:"subid="; nocase; uricontent:"type="; nocase; uricontent:"version="; nocase; uricontent:"adware"; nocase; classtype:trojan-activity; reference:url,threatexpert.com/report.aspx?md5=8d1b47452307259f1e191e16ed23cd35; reference:url,doc.emergingthreats.net/2010382; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bredolab; sid:2010382; rev:2;) #by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Brontok User-Agent Detected (Brontok.A3 Browser)"; flow:established,to_server; content:"User-Agent\: Brontok"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006999; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Brontok; sid:2006999; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Brontok/Joseray User-Agent Detected (Joseray.A3 Browser)"; flow:established,to_server; content:"User-Agent\: Joseray"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008765; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Brontok; sid:2008765; rev:2;) alert tcp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Buzus FTP Log Upload"; flow:established,to_server; dsize:100<>500; content:"|20 20 20 20|"; depth:4; content:"************CD-Key Pack************"; distance:0; content:"Microsoft Windows Product ID CD Key\: "; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008750; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus; sid:2008750; rev:2;) #by Jaime Blasco alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 
Buzus Posting Data"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/fdsupdate"; content:"|0d 0a 0d 0a|PUTF"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010064; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus; sid:2010064; rev:2;) #Jason aka dn1nj4 at shadowserver dot org alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Buzus Trojan Proxy Attempt"; flow:established,to_server; content:"Gh0st"; depth:5; flowbits:set,ET.buzus_client; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010859; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus; sid:2010859; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Buzus Proxy Server Response"; flow:established,from_server; content:"Gh0st"; depth:5; flowbits:isset,ET.buzus_client; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010860; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus; sid:2010860; rev:2;) #matt jonkman, labeled logsnif, bzub2, dopip alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bzub2 Related RPC/Http Checkin"; flow:established,to_server; uricontent:"/rpc.php?a=ftp%3A%2F%2F"; nocase; uricontent:"&b="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007843; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bzub; sid:2007843; rev:2;) #by Darren Spruell alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Metafisher/Bzub/Cimuz/Tanspy Reporting User Activity"; flow:established,to_server; uricontent:"ver="; nocase; uricontent:"&lg="; nocase; uricontent:"&phid="; nocase; uricontent:"&r="; pcre:"/phid=[A-F0-9]{64}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009349; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Bzub; sid:2009349; rev:3;) #by William Salusky of AOL, modified to 
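#use httpinspect
# NOTE(review): in an earlier copy of this file the `&param=` key below had become `¶m=` -- the
# `&para` prefix was decoded as the HTML entity for the pilcrow. Restored to `&param=` so the rule
# can match the real query string alongside the other `&name=` keys it already requires.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cashout Proxy Bot reg_DST"; flow:to_server,established; uricontent:".php?"; uricontent:"lang="; uricontent:"&pal="; uricontent:"&bay="; uricontent:"&gold="; uricontent:"&id="; uricontent:"&param="; uricontent: "&socksport="; uricontent:"&httpport="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008248; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cashout_Proxy; sid:2008248; rev:2;)
#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cashpoint.com Related checkin User-Agent (inetinst)"; flow:established,to_server; content:"|0d 0a|User-Agent\: inetinst|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007808; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cashpoint.com; sid:2007808; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cashpoint.com Related checkin User-Agent (okcpmgr)"; flow:established,to_server; content:"|0d 0a|User-Agent\: okcpmgr|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007810; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cashpoint.com; sid:2007810; rev:2;)
#by Darren Spruell
# Cbeplay/DownloaderExchanger check-in: a POST whose body carries the form keys os=, ver=, idx=, user=,
# ioctl=, data= in that order (each content is chained with distance:0 to the previous match).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DownloaderExchanger/Cbeplay Variant Checkin"; flow:to_server,established; content:"POST "; depth:5; nocase; content:"|0d 0a 0d 0a|os="; nocase; content:"&ver="; nocase; distance:0; content:"&idx="; nocase; distance:0; content:"&user="; nocase; distance:0; content:"&ioctl="; nocase; distance:0; content:"&data="; distance:0; nocase; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fCbeplay.B; reference:url,www.secureworks.com/research/threats/ppi/; reference:url,doc.emergingthreats.net/2010217;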
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cbeplay; sid:2010217; rev:3;) #by Jeffrey Brown at synacktip alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Ceckno Reporting to Controller"; flow:established,to_server; dsize:<30; content:"\:2|7c|"; depth:10; content:"|7c|"; distance:0; content:"|7c|"; distance:0; pcre:"/^\d+\x3a\d\x7c\d+\x7c[0-9a-z]+\x7c\d+/i"; flowbits:set,ET.cekno.initial; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008177; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cekno; sid:2008177; rev:4;) alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Ceckno Keepalive from Controller"; flow:established,from_server; dsize:1; content:"1"; flowbits:isset,ET.cekno.initial; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008178; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cekno; sid:2008178; rev:3;) #by Jeffrey Brown alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cinmus.Checkin 1"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?version="; nocase; uricontent:"lversion="; nocase; uricontent:"&mac="; nocase; uricontent:"&fid="; nocase; uricontent:"&vpc="; nocase; uricontent:"&run="; nocase; uricontent:"&from="; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2008623; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cinmus; sid:2008623; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cinmus.Checkin 2"; flow:to_server,established; content:"GET "; depth:4; uricontent:"?fid="; nocase; uricontent:"&kid="; nocase; uricontent:"&cnt="; nocase; uricontent:"&mac="; nocase; uricontent:"&kw="; nocase; uricontent:"&from="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008624; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Cinmus; sid:2008624; rev:2;) #matt 
jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citi-bank.ru Related Trojan Checkin"; flow:established,to_server; uricontent:".php?hid=NT"; nocase; uricontent:"&wp="; nocase; uricontent:"&sp="; nocase; uricontent:"&eep="; nocase; uricontent:"&edp="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008153; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Citi-bank.ru; sid:2008153; rev:2;) #by Marcus at unsober, re 68926f2883af13d6001126aae4345dab alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rootkit.Win32.Clbd.cz Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php"; content:"gd="; content:"=="; within:20; content:"&affid="; content:"="; within:5; content:"&subid="; content:"=="; within:5; content:"&prov="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008442; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Clbd.cz; sid:2008442; rev:3;) #by darren spruell alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Clod/Sereki Communication with C&C"; flow:established,to_server; uricontent:".php?id="; nocase; uricontent:"&cnt="; nocase; pcre:"/\.php\?id=\d+_[0-9a-f]{8}-[0-9a-f]+-[0-9a-f]{8}&cnt=/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa; reference:url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319; reference:url,doc.emergingthreats.net/2010289; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Clod; sid:2010289; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Clod/Sereki Checkin with C&C (noalert)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/chck.dat"; nocase; content:!"|0d 0a|User-Agent|3a|"; nocase; 
content:!"|0d 0a|Referer|3a|"; nocase; flowbits:set,ET.clod1; flowbits:noalert; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa; reference:url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319; reference:url,doc.emergingthreats.net/2010290; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Clod; sid:2010290; rev:4;)
# Server half of the Clod/Sereki pair: fires on a "!chckOK!" response body only when the (noalert)
# request rule 2010290 has already set ET.clod1 on this flow.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Clod/Sereki Checkin Response"; flow:established,from_server; dsize:<350; content:"|0d 0a 0d 0a|!chckOK!"; nocase; flowbits:isset,ET.clod1; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSereki.A; reference:url,www.threatexpert.com/report.aspx?md5=bbb6ac2181dbbe15efd13c294cb991fa; reference:url,www.threatexpert.com/report.aspx?md5=3c39bfc78fcf3fe805c7472296bf6319; reference:url,doc.emergingthreats.net/2010291; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Clod; sid:2010291; rev:2;)
#by jeffrey brown
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Codesoft PW Stealer Email Report Outbound"; flow:established,to_server; content:"|0d 0a|Subject|3a| Codesoft PW Stealer"; content:"******STEAM PASS STEALER*******"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008310; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_CodeSoft; sid:2008310; rev:2;)
#by Kevin Ross
# NOTE(review): this rule keys on a single hard-coded destination IP plus a generic file name
# (/GeoIP.dat.gz). It goes blind the moment that host changes address, and any legitimate
# GeoIP.dat.gz download from that same host fires it too -- hence the "Possible" in the message.
# Treat hits as a lead, not a confirmation.
alert tcp $HOME_NET any -> 67.15.94.80 $HTTP_PORTS (msg:"ET TROJAN Possible Downadup/Conficker-A Worm Activity"; flow:to_server,established; uricontent:"/GeoIP.dat.gz"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A;
reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; reference:url,doc.emergingthreats.net/bin/view/Main/2008802; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; sid:2008802; rev:5;)
# By RPG and Jack Pepper, modified by thierry chich and darren spruell
# The second pcre (Host header must be a bare dotted-quad) is what separates this from ordinary
# "/search?q=" traffic to real search engines; keep it if the rule is ever tuned.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A or B Worm reporting"; flow:to_server,established; uricontent:"/search?q="; pcre:"/^\/search\?q=[0-9]{1,3}(&aq=7(\?[0-9a-f]{8})?)?$/U"; pcre:"/\x0d\x0aHost\: \d+\.\d+\.\d+\.\d+\x0d\x0a/"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; sid:2009024; rev:9;)
# NOTE(review): unlike 2009024 this variant has no Host-is-an-IP check and its pcre is unanchored, so
# "/search?q=<digits>&aq=<digit>" to any host matches; expect hits on legitimate search traffic.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A Worm reporting"; flow:to_server,established; uricontent:"/search?q="; uricontent:"&aq="; pcre:"/\/search\?q\=\d+&aq=\d/mi"; classtype:trojan-activity; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009114; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; sid:2009114; rev:3;)
#by Tillman Werner
# NOTE(review): the text below is damaged in this copy of the file. The Conficker.a shellcode rule
# loses everything after "|ed c4 c4 c4 94|&", the Conficker.b shellcode rule has lost both its header
# and its tail, and the Conficker-C UDP ping rule (sid 2009205) has lost its header -- it looks like
# everything between a literal '<' inside a content string and the next '>' was stripped when the
# file was extracted. Do not load this line as-is; restore the three rules from the upstream rule set.
# Note also that 2009205's sibling rules (2009206-2009208, next line) are commented out, so 2009205
# was probably disabled as well; on its own, a byte_test on one bit plus a rate threshold will fire
# for any source that sends enough UDP packets with that bit set.
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"ET TROJAN Conficker.a Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|& $HOME_NET 445 (msg:"ET TROJAN Conficker.b Shellcode"; flow:established,to_server; content:"|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|& $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)"; dsize:>19; byte_test:1, &, 1, 19;
threshold: type both, track by_src, count 95, seconds 50; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; reference:url,doc.emergingthreats.net/2009205; sid:2009205; rev:4;) #alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)"; dsize:>19; byte_test:1, &, 4, 19; threshold: type both, track by_src, count 95, seconds 40; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; reference:url,doc.emergingthreats.net/2009206; sid:2009206; rev:4;) #alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)"; dsize:>19; byte_test:1, &, 5, 19; threshold: type both, track by_src, count 95, seconds 40; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; reference:url,doc.emergingthreats.net/2009207; sid:2009207; rev:4;) #alert udp $HOME_NET [!1720,!1722,!2427,!5060,1024:] -> $EXTERNAL_NET [!1720,!1722,!2427,!5060,1024:] (msg:"ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)"; dsize:>19; byte_test:1, &, 16, 19; threshold: type both, track by_src, count 95, seconds 40; classtype:trojan-activity; reference:url,mtc.sri.com/Conficker/addendumC/; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/TROJAN_Conficker; reference:url,doc.emergingthreats.net/2009208; sid:2009208; rev:4;) #by Daniel Clemens alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Conficker/KernelBot/MS08-067 related Trojan 
Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/kernel/zz.htm?"; uricontent:"Ver="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008737; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; sid:2008737; rev:7;) #by David Wharton alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious Accept-Language HTTP Header, zh-cn, likely Kernelbot/Conficker Trojan Related"; flow:established,to_server; content:"|0d 0a|Accept-Language|3A| zh|2D|cn"; flowbits:set,ET.ms08067_header; flowbits:noalert; classtype:not-suspicious; reference:url,doc.emergingthreats.net/bin/view/Main/2008738; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; sid:2008738; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Conficker/MS08-067 Worm Traffic Outbound"; flowbits:isset,ET.ms08067_header; flow:established,to_server; content:"If-None-Match|3A| |22|60794|2D|12b3|2D|e4169440|22|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/2008739; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Conficker; sid:2008739; rev:6;) #by Philipp Bescht alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN contacy.info Trojan Checkin (User agent clk_jdfhid)"; flow:to_server,established; content:"|0d 0a|User-Agent\: clk_jdfhid|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008399; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Contacy.info; sid:2008399; rev:3;) #by Joe Stewart of Secureworks alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Coreflood/AFcore Trojan Infection"; flow:to_server; content:"POST|20|/c/a"; byte_test:1,<,64,0,relative; content:"HTTP/1.0|0d0a|Host|3a20|"; within:21; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/coreflood; 
reference:url,doc.emergingthreats.net/2008434; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Coreflood; sid:2008434; rev:3;) #modified version for new variants, matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Coreflood/AFcore Trojan Infection (2)"; flow:to_server; content:"POST "; depth:5; content:"HTTP/1.0|0d 0a|Host|3a 20|"; content:"|0d 0a 0d 0a|r="; content:"&i="; distance:0; content:"&v="; distance:0; content:"&os="; distance:0; content:"&s="; distance:0; content:"&h="; distance:0; content:"&d="; distance:0; content:"&panic"; distance:0; content:"&ie=&"; distance:0; content:"input="; distance:0; content:"&c="; distance:0; classtype:trojan-activity; reference:url,www.secureworks.com/research/threats/coreflood; reference:url,doc.emergingthreats.net/2008443; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Coreflood; sid:2008443; rev:2;) # Submitted 2008-06-26 by Darren Spruell alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoreFlooder.Q Data Posting"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/upload"; nocase; uricontent:"file="; nocase; uricontent:"&id="; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008352; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/VIRUS_Coreflood; sid:2008352; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoreFlooder.Q C&C Checkin"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/a?"; nocase; content:"|0d 0a 0d 0a|wg="; nocase; content:"&cn="; nocase; content:"&i="; nocase; content:"&panic="; nocase; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FCOREFLOOD%2EQ; 
classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008353; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/VIRUS_Coreflood; sid:2008353; rev:4;) #matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoreFlooder C&C Checkin (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/index.php"; nocase; content:"|0d 0a 0d 0a|r="; content:"&i="; distance:0; content:"&v="; distance:0; content:"&os="; distance:0; content:"&panic="; distance:0; content:"&input="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009287; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/TROJAN/VIRUS_Coreflood; sid:2009287; rev:1;) #by matt jonkman, Proxy.Corpes.j 0fe727c2779b6891697db8f768b6d34b alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Proxy.Corpes.j Infection Report"; flow:established,to_server; uricontent:".php?tma="; uricontent:"&mode="; pcre:"/mode=\d+D[0-9A-F]{150}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008144; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Corpes; sid:2008144; rev:3;) #by Jeffrey Brown, re 35546d9972aed2a5fec2c4e1136730a3 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Crypt.nc Checkin"; flow:to_server,established; uricontent:".php?l="; uricontent:"&d="; uricontent:"&ver="; uricontent:"&rvz1="; uricontent:"&rvz2="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008567; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Crypt; sid:2008567; rev:2;) #matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Crypt.CFI.Gen Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|User-Agent\: BIE|0d 0a|"; content:"|0d 0a 0d 0a|cname="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009204; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Crypt; sid:2009204; rev:2;) #matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DMSpammer HTTP Post Checkin (1)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/stat1.php"; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; Synapse)|0d 0a|"; content:"|0d 0a 0d 0a|x|9c|"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008271; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DMSpammer; sid:2008271; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DMSpammer HTTP Post Checkin (2)"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/stat2.php"; content:"|0d 0a|User-Agent\: Mozilla/4.0 (compatible\; Synapse)|0d 0a|"; content:"|0d 0a 0d 0a|x|9c|"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008272; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DMSpammer; sid:2008272; rev:2;) #matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DNS Changer HTTP Post Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|x="; content:!"|0d 0a|User-Agent\: "; pcre:"/x=[0-9a-zA-Z]{50}/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008263; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DNS_Changer; sid:2008263; rev:3;) #By pedromarinho and matt jonkman. 
# Downloader.Agent.bnm / dnschange.bnm and related variants.
# Flow: 2008805 silently (noalert) marks the 8-byte channel-start packet with ET.dlbnm1; 2008806 then
# alerts on the 4-byte server reply only on a flow that already carries that bit.
# NOTE(review): in sids 2008807 and 2008808 the bytes "c0 a8 01 1e" decode to 192.168.1.30, which looks
# like the address of the machine the sample was detonated on, baked into the pattern. If so, these
# two rules only fire for an infected host that happens to have that exact IP; verify against the
# sample and drop or shorten that anchor if it is host-specific.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start"; flow:established,to_server; dsize:8; content:"|0b 01 00 00 00 00 00 00|"; classtype:trojan-activity; flowbits:noalert; flowbits:set,ET.dlbnm1; reference:url,doc.emergingthreats.net/2008805; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DNS_Changer; sid:2008805; rev:2;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 1024: (msg:"ET TROJAN DNS Changer.bnm/Downloader.bnm CnC Channel Start Response"; flow:established,from_server; dsize:4; content:"|0b 01|"; depth:2; content:"|00|"; distance:1; within:1; classtype:trojan-activity; flowbits:isset,ET.dlbnm1; reference:url,doc.emergingthreats.net/2008806; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DNS_Changer; sid:2008806; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Start"; flow:established,to_server; dsize:32; content:"|00 00 00 00 c0 a8 01 1e 67 00 00 00 00|"; depth:13; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008807; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DNS_Changer; sid:2008807; rev:3;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN DNS Changer.bnm/Downloader.bnm Second CnC Channel Traffic"; flow:established,to_server; dsize:32; content:"|55 d8 09 00 c0 a8 01 1e 67 00 00 00 00|"; depth:13; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008808; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DNS_Changer; sid:2008808; rev:3;)
#by matt jonkman, re 94ff9b9a3b40c3f21e4fac3a7712b6a6
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN DNSChanger.AT or related Infection Checkin Post"; flow:established,to_server; content:"POST /cgi-bin/generator HTTP/1.0|0d 0a|Content-Length\: "; depth:50;
content:"|0d 0a 0d 0a|"; within:10; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008940; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_DNS_Changer; sid:2008940; rev:3;)
#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Daemonize.ft HTTP Checkin"; flow:established,to_server; uricontent:".php?v="; nocase; uricontent:"&rnd="; nocase; uricontent:"&u=00"; nocase; uricontent:"&s="; nocase; uricontent:"&id="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008086; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Daemonize; sid:2008086; rev:2;)
#by darren spruell
# The "SS:" and "Xost:" header names are presumably the malware's own malformed headers and are the
# rule's discriminator -- they are not typos in the signature, so do not "correct" them to Host:.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Daonol C&C Communication"; flow:established,to_server; uricontent:"/x/?0"; nocase; content:"|0d 0a|SS|3a|"; nocase; content:"|0d 0a|Xost|3a|"; nocase; pcre:"/\/x\/\?0\w{35}$/U"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fDaonol; reference:url,blog.fireeye.com/research/2009/10/gumblar-not-gumby.html; reference:url,www.iss.net/threats/gumblar.html; reference:url,blog.scansafe.com/journal/2009/10/15/gumblar-website-botnet-awakes.html; reference:url,doc.emergingthreats.net/2010164; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Daonol; sid:2010164; rev:3;)
#Matt Jonkman
# This trojan sends an email to its owner with stats and such; the rule below ought to catch it.
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.Delf Infection - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Maquina.."; nocase; content:"Vers|e3|o do Windows"; nocase; content:"Microsoft Windows"; nocase; content:"Mac Address.."; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002976; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2002976; rev:7;) #another variant alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.Delf Infection variant 2 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Nome Computador\: "; nocase; content:"Data\: "; nocase; content:"Windows\: Microsoft Windows "; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002978; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2002978; rev:4;) #Yet another alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.Delf Infection variant 3 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Subject\: INFECT - "; nocase; content:"Data\: "; nocase; content:"Windows\: Microsoft Windows "; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002980; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2002980; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Banker.Delf Infection variant 4 - Sending Initial Email to Owner"; flow:established,to_server; content:"X-Library\: Indy 9"; nocase; content:"Maquina"; 
nocase; content:"IP"; nocase; content:"Hora"; nocase; content:"Data"; nocase; content:"Microsoft Windows "; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2002981; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2002981; rev:3;) #from sandnet data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Varlok_11000)"; flow:established,to_server; content:"User-Agent\: Varlok_"; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2003931; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2003931; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Ms)"; flow:established,to_server; content:"User-Agent\: Ms|0d 0a|"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2003933; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2003933; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (hhh)"; flow:established,to_server; content:"User-Agent\: hhh"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2004442; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2004442; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (Mz)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Mz|0d 0a|"; classtype:trojan-activity; 
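reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2007594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007594; rev:5;)
# Cloned from the "Mz" rule (2007594) above. Its doc reference was still the one inherited from
# 2007594; it now points at the rule's own sid like every other rule in this file, and rev is bumped
# for the metadata change. Detection logic is unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (MzApp)"; flow:established,to_server; content:"|0d 0a|User-Agent\: MzApp|0d 0a|"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/section/details/id_vir/1836/tr_banker.delf.df735649.html; reference:url,doc.emergingthreats.net/2009988; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2009988; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Banker.Delf User-Agent (WINDOWS_LOADS)"; flow:established,to_server; content:"User-Agent\: WINDOWS_LOADS"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007699; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007699; rev:3;)
#yet another c&c method, by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf HTTP Checkin (1)"; flow:established,to_server; uricontent:"/mydown.asp?"; nocase; uricontent:"reg="; nocase; uricontent:"&ver="; nocase; uricontent:"&tgid="; nocase; uricontent:"&address="; nocase; uricontent:"&mydo="; nocase; uricontent:"&flag="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007838; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007838; rev:2;)
# Delf keylogger upload over FTP. Loose by design: it fires on any STOR whose file name contains
# " Keylogger [" followed within 40 bytes by "].txt", so a benign file named that way also trips it.
# Treat hits as a lead and confirm with the contents of the FTP session.
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Delf Keylog FTP Upload"; flow:established,to_server; content:"STOR "; depth:5; content:" Keylogger ["; nocase; distance:5; within:50; content:"].txt|0d 0a|"; nocase; distance:5; within:40; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007858;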
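reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007858; rev:2;)
# Delf HTTP POST checkin: body is flagged as image/gif but starts with a zlib header (78 DA),
# and the request carries no User-Agent header at all.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf HTTP Post Checkin (1)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php"; nocase; content:"|0d 0a|Content-type\: image/gif|0d 0a 0d 0a|x|da|"; content:!"|0d 0a|User-Agent\: "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007867; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007867; rev:2;)
#by Victor Julien
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Download via HTTP"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/mdfexcute/"; content:"Windows 98)"; depth:200; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007911; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007911; rev:2;)
#by matt jonkman
# Non-HTTP C&C on any ephemeral port: short packet beginning with the misspelled "VERSON:".
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Delf/Hupigon C&C Channel Version Report"; flow:established,to_server; dsize:<25; content:"VERSON\:"; depth:7; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007930; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007930; rev:3;)
#by matt jonkman
# NOTE(review): 2007954 (Downloader.49651 Online Report, below) matches the same /up.html?set=...pid=...mac=
# pattern with a looser "pid=" token, so both sids fire on the same request. Consider consolidating.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (up)"; flow:established,to_server; uricontent:"/up.html?"; nocase; uricontent:"set="; nocase; uricontent:"&pid="; nocase; uricontent:"&MAC="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007939; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2007939; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (5)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php"; nocase; content:"|0d 0a|email="; nocase; content:"&computador="; nocase; distance:0; content:"&nomfile="; nocase; distance:0; content:"&user="; nocase; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008044; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2008044; rev:2;)
#by matt jonkman
#re sample 41c62970ea34413c4011b220724bf029
# Three-stage flowbits chain for the binary Delf C&C handshake: 2008006 tags the flow silently
# (flowbits:noalert), 2008007 alerts on the server reply and sets the second bit, 2008008 alerts
# on the client's follow-up. NOTE(review): the bit names ET.unk.1 / ET.unk.2 are generic; flowbits
# share one namespace across the whole ruleset, so any other rule using the same names would
# cross-talk with this chain. Renaming to something like ET.Delf.CnC.1 would avoid that.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Delf CnC Channel Packet 1"; flowbits:isnotset,ET.unk.1; flow:established,to_server; dsize:<200; content:"|8e 00 d0 00|"; depth:4; flowbits:set,ET.unk.1; flowbits:noalert; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008006; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2008006; rev:6;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Delf CnC Channel Packet 1 reply"; flowbits:isset,ET.unk.1; flow:established,from_server; dsize:<15; content:"|05 00 00 00|"; depth:4; flowbits:set,ET.unk.2; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008007; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2008007; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Delf CnC Channel Checkin Replies"; flowbits:isset,ET.unk.2; flow:established,to_server; dsize:<20; content:"|09 00 00 00|"; depth:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008008; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2008008; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Delf CnC Channel Keepalive Pong"; flow:established,to_server; dsize:<40; content:"|20 00 00 00 f8 4d b2 77|"; depth:8; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008009; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2008009; rev:5;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Delf CnC Channel Keepalive Ping"; flow:established,from_server; dsize:22; content:"|12 00 00 00 1c 5e|"; depth:6; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008010; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2008010; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (6)"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?v="; nocase; uricontent:"&u="; nocase; uricontent:"&t="; nocase; uricontent:"&p="; nocase; uricontent:"&=w"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008071; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2008071; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (7)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php?macros="; nocase; uricontent:"&botstatus="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008090; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2008090; rev:2;)
# "Mozilla/3.0 (compatible; Indy Library)" is the default UA of the Delphi Indy HTTP component, so
# the POST-to-.php plus "name=" body constraints are what keep this from firing on legitimate Indy apps.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (8)"; flow:established,to_server; content:"POST "; depth:5; uricontent:".php"; nocase; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)"; content:"|0d 0a 0d 0a|name="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008268; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2008268; rev:2;)
#matt jonkman
# NOTE(review): the runs of "?" in the two uricontent values are literal question marks as written.
# They look like characters that could not be represented when the sample URL was transcribed; if so,
# real traffic would carry the original bytes (or %-encoding) and this rule would never match.
# Confirm against the sample pcap before relying on it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Key Checkin (Clicker.Win32.Delf.afl)"; flow:established,to_server; uricontent:".php?key=???????+????????????"; uricontent:"+Dial-up+??????+?+??????????????"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008666; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2008666; rev:2;)
#victor julien
# Ikarus: Trojan.Delf-5496,
# re 462ee0f70fae7e7f29e546069e43484e
# Pipe-delimited plaintext RAT protocol on ephemeral ports (both ends 1024:). The content strings
# are the bot's own misspellings and must stay byte-exact.
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Trojan.Delf-5496 Checkin Error"; flow:established,to_server; dsize:350<>450; content:"Erorr File active\;sorry file erorr plaes down file agen"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008905; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2008905; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Trojan.Delf-5496 Egg Request"; flow:established,to_server; dsize:<35; content:"|7c|CreateForm|7c|FileTransfer|7c|"; depth:29; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008906; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2008906; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Trojan.Delf-5496 File Manager Access Report"; flow:established,to_server; dsize:<35; content:"|7c|CreateForm|7c|FileManager|7c|"; depth:30; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008907; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2008907; rev:2;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Trojan.Delf-5496 New Infection Report"; flow:established,to_server; dsize:<500; content:"|7c|OnConnect|7c|New Server|7c|"; depth:29; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008908; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; sid:2008908; rev:2;)
# by: Jeremy Conway at sudosecure.net
#ref: d253db84a6d08dbeec6426c4c4d212a6
# NOTE(review): "tip=" with depth:4 requires the POST body to be the first bytes of the inspected
# payload, i.e. the body must arrive in its own segment after the headers (the "followon PUSH packet"
# in the msg). If client-side stream reassembly merges headers and body, the payload starts with
# "POST" and this rule will not match. Verify behaviour under your stream configuration.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Delf followon POST Data PUSH Packet"; flow:established,to_server; content:"tip="; depth:4; nocase; content:"&cli="; nocase; content:"&tipo="; nocase; reference:url,www.threatexpert.com/threats/trojan-downloader-win32-delf.html; reference:url,doc.emergingthreats.net/2009824; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delf; classtype:trojan-activity; sid:2009824; rev:4;)
#by sjirkdog
#re 146244b0d5cce3d21719ad94d650a82f
#traffic was on port 2009 in the sample (the current year when it was captured); that port could be
#used to tighten the source port if the C&C proves to keep using it.
# Exactly 9 bytes: 05 00 00 00 at offset 0, then 0xCD as the final byte (offset 8).
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Delfsnif/Buzus.fte Remote Response"; flow:established,from_server; dsize:9; content:"|05 00 00 00|"; depth:4; content:"|cd|"; distance:4; within:1; classtype:trojan-activity; reference:url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html; reference:url,doc.emergingthreats.net/2009079; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Delfsnif; sid:2009079; rev:2;)
#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Densmail.com Related Trojan Checkin"; flow:established,to_server; uricontent:"/cc.php"; nocase; uricontent:"v="; nocase; uricontent:"&rnd="; nocase; pcre:"/v=\d+&rnd=\d+/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007822; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Densmail.com; sid:2007822; rev:2;)
#By Scott Melnick
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer"; flow: established,to_server; uricontent:"/getnumtemp.asp?nip=0"; nocase; reference:url,isc.sans.org/diary.php?storyid=1388; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003083; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers; sid:2003083; rev:3;)
#Matt Jonkman from sandnet data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer-715 Install Checkin"; flow: established,to_server; uricontent:"/perl/invoc_oneway.pl"; nocase; uricontent:"?id_service="; nocase; uricontent:"&nom_exe="; nocase; uricontent:"&skin="; nocase; uricontent:"&id_produit="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003650; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers; sid:2003650; rev:3;)
#by Scott Melnick from sandnet data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer-967 User-Agent"; flow:to_server,established; content:"User-Agent\: del|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006364; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers; sid:2006364; rev:3;)
#matt jonkman from sandnet data, updated by darren spruell
# NOTE(review): every uricontent here is a one- or two-letter parameter name ("c=", "&v=", "&b=", ...)
# with no ordering constraint between them, so any .php URL that happens to carry these short
# parameters will match ("c=" also matches inside "src=", "pic=", etc.). Expect false positives;
# adding distance:0 chaining or a pcre fixing the observed parameter order would tighten it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Nebuler/Dialer.qn HTTP Request - Checkin"; flow:established,to_server; uricontent:".php?"; uricontent:"c="; uricontent:"&v="; uricontent:"&b="; uricontent:"&id="; uricontent:"&cnt="; uricontent:"&q="; classtype:trojan-activity; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-051916-2518-99&tabid=2; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Trojan%3aWin32%2fNebuler.gen!D; reference:url,www.threatexpert.com/report.aspx?md5=e9f1f226ff86e72c558e9a9da32c796d; reference:url,doc.emergingthreats.net/2007743; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers; sid:2007743; rev:4;)
#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer.MC(vf) HTTP Request - Checkin"; flow:established,to_server; uricontent:".php?"; uricontent:"mode="; uricontent:"&PartID="; uricontent:"&mac="; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; Indy Library)|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007913; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers; sid:2007913; rev:2;)
#by Deapesh Misra
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer.Trojan Activity"; flow: to_server,established; uricontent:"/dialer_min/getnum.asp?nip"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008345; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers; sid:2008345; rev:2;)
#by jholguin
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Dialer.buv Sending Information Home"; flow:established,to_server; uricontent:"/exit.php?if="; nocase; content:"&cl="; content:"&id="; content:"&ov="; content:"&site="; content:"&tk="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008430; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers; sid:2008430; rev:2;)
#by Marcus at unsober
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32 Dialer Variant"; flow:established,to_server; content:"GET "; depth:4; uricontent:"icp="; uricontent:"&id_site="; uricontent:"&dl_tracker"; uricontent:"&connection_type="; uricontent:"&asked_mdl_id="; uricontent:"&dialer="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008441; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers; sid:2008441; rev:3;)
#by pedro marinho
#143fd8452113d6feb651ea89bb5f3e50
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dialer.Win32.E-Group.n Checkin"; flow:to_server,established; uricontent:"login="; nocase; uricontent:"&brokerid="; nocase; uricontent:"&extlogin="; nocase; uricontent:"&autosize="; nocase; uricontent:"&icp="; nocase; uricontent:"&id_site="; nocase; uricontent:"&dl_tracker="; nocase; uricontent:"&connection_type="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008490; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers; sid:2008490; rev:4;)
#by pedro and jerry
# NOTE(review): the detection options of 2010603 are identical to 2008441 above (same header, same
# uricontent set); every matching request produces two alerts. One of the two should be retired.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32 Dialer Variant checkin (id_site)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"icp="; uricontent:"&id_site="; uricontent:"&dl_tracker"; uricontent:"&connection_type="; uricontent:"&asked_mdl_id="; uricontent:"&dialer="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010603; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers; sid:2010603; rev:1;)
#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper Checkin (often scripts.dlv4.com related)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/Common/module.php?"; nocase; uricontent:"brokerid="; nocase; uricontent:"&product="; nocase; uricontent:"&customid="; nocase; uricontent:"&mediaid="; nocase; uricontent:"&no_product_name="; nocase; uricontent:"&extlogin="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers; sid:2010458; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper Checkin 2 (often scripts.dlv4.com related)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/Common/module.php?"; nocase; uricontent:"&isautogeneratedpage="; nocase; uricontent:"&dialer="; nocase; uricontent:"&p2e="; nocase; uricontent:"&nohit="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010932; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dialers; sid:2010932; rev:1;)
#by Matt Jonkman
# Case-sensitive match on a lower-case "User-agent: cv_v" header. 2007926 (Downloader_General, below)
# matches the same "cv_v" prefix with nocase, so both sids fire on this exact header.
# rev 4: corrected the Symantec reference host ("ww." -> "www.").
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Diazom Trojan User-Agent in Use (cv_v2.0.1)"; flow:established,to_server; content:"User-agent\: cv_v"; classtype:trojan-activity; reference:url,www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-032316-0426-99&tabid=2; reference:url,doc.emergingthreats.net/2003598; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Diazom; sid:2003598; rev:4;)
#this is similar to 2008942, but this trojan doesn't add a host header
#by victor julien
# Internal-to-internal: an infected host probing a D-Link router's setup page with a bare 33-byte
# HTTP/1.0 request (no headers at all, hence the negated Host match).
alert tcp $HOME_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN dlink router access attempt"; flow:established,to_server; content:"GET /dlink/hwiz.html HTTP/1.0|0d 0a 0d 0a|"; depth:33; content:!"|0d 0a|Host\: "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008945; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dlink_Home_Router_Access; sid:2008945; rev:3;)
#by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Donbot Connect to CnC"; flow:established,to_server; dsize:7; content:"HALLO|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008450; reference:url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html; reference:url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Donbot; sid:2008450; rev:4;)
# NOTE(review): the other three field matches use |3a 20| (": ") but the Session field uses |31 20|
# ("1 "). That may be genuine protocol ("Session1 ") or a typo for |3a 20|; confirm against a capture
# before changing. The cvsweb reference also points at TROJAN_Buzus rather than TROJAN_Donbot.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Donbot Report to CnC"; flow:established,to_server; content:"HASH|3a 20|"; depth:6; content:"|0d 0a|ID|3a 20|"; distance:0; content:"|0d 0a|Session|31 20|"; distance:0; content:"|0d 0a|RBL|3a 20|"; reference:url,blog.fireeye.com/research/2009/10/a-little_more_on_donbot.html; reference:url,www.avertlabs.com/research/blog/index.php/2009/04/05/donbot-joining-the-club-of-million-dollar-botnets/; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008451; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Buzus; sid:2008451; rev:3;)
# by: Jeremy Conway at sudosecure.net
# ref: 703432baec9fbd9ffed5fa2af0510166
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader (Win32.Doneltart) Checkin - HTTP GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?open="; nocase; uricontent:"&myid="; nocase; content:!"|0d 0a|User-Agent\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009814; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Doneltart; sid:2009814; rev:2;)
#by Marcus at unsober
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Donkeyp2p Update Detected"; flow:established,to_server; content:"GET "; depth:4; uricontent:"donkeyp2p.php"; uricontent:"?kind="; uricontent:"&args="; uricontent:"&ver="; uricontent:"&uniq="; uricontent:"&dllver="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008364; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Donkeyp2p; sid:2008364; rev:2;)
#by matt jonkman
#also called Trojan.Dropper.RRM and Trojan.Win32.Inject.adt
# Symmetric 16-byte C&C frames starting with "1SCD\0\0"; one rule per direction.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Dorf/Win32.Inject.adt C&C Communication Outbound"; flow:established,to_server; dsize:16; content:"1SCD|00 00|"; depth:6; offset:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008031; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dorf; sid:2008031; rev:3;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Dorf/Win32.Inject.adt C&C Communication Inbound"; flow:established,from_server; dsize:16; content:"1SCD|00 00|"; depth:6; offset:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008032; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dorf; sid:2008032; rev:3;)
#by darren spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dosenjo/Kvadr Proxy Trojan Activity"; flow:established,to_server; uricontent:"hingDeny="; nocase; uricontent:"&id="; nocase; pcre:"/\?ca[sc]hingDeny=[0-9A-Za-z]{16}&/U"; classtype:trojan-activity; reference:url,www.f-secure.com/v-descs/trojan-proxy_w32_kvadr_gen!a.shtml; reference:url,www.threatexpert.com/report.aspx?md5=fd2d6bb1d2a9803c49f1e175d558a934; reference:url,www.threatexpert.com/report.aspx?md5=e4664144f8e95cfec510d5efa24a35e7; reference:url,doc.emergingthreats.net/2010334; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dosenjo; sid:2010334; rev:2;)
#Matt Jonkman, thanks to the Clam guys for the information and sample
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader-1355 Checking In"; flow:established,to_server; uricontent:"/adload.php?a1="; nocase; uricontent:"a3="; nocase; uricontent:"&a4="; nocase; uricontent:"&a5="; nocase; content:!"User-Agent\:"; content:"Host\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003408; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader-1355; sid:2003408; rev:3;)
# by axn jxn
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader-5265/Torpig/Anserin/Sinowal Unique UA (MSID [...)"; flow:established,to_server; content:"User-Agent\: MSID ["; nocase; depth:320; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003590; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader-5265; sid:2003590; rev:5;)
#by Matt Jonkman
#from sandnet analysis
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Dluca HTTP Checkin"; flow:established,to_server; uricontent:"?id={"; nocase; uricontent:"&srv="; nocase; uricontent:"&ver="; nocase; uricontent:"&docid="; nocase; uricontent:"&time="; nocase; uricontent:"&cstate="; nocase; uricontent:"&state="; nocase; uricontent:"&flash="; nocase; uricontent:"&pin="; nocase; uricontent:"&OSInfo2="; nocase; uricontent:"&cinfo="; nocase; uricontent:"&smd="; nocase; uricontent:"&rts="; nocase; uricontent:"&retryattempt="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007595; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007595; rev:4;)
#Sigs for general downloader trojans and worms. Not all get unique names
#by Matt Jonkman. Saw a downloader appending ver7 to the end of a regular UA. No spaces. very unique
# The fast-pattern content ")ver" within 100 bytes of the UA header prefilters; the pcre then requires
# ")ver<digit>" somewhere on the User-Agent line itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"|0d 0a|User-Agent\: "; nocase; content:")ver"; within:100; pcre:"/User-Agent\:[^\n]+\)ver\d/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003380; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003380; rev:5;)
#from castlecops research, http://www.castlecops.com, sig by Matt Jonkman
# rev 5: fixed the msg typo "5ser Agent" -> "User Agent" so the alert text matches the sibling rules.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Small User Agent Detected (NetScafe)"; flow:established,to_server; content:"|0d 0a|User-Agent\: NetScafe"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003641; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003641; rev:4;)
#Reports of false positives here, the UA is legitimately used by Microsoft VB components. Scheduled to be deleted in a week or so. Do not recommend using this
#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Microsoft URL Control -"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003646; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003646; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Irc.MFV User Agent Detected (IRC-U)"; flow:established,to_server; content:"|0d 0a|User-Agent\: IRC-U v"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003647; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003647; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Clicker.BC User Agent Detected (linkrunner)"; flow:established,to_server; content:"|0d 0a|User-Agent\: linkrunner"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003648; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2003648; rev:4;)
#generic downloader and bot checkin url, found in Backdoor.Win32.Small.or
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bot Backdoor Checkin/registration Request"; flow:established,to_server; uricontent:"/remote.php?"; nocase; uricontent:"os="; nocase; uricontent:"&user="; nocase; uricontent:"&status="; nocase; uricontent:"&version="; nocase; uricontent:"&build="; nocase; uricontent:"&uptime="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006366; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2006366; rev:4;)
#by Scott Melnick and Andre
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Agent.bwr"; flow:established,to_server; uricontent:"?m="; nocase; uricontent:"&a="; nocase; uricontent:"&hdd="; nocase; uricontent:"&os="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006377; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2006377; rev:3;)
#from sandnet analysis, by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Matcash or related downloader User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent\: x"; pcre:"/User-Agent\: x\w\wx\w\w\!x\w\wx\w\wx\w\w/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006382; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2006382; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader User-Agent Detected (Windows Updates Manager|3.12|...)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Windows Updates Manager|7c|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006387; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2006387; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader User-Agent Detected (ld)"; flow:established,to_server; content:"|0d 0a|User-Agent\: ld|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006394; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2006394; rev:4;)
#sandnet analysis, by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.26001 Url Pattern Detected"; flow:established,to_server; uricontent:"install.php?"; nocase; uricontent:"wall_id="; nocase; uricontent:"&maddr=0"; nocase; uricontent:"&action="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006400; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2006400; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.26001 Url Pattern Detected (lunch_id)"; flow:established,to_server; uricontent:".php?"; nocase; uricontent:"aff_id="; nocase; uricontent:"lunch_id="; nocase; uricontent:"&maddr=0"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006401; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2006401; rev:3;)
#from sandnet data, by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Agent.cav Url Pattern Detected (ping)"; flow:established,to_server; uricontent:"/ping/"; nocase; pcre:"/\/ping\/[0-9a-fA-F]{64}\/[0-9a-fA-F]+\/[0-9a-fA-F]+/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007284; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007284; rev:3;)
#matt jonkman, from sandnet data
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Downloader Checkin URL (GUID+)"; flow:established,to_server; uricontent:"&version="; nocase; uricontent:"&configversion="; nocase; uricontent:"GUID="; nocase; uricontent:"&cmd="; nocase; uricontent:"&p="; nocase; uricontent:"&i="; nocase; uricontent:"&x="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007577; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007577; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Downloader or Virut C&C Ack"; flow:established,to_server; uricontent:"uid="; nocase; uricontent:"&version="; nocase; uricontent:"&actionname="; nocase; uricontent:"&action="; nocase; uricontent:"&success="; nocase; uricontent:"&debug="; nocase; uricontent:"&nocache="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007587; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007587; rev:3;)
#Matt Jonkman, from the sandnet
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Matcash related Trojan Downloader (Ismazo Advanced Loader)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Ismazo"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007633; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007633; rev:5;)
#Matt Jonkman, Trojan-Downloader.Win32.Small.hkp
# NOTE(review): the pcre uses the U (normalized URI buffer) modifier but expects "\sHTTP" after the
# 78-hex-char path. The URI buffer normally ends at the URI itself, without the " HTTP/1.x" version
# token, so as written this pcre may never match; dsize:96 also pins the whole request to one exact
# length. Test against the sample before depending on this sid.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Downloader.Win32.Small.hkp Checkin via HTTP"; flow:established,to_server; dsize:96; content:"GET /"; depth:5; pcre:"/\/[0-9a-f]{78}\sHTTP/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007755; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007755; rev:3;)
# By Jeremy Conway - Possible root kit user agent
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN User-agent DownloadNetFile Win32.small.hsh downloader"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent|3A| DownloadNetFile|0D 0A|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007778; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007778; rev:7;)
# By Jeremy Conway
# Matches the UTF-16LE "[update]" section header and "ver=" key of a stat/config file carried in the
# HTTP response ($EXTERNAL_NET $HTTP_PORTS -> $HOME_NET). The header direction is server->client, so
# the flow keyword must be from_server. rev 4: previous revs said to_server, which contradicts the
# header and prevented the rule from matching normal client-initiated HTTP at all.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Browser HiJacker/Infostealer Stat file"; flow:established,from_server; content:"|5B00|u|00|p|00|d|00|a|00|t|00|e|005D|"; nocase; content:"v|00|e|00|r|00|="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007777; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007777; rev:4;)
#matt jonkman
# POST body key chain anchored on the end of the headers (|0d 0a 0d 0a|bot_id=) and ordered with distance:0.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader General Bot Checking In via HTTP Post (bot_id push)"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|bot_id="; content:"&build_id="; distance:0; content:"&sport="; distance:0; content:"&hport="; distance:0; content:"&ping="; distance:0; content:"&speed="; distance:0; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007831; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007831; rev:2;)
#matt jonkman, sample marked Trojan-Downloader.Win32.Small.htz by fsecure
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader General Bot Checking In - Possible Win32.Small.htz related"; flow:established,to_server; content:"POST "; depth:5; uricontent:"?id="; nocase; content:!"|0d 0a|User-Agent\: "; content:"|0d 0a 0d 0a|proc=[System Process]|0d 0a|"; content:"|0d 0a|&size="; distance:0; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007836; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007836; rev:2;)
#Matt Jonkman, Kaspersky Trojan-Proxy.Win32.Agent.ty
# The "Suspicious User-Agent" rules from here down key on a single short, exact User-Agent value
# (WinInet, Shell, -, --, Yhrbg, Digital, downloaded, wnames, cv_v, https). Nothing else in the
# request is checked, so any legitimate client or script that sends the same literal string will
# trip them. Treat these as low-confidence indicators to be corroborated (destination reputation,
# URI, host history) rather than as standalone infection verdicts, and tune per environment.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (WinInet)"; flow:established,to_server; content:"|0d 0a|User-Agent\: WinInet|0d 0a|"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007837; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007837; rev:2;)
#Matt Jonkman, Kaspersky Trojan-Proxy.Win32.Agent.blm
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Shell)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Shell|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007840; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007840; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (-)"; flow:established,to_server; content:"|0d 0a|User-Agent\: -|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007880; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007880; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (--)"; flow:established,to_server; content:"|0d 0a|User-Agent\: --|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2009352; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2009352; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan-Dropper.Win32.Agent.eut (Yhrbg)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Yhrbg|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007912; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007912; rev:2;)
#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (Digital)"; flow:established,to_server; content:"|0d 0a|User-Agent\: Digital|0d 0a|"; nocase; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2007923; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007923; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (downloaded)"; flow:established,to_server; content:"|0d 0a|User-Agent\: downloaded|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007924; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007924; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (wnames)"; flow:established,to_server; content:"|0d 0a|User-Agent\: wnames|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007925; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007925; rev:2;)
# Overlaps with 2003598 (Diazom, above): this nocase "cv_v" prefix match is a superset of that rule.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (cv_v5.0.0)"; flow:established,to_server; content:"|0d 0a|User-Agent\: cv_v"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007926; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007926; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.49651 Checkin"; flow:established,to_server; uricontent:"/boot.php/boot.php?"; nocase; uricontent:"partner="; nocase; uricontent:"&mac="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007952; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007952; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.49651 Install Report"; flow:established,to_server; uricontent:"/install.php?"; nocase; uricontent:"partner="; nocase; uricontent:"&mac="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007953; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007953; rev:2;)
# See the note on 2007939 (Delf Checkin via HTTP (up)): same /up.html pattern, both sids alert together.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.49651 Online Report"; flow:established,to_server; uricontent:"/up.html?"; nocase; uricontent:"set="; nocase; uricontent:"pid="; nocase; uricontent:"&mac="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007954; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007954; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cygo Checkin"; flow:established,to_server; uricontent:"/count.php?"; nocase; uricontent:"type="; nocase; uricontent:"partner="; nocase; uricontent:"&mac="; nocase; uricontent:"ver="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007955; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007955; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Trojan Checkin"; flow:established,to_server; uricontent:".php?pid="; nocase; uricontent:"mac="; nocase; uricontent:"&amd="; nocase; uricontent:"&win64="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007975; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2007975; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (https)"; flow:established,to_server; content:"|0d 0a|User-Agent\: https|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008019; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008019; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Downloader URL Pattern (/loader/setup.php)"; flow:established,to_server; uricontent:"/loader/setup.php?id="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008076; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008076; rev:2;)
# The pcre pins the full shape: /down<N>/down/?s=<HEX>&t=<d>/<d>/20..., i.e. a hex id and a date ending in a 20xx year.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.VB.CEJ HTTP Checkin"; flow:established,to_server; uricontent:"/down"; uricontent:"/down/?"; uricontent:"s="; uricontent:"&t="; uricontent:"&v="; pcre:"/\/down\d+\/down\/\?s=[A-F0-9]+\&t=\d+\/\d+\/20/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008087; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008087; rev:2;)
# MAC parameter is a dash-separated hardware address whose first octet starts with 0 (e.g. MAC=00-11-22-33-44-55).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Access Count Tracking URL"; flow:established,to_server; uricontent:"/access_count.html?id="; nocase; uricontent:"&MAC=0"; nocase; pcre:"/MAC=0[a-f0-9]-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008132; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008132; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Count Tracking URL"; flow:established,to_server; uricontent:"/install_count.html?id="; nocase; uricontent:"&MAC=0"; nocase; pcre:"/MAC=0[a-f0-9]-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008133; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008133; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Count Tracking URL (partner)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/partner/counter/install.php?pid="; nocase; uricontent:"&cid="; nocase; content:!"|0d 0a|User-Agent\: "; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008134; reference:url,www.threatexpert.com/report.aspx?md5=ea70e0971cc490a15e53d24ad6564403; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008134; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS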
(msg:"ET TROJAN Common Downloader Install Report URL"; flow:established,to_server; content:"GET "; depth:4; uricontent:"a="; nocase; uricontent:"&k="; nocase; uricontent:"&wmid="; nocase; uricontent:"&ucid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008182; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008182; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (pid - mac)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"html?"; nocase; uricontent:"set="; nocase; uricontent:"&pid="; nocase; uricontent:"&mac="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008183; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008183; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (wmid - ucid)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"?a="; nocase; uricontent:"&k="; nocase; uricontent:"&wmid="; nocase; uricontent:"&ucid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008194; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008194; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Downloader Install Report URL (farfly checkin)"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/rpt"; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/^\/rpt\d/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008233; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008233; rev:5;) #matt jonkman, re c611990bfb445edf0bea8a63212ad43a alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Dropper.Win32.Small.avu HTTP Checkin"; flow:established,to_server; 
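uricontent:"m="; uricontent:"&a="; uricontent:"&r="; uricontent:"&os="; uricontent:"00000"; pcre:"/\/s_\d\d_\d+\?/U"; pcre:"/&os=[0-9a-z]{40}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008412; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008412; rev:2;)
#ref: c698327def4db25af87de2caae512955
# Server-to-client: "\r\n\r\nYES\r\n" must sit inside bytes 15-25 of the payload, followed within 4 bytes by "~~".
alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"ET TROJAN Downloader.Agent.ZHO CnC Commands"; flow:established,to_client; content:"|0d 0a 0d 0a|YES|0d 0a|"; offset:15; depth:10; content:"|7e 7e|"; distance:0; within:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008462; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008462; rev:2;)
#Jeremy at sudosecure
# ref: f43842845f8d6213dda8d8739ae8a2b9
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader UserAgent(AutoDL\/1.0)"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: AutoDL|2F|1|2E|0|0D 0A|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008458; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008458; rev:2;)
#by jholguin
#1982f2f77701dfb0f26f51fc7c2978f2
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Downloader.pgp Checkin"; flow:established,to_server; uricontent:"?id="; uricontent:"&e="; uricontent:"&err="; uricontent:"&c="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008492; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008492; rev:2;)
#Sig by Daniel Clemens
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Emo/Downloader.vr Checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php"; uricontent:"v="; uricontent:"&rs="; uricontent:"&n="; uricontent:"&uid="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008546; reference:url,www.malwaredomainlist.com/mdl.php?search=emo+&colsearch=All&quantity=50; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008546; rev:4;)
#by jeremy at sudosecure
# ref: c2a3a87735f8c5e11de82c52c94aefc7
# The User-Agent value must be exactly six digits: the content/distance/within pair boxes the header value, the pcre checks it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Dropper HTTP Bot grabbing config"; flow: to_server,established; uricontent:".txt"; nocase; content:"Pragma|3a| no-cache"; content:"|0d 0a|User-Agent\: "; content:"|0d 0a|"; distance:6; within:8; pcre:"/User-Agent\: \d{6}\x0d\x0a/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008664; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008664; rev:4;)
#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Downloader URL - Post Infection"; flow:established,to_server; uricontent:"/count.jsp?id="; uricontent:"&mac=0"; uricontent:"te="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008728; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008728; rev:2;)
# Fixed: the pcre previously read \d[1,3] (one digit followed by one of "1", "," or "3"), so a normal dotted-quad never matched and the rule was effectively dead; it now reads \d{1,3} per octet. rev bumped 2 -> 3.
# NOTE(review): the "??IP\:" / "????\:" content strings look like non-ASCII bytes lost during extraction; confirm them against the upstream signature before loading.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader Checkin Url Detected"; flow:established,to_server; content:"??IP\:"; depth:100; content:"??IP\:"; distance:0; content:"????\:"; distance:0; pcre:"/IP\:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008766; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008766; rev:3;)
#by robert grabowsky
# The Host header value must begin with a dotted-quad (pcre anchored at line start via /m), i.e. the checkin is addressed by IP.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Win32.Small.agoy Checkin"; flow:to_server,established; uricontent:"/?jutr="; nocase; uricontent:"&oo="; nocase; uricontent:"&ra="; nocase; content:"Host|3A|"; nocase; pcre:"/^Host\x3A\s+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/mi";classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=e491d25d82f4928138a0d8b3a6365c39; reference:url,www.threatexpert.com/reports.aspx?find=%2Fjutr%2F; reference:url,doc.emergingthreats.net/2008859; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008859; rev:3;)
#by Marcus at unsober.org
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Trojan Downloader"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?"; uricontent:"p="; uricontent:"&s="; uricontent:"&v="; uricontent:"uid="; uricontent:"&q="; pcre:"/\.php\?p=\d+&s=.+&v=\d+&uid=\d+&q=/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009299; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2009299; rev:2;)
# by: Jeremy Conway at sudosecure.net
# ref: 06ace2b012d13f7542bf7f01955b0162
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Trojan HTTP GET Logging"; flow:established,to_server; content:"GET "; depth:4; uricontent:"?type="; nocase; uricontent:"&setup_id="; nocase; uricontent:"&version="; nocase; uricontent:"&os="; nocase; uricontent:"&sp="; nocase; reference:url,www.virustotal.com/analisis/df09ec9ec4e5caa42db9d08e0f9d34b378e301a1eeb3aa1e6dbd0de1aa4a66be-1246158969; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009451; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2009451; rev:2;)
# by: Jeremy Conway at sudosecure.net
# ref: bfb38bcac71f7b0430c3445bc2997e4b
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Checkin - Downloads Rogue Adware "; flow:established,to_server; content:"GET "; depth:4; uricontent:"AreaID="; nocase; uricontent:"MediaID="; nocase; uricontent:"AdNo="; nocase; uricontent:"OriginalityID="; nocase;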
uricontent:"Url"; nocase; uricontent:"Mac="; nocase; uricontent:"Version="; nocase; uricontent:"ValidateCode="; nocase; uricontent:"ParentName="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009526; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2009526; rev:2;)
# by: Jeremy Conway at sudosecure.net
# ref: b19d04dca79aad2513e5f90efef3a6b4
# Negated content: fires only when the request has no User-Agent header.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader Checkin - HTTP GET "; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?"; nocase; uricontent:"machineid="; nocase; uricontent:"pubuserid="; nocase; uricontent:"checkversion="; nocase; content:!"|0d 0a|User-Agent\:"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009527; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2009527; rev:2;)
# by: Jeremy Conway at sudosecure.net
# ref: 9c93ea44074055aaf22fb56bdec375c5
# POST with an explicit "Content-Length: 0" and mac=/key=/ver= carried in the URI rather than the body.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader - HTTP POST"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|Content-Length\: 0|0d 0a|"; nocase; uricontent:"mac="; nocase; uricontent:"key="; uricontent:"ver="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009549; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2009549; rev:2;)
# by: Jeremy Conway at sudosecure.net
# ref: 1c97be2e53458bf2367915fc40a51333
# System details carried in the User-Agent value itself; distance:17/within:6 pins the mac= value to exactly 17 bytes, and the depth limits (200/400) keep the match near the request head.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent filled with System Details - GET Request";flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: mac="; nocase; depth:200; content:"&hdid="; nocase; distance:17; within:6; content:"&wlid="; nocase; content:"&start="; nocase; content:"&os="; nocase; content:"&mem="; nocase; content:"&alive"; nocase; content:"&ver="; nocase; content:"&mode="; nocase; content:"&guid"; content:"&install="; nocase; content:"&auto="; nocase; content:"&serveid"; nocase; content:"&area="; nocase; depth:400; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009541; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2009541; rev:2;)
# by: Jeremy Conway at sudosecure.net
# ref: 0f79f76f0ea1d53690ed916142f94083
# The pcre fixes the parameter order and requires an 8-digit ver= value.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader Check-in"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"htm?mac="; nocase; uricontent:"&os="; nocase; uricontent:"&ver="; nocase; uricontent:"&id="; pcre:"/\?mac=[0-9]*&os=[a-z]*&ver=[0-9]{8}&id=[0-9\.]*/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009704; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2009704; rev:2;)
# by: Jeremy Conway at sudosecure.net
#ref: 59c9112d9d39c3051f0c6ae1dd499d97
# NOTE(review): uricontent "<ime=" is most likely "&ltime=" with "&lt" decoded as an HTML entity when this file was rendered; confirm against the upstream signature before loading.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Generic - GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?mode="; nocase; uricontent:"&port="; nocase; uricontent:"&id="; nocase; uricontent:"<ime="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009803; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2009803; rev:2;)
#by jerry
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan Downloader Win32/Small.CBA download"; flow:established,to_server; uricontent:"popjs.asp?uid="; nocase; uricontent:"&tid=";nocase; uricontent:"&l="; nocase; uricontent:"&c="; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FSmall.CBA&ThreatID=-2147372177; reference:url,doc.emergingthreats.net/2010569; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; classtype:trojan-activity; sid:2010569; rev:3;)
# by: Jeremy Conway at sudosecure.net
#ref: 0ef0a8a7444bf9c0b0c05209e8b33994
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Screenblaze SCR Related Backdoor - GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?id="; nocase; uricontent:"&serial="; nocase; uricontent:"ver="; nocase; content:"|0d 0a|User-Agent\: WinInetHTTP|0d 0a|"; nocase; classtype:trojan-activity; reference:url,vil.nai.com/vil/content/v_156782.htm; reference:url,www.spywaredetector.net/spyware_encyclopedia/Backdoor.Prosti.htm; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207702#none; reference:url,www.threatexpert.com/report.aspx?md5=0bcdc9c2e2102f36f594b9e727dae3c7; reference:url,doc.emergingthreats.net/2009804; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_ScreenBlaze; sid:2009804; rev:2;)
#Matt Jonkman, found in the sandnet
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tear Application User-Agent Detected"; flow:established,to_server; content:"|0d 0a|User-Agent\: Tear Application|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007770; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_Tear_App; sid:2007770; rev:3;)
#from the sandnet
#by Matt Jonkman
# NOTE(review): "&tm=200" reads like a year prefix; if tm is a timestamp this stops matching from 2010 onward — confirm against samples.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Agent.cah Checkin Request"; flow:established,to_server; uricontent:"?v="; nocase; uricontent:"&mid="; nocase; uricontent:"&r1="; nocase; uricontent:"&tm=200"; nocase; uricontent:"&av="; nocase; uricontent:"&os=Windows"; nocase; uricontent:"&uid="; nocase; uricontent:"cht="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007644; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dropper.Agent.cah; sid:2007644; rev:3;)
#discovered by victor julien, sigs by matt jonkman, interesting one. Uses an html-like tag language on 8181
# Dropper-497 (Yumato): raw TCP protocol on ports >= 1024. 2007917 and 2007920 match a 5- or 4-byte packet of ASCII digits plus CRLF on any high port, which is very generic; expect noise unless tied to the 2007919 server reply.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Dropper-497 (Yumato) Initial Checkin"; flow:established,to_server; dsize:5; content:"|30 30 30 0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2007917; rev:2;)
# NOTE(review): content:"" (empty) is not valid Snort syntax; the original tag tokens were most likely stripped when this file was rendered — restore them before loading.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Dropper-497 (Yumato) System Stats Report"; flow:established,to_server; content:"|00 00 00 83|"; depth:4; content:""; content:"<"; distance:0; content:""; content:"<"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2007918; rev:2;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Dropper-497 Yumato Reply from server"; flow:established,from_server; content:"YUMATO|0d 0a|1234"; depth:12; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2007919; rev:2;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Dropper-497 (Yumato) Status Reply from server"; flow:established,from_server; dsize:4; content:"|32 31 0d 0a|"; depth:4; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2007920; rev:3;)
#matt jonkman, Dropper.Win32.VB.on
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper.Win32.VB.on Keylog/System Info Report via HTTP"; flow:established,to_server; content:"post================================"; content:"=====|0d 0a|Resource Name ";
distance:0; content:"|0d 0a|User Name/Value "; distance:0; content:"*************STEAM PASSWORDS**********"; distance:0; content:"Number of procesor\:"; distance:0; reference:url,doc.emergingthreats.net; classtype:trojan-activity; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2007987; rev:3;)
# NOTE(review): 2007987 above references doc.emergingthreats.net with no sid path, unlike every other rule in this file.
#matt jonkman Dropper Win32.Small.bfq
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper mdodo.com Related Trojan"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: Mdodo"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008195; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2008195; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dropper 6dzone.com Related Trojan"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: 6dzone|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008196; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2008196; rev:2;)
#by Jeffrey Brown
#re 516f93578db88b9e4a32d93b3d470df3
# POST body parameter chain: every content after the header/body separator is relative (distance:0), so the fields must appear in exactly this order.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Dropper Checkin"; flow: to_server,established; content:"POST "; depth:5; uricontent:".php"; nocase; content:"|0d 0a 0d 0a|"; content:"f="; distance:0; content:"&a="; distance:0; content:"&v="; distance:0; content:"&c="; distance:0; content:"&s="; distance:0; content:"&l="; distance:0; content:"&ck="; distance:0; content:"&c_fb="; distance:0; content:"&c_ms="; distance:0; content:"&c_hi="; distance:0; content:"&c_be="; distance:0; content:"&c_fr="; distance:0; content:"&c_yb="; distance:0; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/a4a854e56ecc0a54204fc3b043c63094; reference:url,doc.emergingthreats.net/2009156; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2009156; rev:4;)
#matt jonkman
# POST to "/" with no User-Agent header and an updater_version=...&updater_lang=...&action_type=log body.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown Dropper Checkin (2)"; flow:established,to_server; content:"POST / HTTP/1.1|0d 0a|"; depth:17; content:!"|0d 0a|User-Agent\: "; nocase; content:"|0d 0a 0d 0a|updater_version="; nocase; content:"&updater_lang="; distance:0; nocase; content:"&action_type=log"; distance:0; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010830; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2010830; rev:2;)
#by Jaime Blasco
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader checkin (3)"; flow:established,to_server; uricontent:".php?"; uricontent:"c_pcode="; uricontent:"c_pid="; uricontent:"c_kind="; uricontent:"c_mac="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010888; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Droppers_General; sid:2010888; rev:2;)
# Submitted by Tom Fischer, 2006-01-08, updated 4/22/06
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dumador Reporting User Activity"; flow:established,to_server; uricontent:".php?p="; nocase; uricontent:"?machineid="; nocase; uricontent:"&connection="; nocase; uricontent:"&iplan="; nocase; classtype:trojan-activity; reference:url,www.norman.com/Virus/Virus_descriptions/24279/; reference:url,doc.emergingthreats.net/2002763; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Dumador; sid:2002763; rev:4;)
# Submitted 4-6-07 Mark Warren
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Duntek establishing remote connection"; flow:established,to_server; uricontent:"rfe.php?"; nocase; uricontent:"cmp=dun_tekfirst"; nocase; uricontent:"guid="; nocase; classtype:trojan-activity;
reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-102514-0554-99; reference:url,doc.emergingthreats.net/2003537; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Duntek; sid:2003537; rev:3;)
#By Don Jackson of SecureWorks
# Crafted for the lowest common denominator; should work in most 1.x and later engines, PCRE used for C&C traffic.
# Mostly for spotting its use on your network. Only one DDoS rule. Be careful of the number/rate of alerts; these do not use thresholding.
# DNS left in hex to avoid advertising the domains to the bad guys via google
#these first few are for specific domains, to be removed in the not too distant future
# Each DNS rule matches one length-prefixed QNAME followed by type A / class IN (00 0001 0001). The TCP variants require an established flow; the UDP variants are stateless.
alert tcp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity TCP (1)"; flow:established,to_server; content:"|08616c2d6a696e616e036e65740000010001|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007673; rev:6;)
alert tcp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity TCP (2)"; flow:established,to_server; content:"|0861312d6a696e616e036e65740000010001|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007674; rev:6;)
alert tcp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity TCP (3)"; flow:established,to_server; content:"|0661726464726104686f737402736b0000010001|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007675; rev:6;)
alert tcp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity TCP (4)"; flow:established,to_server; content:"|03777777056a6f2d7566036e65740000010001|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007676; rev:6;)
alert tcp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity TCP (5)"; flow:established,to_server; content:"|037777770c6a6f66706d7579747276636603636f6d0000010001|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007677; rev:6;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity UDP (1)"; content:"|08616c2d6a696e616e036e65740000010001|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007678; rev:6;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity UDP (2)"; content:"|0861312d6a696e616e036e65740000010001|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007679; rev:6;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity UDP (3)"; content:"|0661726464726104686f737402736b0000010001|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007680; rev:6;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity UDP (4)"; content:"|03777777056a6f2d7566036e65740000010001|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007681; rev:6;)
alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN E-Jihad 3.0 DNS Activity UDP (5)";
content:"|037777770c6a6f66706d7579747276636603636f6d0000010001|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007682; rev:6;) #these are more permanent, C&C related alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 HTTP Activity 1"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tlog.php?logn="; pcre:"/GET /tlog\.php?logn=[^\s]+&pss=[^\s]+\sHTTP/1\.[0|1]\x0D\x0A/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007683; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 HTTP Activity 2"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/ntarg.php?"; pcre:"/GET /ntarg\.php?[^\s]*(notdoing=|howme=|uname=)[^\s]*\sHTTP/1\.[0|1]\x0D\x0A/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007684; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 HTTP Activity 3"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/tnewu.php?nlogin="; pcre:"/GET /tnewu.php?nlogin=[^\s]+&npss=[^\s]+&invitedby=[^\s]+\sHTTP/1\.[0|1]\x0D\x0A/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007685; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 DDoS HTTP Activity OUTBOUND"; flow:established,to_server; content:"GET "; offset:0; depth:4; content:"|0d 0a|User-Agent\: Attacker|0d 0a|"; offset:14; classtype:denial-of-service; 
reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007686; rev:6;) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET TROJAN E-Jihad 3.0 DDoS HTTP Activity INBOUND"; flow:established,to_server; content:"GET "; offset:0; depth:4; content:"|0d 0a|User-Agent\: Attacker|0d 0a|"; offset:14; classtype:denial-of-service; reference:url,doc.emergingthreats.net/bin/view/Main/EJihadHackTool; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_E-Jihad; sid:2007687; rev:7;) #by Daniel Clemens alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Likely EXE Cryptor Packed Binary - Likely Malware"; flow:from_server,established; content:"|4D 5A|"; content:"|2E 70 61 63 6B 65 64|"; within: 447; reference:url,bits.packetninjas.org; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008557; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_EXE_Cryptor_Packed; sid:2008557; rev:2;) #by Veerendra at secpod alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET TROJAN Likely eCard Malware Laden Email Inbound"; flow:established,to_server; content:"|0d 0a|Subject\: You have received an eCard"; nocase; content:"e-card.zip"; nocase; classtype:trojan-activity; reference:url,www.sophos.com/blogs/gc/g/2008/10/15/you-have-not-received-an-ecard/; reference:url,doc.emergingthreats.net/2008674; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Ecard_General; sid:2008674; rev:2;) #by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Egspy Infection Report Email"; flow:established,to_server; content:"FROM\: EgySpy Victim"; content:"TO\: EgySpy User"; distance:0; content:"SUBJECT\: E g y S p y KeyLogger"; distance:0; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; 
reference:url,doc.emergingthreats.net/2008039; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Egyspy; sid:2008039; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Egspy Infection Report via HTTP"; flow:established,to_server; uricontent:"/keylogkontrol/"; content:"|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible|3b| Indy Library)"; classtype:trojan-activity; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=EgySpy&threatid=48410; reference:url,doc.emergingthreats.net/2008047; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Egyspy; sid:2008047; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Egspy Install Report via HTTP"; flow:established,to_server; uricontent:"/control.php?pcad="; nocase; uricontent:"&tarih="; nocase; uricontent:"&saat="; nocase; uricontent:"&veri="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008136; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Egyspy; sid:2008136; rev:2;) #by Matt Jonkman, from sandnet analysis alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Eldorado.BHO User-Agent Detected (netcfg)"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: netcfg|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007758; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Eldorado; sid:2007758; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Eldorado.BHO User-Agent Detected (MSIE 5.5)"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: MSIE 5.5|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007833; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Eldorado; sid:2007833; rev:2;) #by evilghost alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN 
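Eleonore Exploit Pack activity"; flow:established,to_server; uricontent:"?spl="; uricontent:"&br="; uricontent:"&vers="; uricontent:"&s="; pcre:"/\?spl=\d+&br=[A-Za-z]+&vers=\d\.\d&s=[a-z0-9]+[^&]$/U"; classtype:trojan-activity; reference:url,www.offensivecomputing.net/?q=node/1419; reference:url,doc.emergingthreats.net/2010248; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Eleaonore; sid:2010248; rev:2;)
#by Chich Thierry
# DISABLED (review): the only payload test in both elitekeylogger rules is content:"MAIL FROM|3a|".
# That string is present in every SMTP transaction, so as written these fire on all inbound and all
# outbound mail and carry no keylogger-specific signal - pure alert noise that buries real hits.
# Re-enable only after adding a content match that is actually unique to the elitekeylogger report.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET TROJAN elitekeylogger v1.0 reporting - Inbound"; flow:established,to_server; content:"MAIL FROM|3a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002938; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_EliteKeyLogger; sid:2002938; rev:5;)
#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN elitekeylogger v1.0 reporting - Outbound"; flow:established,to_server; content:"MAIL FROM|3a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002941; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_EliteKeyLogger; sid:2002941; rev:5;)
#marcus at unsober, update by darren spruell
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Emo/Downloader.uxk checkin"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php"; uricontent:"v="; uricontent:"&id="; uricontent:"&rs="; uricontent:"&cc="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008452; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Downloader_General; sid:2008452; rev:4;)
#by matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Emogen Reporting via HTTP"; flow:established,to_server; uricontent:".asp?"; nocase; uricontent:"mac="; nocase; uricontent:"&name="; nocase; uricontent:"&p="; nocase; uricontent:"&id="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007986; 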
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Emogen; sid:2007986; rev:2;) #another one. Fortinet calls it emogen, others call it a dropper alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Emogen Infection Checkin Initial Packet"; flow:established,to_server; dsize:<100; content:"|00 00 00 00 00 00|WindowsXP|00 00 00|"; flowbits:set,ET.emogen1; flowbits:noalert; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008269; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Emogen; sid:2008269; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Emogen Infection Checkin CnC Keepalive"; flow:established,to_server; flowbits:isset,ET.emogen1; dsize:4; content:"test"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008270; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Emogen; sid:2008270; rev:3;) #by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN my247eshop.com User-Agent"; flow:established,to_server; content:"|0d 0a|User-Agent\: EShopee|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008243; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Eshop; sid:2008243; rev:2;) #from sandnet, by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ExplorerHijack Trojan HTTP Checkin"; flow:established,to_server; uricontent:"php?i="; uricontent:"&v="; uricontent:"&win=Windows"; uricontent:"&un="; uricontent:"&uv="; uricontent:"&s="; uricontent:"&onl="; uricontent:"&ip="; uricontent:"&f="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007700; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_ExplorerHijack; sid:2007700; rev:3;) #moved over from corpsespyware alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN FSG Packed Binary via HTTP Inbound"; 
flow:from_server,established; content:"|4D 5A|"; content:"|50 45 00 00 4C 01 02 00 46 53 47 21|"; distance:10; classtype:trojan-activity; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/2002773; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_FSG_Packer; sid:2002773; rev:6;) #by Nathaniel Richmond alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rogue A/V Win32/FakeXPA GET Request"; flow:to_server,established; uricontent:"?campaign="; uricontent:"&country="; uricontent:"&counter="; uricontent:"&campaign="; uricontent:"&landid="; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2009209; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_FakeXPA; sid:2009209; rev:2;) # by: Jeremy Conway at sudosecure.net # ref: 4da33fd42d70397965a4e9866f57a936 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FAKE/ROGUE AV HTTP Post"; flow:established,to_server; content:"POST "; depth:5; content:"mid="; content:"&wv="; content:"&r="; content:"&tp="; content:"&exe="; content:"&ls="; content:"&uid="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009514; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2009514; rev:2;) # by: Jeremy Conway at sudosecure.net # ref: 8db2fc67da6106116d781d25289cb2ac #9a023ed592a1a9ae2300b73b670a6754 951ab9f79e56b65e73188288f9c5c87e #c258b4e02079e1c8c464736348e99a15 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FAKE/ROGUE AV - Encoded (data=) HTTP POST"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|Cache-Control|3a 20|no-cache|0d 0a 0d 0a|data=/CjEfcLas0KCj/"; nocase; depth:400; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009553; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2009553; rev:2;) # by: Jeremy Conway at sudosecure.net # ref: 
bb3a670a8ac402be2c3b0d8f8043c3c3 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FAKE/ROGUE AV/Security Application Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"?url="; nocase; uricontent:"&affid="; nocase; content:"|0d 0a|User-Agent\: Mozilla/5.0 (compatible\; MSIE 6.0\; Windows XP)|0d 0a|"; nocase; pcre:"/\?url=[0-9]&affid=[0-9]{5}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009554; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2009554; rev:2;) # By Darren Spruell 2009-11-20 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake/Rogue AV Landing Page Encountered"; flow:established,to_server; uricontent:".php?land="; nocase; uricontent:"&affid="; nocase; pcre:"/\.php\?land=\d+&affid=\d{5}$/U"; classtype:trojan-activity; reference:url,en.wikipedia.org/wiki/Scareware; reference:url,doc.emergingthreats.net/2010347; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010347; rev:2;) #by evilghost and mike cox alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV FakeSmoke HTTP POST check-in"; flow:established,to_server; content:"POST "; nocase; depth:5; content:!"|0d 0a|User-Agent\: "; nocase; content:!"|0d 0a|Referer\: "; nocase; content:"|0d 0a 0d 0a|current_version="; pcre:"/current_version=[a-z0-9]{196,}/i"; classtype:trojan-activity; reference:url,isc.sans.org/diary.html?storyid=7768; reference:url,doc.emergingthreats.net/2010512; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010512; rev:4;) #by evilghost alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST "; nocase; depth:5; content:!"|0d 0a|Referer\: "; nocase; content:"|0d 0a|User-Agent\: Microsoft Internet Explorer|0d 0a|"; nocase; uricontent:"loads2.php?r="; 
nocase; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]+/Ui"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010594; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010594; rev:2;) #by evilghost alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential FakeAV HTTP GET Check-IN (/check)"; flow:established,to_server; content:"GET /check HTTP/1."; nocase; content:!"|0d 0a|Referer\: "; nocase; content:"|0d 0a|User-Agent\: Microsoft Internet Explorer|0d 0a|"; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010597; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010597; rev:2;) #by evilghost alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Landing Page (aid,sid)"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:".php?aid="; nocase; uricontent:"&sid="; nocase; pcre:"/[a-z]+\.php\?aid=\d+&sid=[a-z0-9]+$/Ui"; classtype:trojan-activity; reference:url,www.bleepingcomputer.com/forums/lofiversion/index.php/t247125.html; reference:url,doc.emergingthreats.net/2010625; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010625; rev:3;) #by packet hack alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"loads.php?code="; nocase; pcre:"/loads\.php\?code=\d+$/Ui"; classtype:trojan-activity; 
reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; reference:url,doc.emergingthreats.net/2010626; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010626; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/download.pl?code="; nocase; pcre:"/download\.pl\?code=\d+$/Ui"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; reference:url,doc.emergingthreats.net/2010627; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010627; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely FakeAV/Fakeinit/FraudLoad Checkin"; flow:established,to_server; content:"GET "; nocase; depth:4; content:!"|0d 0a|Referer\: "; nocase; uricontent:"cgi-bin/get.pl?l="; nocase; pcre:"/get\.pl\?l=\d+$/Ui"; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=f5e907a11831c757a94cde9257b3574c; reference:url,doc.emergingthreats.net/2010628; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010628; rev:3;) #by packet hack alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/bbgfvdfv.php?data="; content:"POST "; depth:5; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,www.threatexpert.com/report.aspx?md5=9be07b5a190500bd905af607753f7656; reference:url,doc.emergingthreats.net/2010810; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010810; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/borders.php"; content:"POST "; depth:5; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/report.aspx?md5=7ca709f154e6abc678fbc4df8a3256b6; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,www.threatexpert.com/report.aspx?md5=ce260744bb141ac0122a61f8f58027e7; reference:url,www.threatexpert.com/report.aspx?md5=c2e1f131a0df90c0ddb5eb4cc0b9f3ab; reference:url,doc.emergingthreats.net/2010811; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010811; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAlert/FraudPack/FakeAV/Guzz/Dload/Vobfus/ZPack HTTP Post"; flow:established,to_server; uricontent:"/resolution.php"; content:"POST "; depth:5; classtype:trojan-activity; reference:url,threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_AGENT.GUZZ&VSect=T; reference:url,www.threatexpert.com/threats/trojan-fraudpack-sd6.html; reference:url,www.threatexpert.com/report.aspx?md5=ce260744bb141ac0122a61f8f58027e7; reference:url,www.threatexpert.com/report.aspx?md5=c2e1f131a0df90c0ddb5eb4cc0b9f3ab; reference:url,doc.emergingthreats.net/2010812; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010812; rev:2;) #by evilghost alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake AV - Downloader likely malicious payload download src=xrun)"; flow:established,to_server; content:"GET /get?src=xrun HTTP/1."; nocase; content:"|0d 0a|Request\: "; nocase; classtype:trojan-activity; 
reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,doc.emergingthreats.net/2010831; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010831; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake AV Generic Download landing)"; flow:established,to_server; content:"GET "; depth:4; nocase; uricontent:"/smain?scout=acxc"; nocase; pcre:"/\/smain\?scout=acxc[a-z]{3}$/Ui"; classtype:trojan-activity; reference:url,www.bluetack.co.uk/forums/lofiversion/index.php/t18462.html; reference:url,www.threatexpert.com/report.aspx?md5=513077916da4e86827a6000b40db95d5; reference:url,doc.emergingthreats.net/2010832; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fake_AV; sid:2010832; rev:3;) #by kevin ross alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Fake-Rean Installer Activity (Malwareurl.com Top 30)"; flow:to_server; uricontent:"|2F|installer|2F|Installer|2E|exe"; nocase; pcre:"/[1-3]\x2Finstaller\x2FInstaller\x2Eexe/i"; classtype:trojan-activity; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/trojfakereane.html?_log_from=rss; reference:url,doc.emergingthreats.net/2010221; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fakerean; sid:2010221; rev:2;) #this sig is experimental. 
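# It appears to use a base64 encoded user-agent
# it's very long, no spaces or punctuation, which is what we can key on
# please report load or fp problems
# rev:5 (review): the pcre carried the /U modifier, which evaluates only against the normalized URI
# buffer; a User-Agent header is never in that buffer, so the rule could not match at all. It also
# looked for "\x0a\x0a" ahead of the header name where the wire has CRLF. The pcre now runs against
# the raw payload and expects CRLF, with the content:"|0d 0a|User-Agent\: " match still gating it.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli User Agent Detected"; flow:established,to_server; uricontent:"/rpt"; content:"|0d 0a|User-Agent\: "; content:!"|0d 0a|User-Agent\: Mozilla"; pcre:"/\r\nUser-Agent\x3a\x20[a-z0-9]{92}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007646; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Farfli; sid:2007646; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli User Agent Detected (VYG)"; flow:established,to_server; content:"|0d 0a|User-Agent\: VYG|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007658; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Farfli; sid:2007658; rev:3;)
#by Jeffrey Brown
# https://sandnet.emergingthreats.net/index.php?q=10493bc6d4d6f2f0d8fe61946315dcbd
# NOTE(review): destination port is "any" but the rule relies on uricontent, which only has a buffer
# to inspect on ports the HTTP preprocessor is configured for - effective coverage is $HTTP_PORTS.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Farfli HTTP Checkin Activity"; flow: to_server,established; uricontent:"/getmac.asp"; nocase; content:"x="; nocase; content:"&y="; nocase; content:"&z="; pcre:"/x=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-/Ui"; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b; reference:url,doc.emergingthreats.net/2009215; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Farfli; sid:2009215; rev:2;)
# by: Jeremy Conway at sudosecure.net
# ref: a93af8f350689c700ee3fde7442a956e
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fasec/FakeAV Alert/Keylogger/Dropper/DNSChanger Possible Rootkit - HTTP GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:"Command="; nocase; uricontent:"snNO="; nocase; uricontent:"Encode="; nocase; uricontent:"SFBH"; nocase; 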
reference:url,www.avast.com/eng/win32-fasec.html; reference:url,www.threatexpert.com/threats/virus-win32-fasec.html; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009472; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fasec; sid:2009472; rev:2;) #by matt jonkman, from sandnet data alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Feral Checkin via HTTP"; flow:established,to_server; uricontent:"?ucid="; nocase; uricontent:"&wmid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007286; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Feral; sid:2007286; rev:3;) #by Marcus at unsober alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FraudLoad.aww HTTP CnC Post"; flow:established,to_server; content:"POST "; depth:5; uricontent:"/instlog/?"; nocase; content:"|0d 0a|User-Agent|3a| Mozilla/3.0 (compatible\; TALWinInetHTTPClient"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008322; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fraudload; sid:2008322; rev:4;) # by: Jeremy Conway at sudosecure.net # ref: 3f778132d4d30bd0db897adfdae1f74e alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FAKE AV HTTP CnC Post"; flow:established,to_server; content:"POST "; depth:5; content:"action="; nocase; content:"uid="; nocase; within:10; content:"cnt="; nocase; content:"lng="; nocase; content:"type="; nocase; within:10; content:"user_id="; nocase; content:"pc_id="; nocase; content:"abbr="; nocase; content:"|0d 0a|User-Agent\: Mozilla/3.0 (compatible\; TALWinInetHTTPClient)"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009455; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fraudload; sid:2009455; rev:2;) # by: Jeremy Conway at sudosecure.net # ref: 3f68543ffe8862c57bebfb8732a1e716 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS 
(msg:"ET TROJAN Fraudload/FakeAlert/FakeVimes Downloader - POST"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"|0d 0a|User-Agent|3a| Mozilla|2f|3.0 |28|compatible|3b|TALWinInetHTTPClient|29 0d 0a|"; nocase; content:"|0d 0a 0d 0a|verint="; nocase; content:"&wv="; nocase; within:10; content:"&report="; nocase; within:20; content:"&abbr="; nocase; content:"&pid="; classtype:trojan-activity; reference:url,www.pctools.com/mrc/infections/id/Trojan-Downloader.FraudLoad/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan-Downloader.FraudLoad; reference:url,doc.emergingthreats.net/2009751; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fraudload; sid:2009751; rev:3;) #by Philipp Bescht alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fullspace.cc or Related Checkin (1)"; flow:established,to_server; uricontent:"/config.php?ver="; nocase; uricontent:"&uid="; nocase; uricontent:"&action="; nocase; uricontent:"&ras="; nocase; uricontent:"&verfull="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008397; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fullspace.cc; sid:2008397; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fullspace.cc or Related Checkin (2)"; flow:established,to_server; uricontent:"/register."; nocase; uricontent:"?id="; nocase; uricontent:"&port="; nocase; uricontent:"&connect="; nocase; uricontent:"&ver="; nocase; uricontent:"ip="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008398; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Fullspace.cc; sid:2008398; rev:2;) #by marcus at unsober #re: db3084220f85632b0eade6c759918ee6 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gaboc Trojan Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:".asp"; uricontent:"?type="; uricontent:"&machinename="; 
classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=6e871b9c440d5c77b9158ebcbe3fcd4b; reference:url,doc.emergingthreats.net/2009519; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gaboc; sid:2009519; rev:3;) #spyware/trojan/backdoors all reported here. sig by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gadu-Gadu.pl Related Trojan Reporting via HTTP"; flow:established,to_server; uricontent:"/appsvc/appmsg"; nocase; uricontent:"fmnumber="; nocase; uricontent:"&version="; nocase; uricontent:"&fmt="; nocase; uricontent:"&lastmsg="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007866; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gadu-gadu.pl; sid:2007866; rev:2;) #by Marcus at unsober alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS.Gamania Checkin"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a 0d 0a|"; content:"un="; distance:0; content:"&pw="; distance:0; content:"&sn="; distance:0; content:"&l="; distance:0; content:"&gd1="; distance:0; content:"&pn="; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008431; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gamania; sid:2008431; rev:2;) #by Jeremy at sudosecure # ref: 4e224c80f62c1b3dc74d295d0633e699 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gamethief/PSW.Magania Checkin"; flow:established,to_server; content:"Gh0st"; depth:5; content:"|00 00 00 e0 00 00 00|"; within:8; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008604; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gamethief; sid:2008604; rev:2;) #by victor julien alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-GameThief.Win32.OnLineGames infection report"; flow:established,to_server; content:"POST "; depth:5; 
content:"&hAssunto=infect-"; distance:50; within:400; content:"&hCorpo="; distance:0; within:50; content:"&hPara="; distance:0; within:50; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008984; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gamethief; sid:2008984; rev:3;) #by marcus at unsober #re: ee1539a7b6b7012a68b986262f01756c alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gamania Trojan Check-in"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php"; uricontent:"?p4="; uricontent:"&p5="; uricontent:"&hs="; pcre:"/p4=\d+&p5=\d+&hs=\d+/Ui"; classtype:trojan-activity; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=166939; reference:url,doc.emergingthreats.net/2009531; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Garmania; sid:2009531; rev:4;) #by evilghost alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini Malware Download"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?cmd=getFile&counter="; uricontent:"&p="; pcre:"/\.php\?cmd=getFile&counter=\d+&p=/U"; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010007; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini; sid:2010007; rev:5;) #by Mike Cox alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini/Fake AV Download URL Detected"; flow:established,to_server; uricontent:"/Layouts/Landings/CentralLandings/"; nocase; uricontent:"/images/"; nocase; pcre:"/\x2FLayouts\x2FLandings\x2FCentralLandings\x2F\d+\x2Fimages\x2F/Ui"; classtype:trojan-activity; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gemini; reference:url,doc.emergingthreats.net/2010450; sid:2010450; rev:2;) #Matt Jonkman # General signs of trojan infections.... alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - INFECTADO"; flow:established,to_server; content:"Subject\: Microsoft Windows"; nocase; content:"INFECTADO"; nocase; within:20; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002982; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General; sid:2002982; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN GENERAL Possible Trojan Sending Initial Email to Owner - SUCCESSO"; flow:established,to_server; content:"PC INFECTADO COM SUCCESSO"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2002983; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General; sid:2002983; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious Useragent Used by Several trojans (API-Guide test program)"; flow:established,to_server; content:"|0d 0a|User-Agent\: API-Guide test program|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007826; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General; sid:2007826; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Checkin Pattern Used by Several Trojans"; flow:established,to_server; uricontent:".php?"; uricontent:"uid="; uricontent:"&gid="; uricontent:"&cid="; uricontent:"&rid="; uricontent:"&sid="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008143; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General; sid:2008143; rev:2;) #matt jonkman, used by many uploaders alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Pass Stealer FTP 
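Upload"; flow:established,to_server; content:"INFECTADO|0d 0a|=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=|0d 0a|Computador"; depth:64; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008237; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General; sid:2008237; rev:3;)
#matt jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Trojan Checkin"; flow:to_server,established; uricontent:"magic="; nocase; uricontent:"&id="; uricontent:"&cache="; uricontent:"&tm="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008523; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General; sid:2008523; rev:3;)
#Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Bot HTTP CnC Pattern"; flow:established,to_server; uricontent:".php?guid_bot="; uricontent:"&ver_bot="; uricontent:"&stat_bot="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008550; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General; sid:2008550; rev:2;)
#by victor julien
# rev:4 (review): the pcre used the class [A-z], which also admits the six characters between 'Z'
# and 'a' ("[", "\", "]", "^", "_", "`"); narrowed to [A-Za-z]. The literal "/" inside the pattern
# is now escaped so the closing delimiter is unambiguous to any pcre-option parser.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Malformed Double Accept header - Likely Trojan-PWS.Win32.QQPass"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|Accept\: Accept\: "; pcre:"/^Accept\x3A\sAccept\x3A[^\r\n]*\d+,\s\/[A-Za-z0-9\.]+,\s[A-Za-z0-9\.]+/smi"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008975; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General; sid:2008975; rev:4;)
#by joe stewart and bojan zdrjna
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Trojan Checkin"; flow: to_server,established; content:"GET "; depth: 4; uricontent: ".asp?mac="; nocase; pcre:"/[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+-[a-f0-9]+/iU"; uricontent: "&ver="; nocase; reference:url,doc.emergingthreats.net/2009412; 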
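reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General; classtype:trojan-activity; sid:2009412; rev:4;)
#by bojan
# rev:5 (review): the previous pcre "/[a-f0-9]+/iU" was already satisfied by the 'a' and 'c' in the
# ".asp?mac=" uricontent and so constrained nothing. It now requires the mac= value itself to start
# with hex digits, which is what the rule is trying to express.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Trojan Checkin (2)"; flow: to_server,established; content:"GET "; depth: 4; uricontent: ".asp?mac="; nocase; pcre:"/\.asp\?mac=[a-f0-9]+/Ui"; uricontent: "&ver="; nocase; uricontent: "&os="; nocase; reference:url,doc.emergingthreats.net/2009442; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General; classtype:trojan-activity; sid:2009442; rev:5;)
# by: Jeremy Conway at sudosecure.net
# ref: 0e94639577df8c4b684b42d2acaa4417
# rev:4 (review): dropped a duplicated content:"name=\"user\"|0d 0a|" test. Both copies were
# non-relative and matched the same bytes, so the second added evaluation cost without adding a
# constraint; match semantics are unchanged.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Info Stealer - HTTP POST"; flow:established,to_server; content:"POST "; depth:5; content:"|0d 0a|Content-Type\: multipart/form-data\; boundary|3d|"; nocase; content:"name=\"id\"|0d 0a|"; nocase; content:"name=\"upt\"|0d 0a|"; nocase; content:"name=\"mode\"|0d 0a|"; nocase; content:"name=\"version\"|0d 0a|"; nocase; content:"name=\"cpu\"|0d 0a|"; nocase; content:"name=\"ram\"|0d 0a|"; nocase; content:"name=\"os\"|0d 0a|"; nocase; content:"name=\"user\"|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009470; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General; sid:2009470; rev:4;)
# by: Jeremy Conway at sudosecure.net
# ref: b5616a02e03205596215b4abfb9710ef
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Infostealer - GET Checkin"; flow:established,to_server; content:"GET "; depth:4; content:"|0d 0a|User-Agent\: wget 3.0|0d 0a|"; nocase; uricontent:"aid="; nocase; uricontent:"os="; nocase; uricontent:"uid="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009539; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General; sid:2009539; rev:2;)
#by jerry at 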
cybercave alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Agent.QBY CnC Post"; flow:established,to_server; uricontent:"cike.php?fid="; nocase; uricontent: "&cid="; nocase; uricontent:"&ver="; nocase; uricontent:"&tid="; nocase; uricontent:"&sn="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?uid=4f05faef-6a70-4957-8990-b316d8487f63; reference:url,doc.emergingthreats.net/2010138; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General; sid:2010138; rev:2;) #by marcus at unsober alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Keylogger Crack by bahman"; flow:established; content:"POST "; depth:5; content:"&message=|2b|keylogger|2b|Crack|2b|By|2b 25 32 31 25 32 31 25 32 31|...bahman"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008369; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Keyloggers; sid:2008369; rev:3;) #by Jeffrey Brown alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Keylogger Infection Report via POST"; flow:established,to_server; content:"texto=|25 30 44 25 30 41 25 30 44 25 30 41|Computer"; content:"|25 30 44 25 30 41|IP|25 32 45 25 32 45 25 32 45 25 32 45 25 32 45|"; distance:0; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008521; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Keyloggers; sid:2008521; rev:2;) #matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpamTool.Win32.Agent.gy/Grum/Tedroo Or Similar HTTP Checkin"; flow:established,to_server; uricontent:"?id="; nocase; uricontent:"&tick="; nocase; uricontent:"&ver="; nocase; uricontent:"&smtp="; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008189; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools; 
reference:url,www.secureworks.com/research/threats/botnets2009/; reference:url,securitylabs.websense.com/content/Blogs/2721.aspx; sid:2008189; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Common Spambot HTTP Checkin"; flow:established,to_server; uricontent:"os="; uricontent:"&user="; uricontent:"&status="; uricontent:"&uptime="; uricontent:"&cmd="; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008261; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_General_Spamtools; sid:2008261; rev:2;) #Matt Jonkman, found by Jacob Kitchel alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unnamed Generic.Malware http get"; flow:established,to_server; uricontent:"/ww20/script.php?id="; nocase; content:"&config="; nocase; content:!"User-Agent\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003431; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Generic.Malware; sid:2003431; rev:3;) #from castlecops research alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic.Malware.SFL User-Agent (Rescue/9.11)"; flow:established,to_server; content:"User-Agent\: Rescue/9.11"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003645; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Generic.Malware; sid:2003645; rev:3;) # by: Jeremy Conway at sudosecure.net # ref: 3ef704eaa54118d277d52a1fe9bbcaa4 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Backdoor Retrieve Instructions/Configs - HTTP GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:".php?aid="; nocase; uricontent:"&pid="; uricontent:"&kind="; nocase; content:!"|0d 0a|User-Agent\:"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009826; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Generic.Malware; sid:2009826; rev:2;) #by bojan alert tcp 
$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Trojan Checkin (double Content-Type headers)"; flow:to_server,established; content:"POST "; depth:5; uricontent:".php"; nocase; content:"|0d 0a|Content-Type|3a| text/html"; nocase; content:"|0d 0a|Content-type|3a| image/gif"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2010282; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Generic.Malware; sid:2010282; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Trojan Checkin (UA VBTagEdit)"; flow:to_server,established; content:"GET "; depth:4; content:"HTTP/1.0|0d 0a|User-Agent|3a| VBTagEdit"; nocase; reference:url,doc.emergingthreats.net/2010439; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Generic.Malware; classtype:trojan-activity; sid:2010439; rev:3;) #by steven Adair of shadowserver.org alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gh0st Remote Access Trojan Client Connect"; flow:to_server,established; content:"Gh0st"; depth:5; nocase; content:"|00 00 00 e0 00 00 00 78 9c 4b 63 60 60 98 03 c4 ac 40|"; within:19; dsize:<180; flowbits:set,ET.ghost; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008888; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Ghost; sid:2008888; rev:4;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Gh0st Remote Access Trojan Server Response"; flowbits:isset,ET.ghost; flow:to_client,established; content:"Gh0st"; depth:5; nocase; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008889; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Ghost; sid:2008889; rev:4;) #by Martin Holste alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GhostNet Trojan Reporting"; flow:established,to_server; 
uricontent:"/microsoft/v2/update/upgrade.aspx?hostname="; uricontent:"&ostype="; uricontent:"&macaddr="; uricontent:"&ipaddr="; uricontent:"&owner="; classtype:trojan-activity; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; threshold: type limit, track by_src, count 1, seconds 300; reference:url,doc.emergingthreats.net/2009202; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Ghostnet; sid:2009202; rev:4;) #by michael sconzo alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gimmiv.A.dll Infection"; flow: to_server,established; uricontent:"/test"; uricontent:".php"; uricontent:"?abc="; uricontent:"?def="; reference:url,www.microsoft.com/security/portal/Entry.aspx?name=TrojanSpy%3aWin32%2fGimmiv.A; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008689; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gimiv; sid:2008689; rev:3;) alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Gimmiv Infection Ping Outbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008726; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gimiv; sid:2008726; rev:3;) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Gimmiv Infection Ping Inbound"; icode:0; itype:8; dsize:20; content:"abcde12345fghij6789"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008727; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gimiv; sid:2008727; rev:3;) #by Darren Spruell alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Glacial Dracon C&C Communication"; flow:established,to_server; uricontent:"?id="; nocase; uricontent:"&ve="; nocase; uricontent:"&h="; nocase; content:"|0d 0a 0d 0a|&c[]="; nocase; content:"&t[]="; nocase; content:"&u[]="; nocase; content:"&d[]="; nocase; 
content:"&p[]="; nocase; classtype:trojan-activity; reference:url,www.threatexpert.com/report.aspx?md5=912692cb4e3f960c9cb4bbc96fa17c9d; reference:url,www.threatexpert.com/report.aspx?md5=fd3d061ee86987e8f3f245c2dc0ceb46; reference:url,doc.emergingthreats.net/2010163; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Glacial; sid:2010163; rev:2;) #by Tom Fisher alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Goldun Reporting User Activity"; flow:established,to_server; uricontent:".php?param="; nocase; uricontent:"&socks="; content:"|0d 0a|User-Agent\: Windows Updater"; nocase; classtype:trojan-activity; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; reference:url,doc.emergingthreats.net/2002775; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Goldun; sid:2002775; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Goldun Reporting User Activity 2"; flow:established,to_server; uricontent:".php?phid="; nocase; uricontent:"&ver="; nocase; uricontent:"&nn="; nocase; content:"|0d 0a|User-Agent\: z|0d 0a|"; classtype:trojan-activity; reference:url,www.avira.com/en/threats/TR_Spy_Goldun_de_1_details.html; reference:url,doc.emergingthreats.net/2002780; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Goldun; sid:2002780; rev:4;) #by matt jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Goldun Reporting Install"; flow:established,to_server; uricontent:".php?codec="; pcre:"/codec=\d+D\d+D\d+/U"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007965; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Goldun; sid:2007965; rev:2;) #by dxp and Darren Spruell. 
Compilation of former sids 2003509-2003511 and 2002854 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gozi check-in / update"; flow:established,to_server; uricontent:"?user_id="; nocase; uricontent:"&version_id="; nocase; uricontent:"&crc="; nocase; reference:url,www.secureworks.com/research/threats/gozi; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009410; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Gozi; sid:2009410; rev:3;) #Joe Stewart from Lurhq alert tcp any any -> any $HTTP_PORTS (msg:"ET TROJAN Possible Bobax trojan infection"; flow: established,to_server; content:"GET /reg|3f|u="; depth: 11; content:"|26|v="; within: 3; distance: 8; reference:url,www.lurhq.com/bobax.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001901; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_HTTP_Botnets; sid: 2001901; rev:5;) # Hacker Defender Root Kit #By Chris Norton 2/22/05 alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HackerDefender Root Kit Remote Connection Attempt Detected"; flow: established,to_server; content:"|01 9a 8c 66 af c0 4a 11 9e 3f 40 88 12 2c 3a 4a 84 65 38 b0 b4 08 0b af db ce 02 94 34 5f 22|"; rawbytes;tag: session, 20, packets; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2001743; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_HackerDefender; sid: 2001743; rev:8;) #Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN HackerDefender.HE Root Kit Control Connection"; flow: established,to_server; content:"|d0 84 ec 77 cf ec 60 e9|"; depth:8; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2003244; 
reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_HackerDefender; sid: 2003244; rev:3;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HackerDefender.HE Root Kit Control Connection Reply"; flow: established,from_server; content:"|d0 84 ec 77 cf ec 60 e9|"; depth:8; classtype:trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.hackdefender.html; reference:url,doc.emergingthreats.net/2003245; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_HackerDefender; sid: 2003245; rev:3;) # Trojan HaxDoor #Submitted by Tom Fischer, 2006-01-24, modified 2/2/06 on info from chris, reference update from darren spruell alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Haxdoor Reporting User Activity"; flow:established,to_server; uricontent:".php?"; nocase; uricontent:"lang="; nocase; uricontent:"&socksport="; nocase; uricontent:"&httpport="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HAXDOOR.DI; reference:url,doc.emergingthreats.net/2002790; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_HaxDoor; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=e787c4437ff67061983cd08458f71c94; reference:url,www.threatexpert.com/report.aspx?md5=d86b9eaf9682d60cb8b928dc6ac40954; reference:url,www.threatexpert.com/report.aspx?md5=1777f0ffa890ebfcc7587957f2d08dca; sid:2002790; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Haxdoor Reporting User Activity 2"; flow:established,to_server; uricontent:".php?param="; nocase; uricontent:"&socksport="; nocase; uricontent:"&httpport="; nocase; uricontent:"&uptime"; nocase; uricontent:"&uid="; nocase; uricontent:"&ver="; nocase; classtype:trojan-activity; 
reference:url,doc.emergingthreats.net/2002929; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_HaxDoor; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-113016-1420-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=e787c4437ff67061983cd08458f71c94; reference:url,www.threatexpert.com/report.aspx?md5=d86b9eaf9682d60cb8b928dc6ac40954; reference:url,www.threatexpert.com/report.aspx?md5=1777f0ffa890ebfcc7587957f2d08dca; sid:2002929; rev:4;) #matt jonkman #Disabled for now, getting many false positives #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop Checkin"; flow:established,to_server; uricontent:"/stat.htm?id="; nocase; uricontent:"&agt="; nocase; uricontent:"&r=http"; nocase; uricontent:"&OS="; nocase; uricontent:"&ntime="; nocase; uricontent:"&rtime="; nocase; reference:url,atlas-public.ec2.arbor.net/docs/Hitpop_DDoS_Malware_Analysis_PUBLIC.pdf; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008275; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hitpop; sid:2008275; rev:3;) #by jeremy at sudosecure #ref: 0189096db51adaf5598ef9a8eaeeff34 alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hitpop.AG/Pophot.az HTTP Checkin"; flow:to_server,established; content:"GET "; depth:4; uricontent:".asp"; nocase; uricontent:"|3F|ver="; nocase; uricontent:"|26|tgid="; nocase; uricontent:"|26|address="; nocase; pcre:"/address\=([0-9A-F][0-9A-F]-){5}([0-9A-F][0-9A-F])/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008317; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hitpop; sid:2008317; rev:3;) #by Don Jackson of Secureworks alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN HotLan.C Spambot C&C download command"; flow:established,from_server; content:"|3B|URL|3A|http|3A 2F 2F|"; 
pcre:"/\x0D\x0A\x0D\x0ASLP\x3A\d+\x3BMOD\x3A[\S\x3B]+\x3BURL\x3Ahttp\x3A\x2F{2}[^\x3B]+\x3BSRV\x3Aupd\x3B/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008471; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hotlan; sid:2008471; rev:4;) alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HotLan.C Spambot Trojan Activity"; flow:to_server,established; content:"GET|20|"; offset:0; depth:4; content:"|3F|mod|3D|"; offset:5; depth:40; pcre:"/^GET\s+[^\x0A\x0D]+\x3Fmod\x3D\w*\x26id\x3D[^\x26\s]+\x5F\w+\x26up\x3D[^\x26]+\x26mid\x3D[^\x26\s]+/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008473; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hotlan; sid:2008473; rev:3;) #Matt Jonkman alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg: "ET VIRUS Hotword Trojan in Transit"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001959; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hotword; sid: 2001959; rev:7;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "ET VIRUS Hotword Trojan inbound via http"; flow: established,from_server; content:"|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001960; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hotword; sid: 2001960; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg: "ET VIRUS Hotword Trojan - Possible 
File Upload CHJO"; flow: to_server,established; content:"STOR __"; content:"-CHJO.DRV"; nocase; within: 100; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001961; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hotword; sid: 2001961; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg: "ET VIRUS Hotword Trojan - Possible File Upload CFXP"; flow: to_server,established; content:"STOR __"; content:"-CFXP.DRV"; nocase; within: 100; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001962; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hotword; sid: 2001962; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg: "ET VIRUS Hotword Trojan - Possible FTP File Request pspv.exe"; flow: to_server,established; content:"SIZE pspv.exe"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001963; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hotword; sid: 2001963; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg: "ET VIRUS Hotword Trojan - Possible FTP File Request .tea"; flow: to_server,established; content:"LIST "; content:".tea"; nocase; within: 50; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001964; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hotword; sid: 2001964; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg: "ET VIRUS Hotword Trojan - Possible FTP File Status Upload ___"; flow: to_server,established; content:"|53 54 4f 52 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; 
classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001965; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hotword; sid: 2001965; rev:9;) alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg: "ET VIRUS Hotword Trojan - Possible FTP File Status Check ___"; flow: to_server,established; content:"|53 49 5a 45 20 5f 5f 5f 0d 0a|"; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2001966; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hotword; sid: 2001966; rev:9;) #from castlecops research, http://www.castlecops.com, sig by Matt Jonkman alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (SykO)"; flow:established,to_server; content:"User-Agent\: SykO"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003649; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2003649; rev:6;) #from sandnet analysis alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (IE_7.0)"; flow:established,to_server; content:"User-Agent\: IE_7.0"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2003932; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2003932; rev:6;) #from sandnet alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon URL Infection Checkin Detected"; flow:established,to_server; uricontent:"?mac="; nocase; uricontent:"&ver="; nocase; uricontent:"&user="; nocase; uricontent:"&md5="; nocase; uricontent:"&pc="; nocase; pcre:"/mac=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ui"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007592; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2007592; rev:5;) 
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (RAV1.23)"; flow:established,to_server; content:"User-Agent\: RAV"; nocase; pcre:"/User-Agent\: RAV\d\.\d\d/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007661; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2007661; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (??)"; flow:established,to_server; content:"User-Agent\: |3f 3f 0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2007689; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2007689; rev:3;) #Backdoor.Win32.Hupigon.abb alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Hupigon CnC init (variant abb)"; flow:established,to_server; dsize:4; flowbits:isnotset,ET.hupa.init; flowbits:noalert; content:"|00 00 00 00|"; flowbits:set,ET.hupa.init; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008041; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2008041; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Hupigon CnC Data Post (variant abb)"; flow:established,to_server; dsize:>200; flowbits:isset,ET.hupa.init; content:"Windows "; content:"Service Pack "; distance:0; content:"HACK|00 00|"; distance:100; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008042; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2008042; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon User Agent Detected (VIP2007)"; flow:established,to_server; content:"User-Agent\: VIP20"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008156; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2008156; rev:2;) #new 
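# hupigon variant CnC, at least that's what some of the AVs call it. Sample MD5: 1801d4ffb772174c655a5b223fb4d781
# Exact 5-byte payload "HTTP\0" from the client to any port >= 1024.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Hupigon CnC Communication (variant bysj)"; flow:established,to_server; dsize:5; content:"HTTP|00|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008258; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2008258; rev:3;)
#by Pedro Marinho
# Two-step flowbit chain (ET.Hupinit1): victim POSTs "/+" to the controller on 3128 (silent),
# then the controller's "HTTP/1.0 200 OK ... YES ~~ ... @@" reply raises the alert.
# This pair is the reference for the direction of the Hupinit2 chain further down.
alert tcp $HOME_NET any -> $EXTERNAL_NET 3128 (msg:"ET TROJAN Likely Hupigon Post to Controller"; flow:established,to_server; content:"POST /+"; depth:7; flowbits:noalert; flowbits:set,ET.Hupinit1; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008389; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2008389; rev:2;)
alert tcp $EXTERNAL_NET 3128 -> $HOME_NET any (msg:"ET TROJAN Hupigon Response from Controller (YES - ~~@@)"; flow:established,from_server; flowbits:isset,ET.Hupinit1; content:"HTTP/1.0 200 OK|0d 0a 0d 0a|YES|0d 0a 7e 7e|"; depth:26; content:"@@|0d 0a 0d 0a|"; within:150; reference:url,www.f-secure.com/v-descs/backdoor_w32_hupigon.shtml; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008390; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2008390; rev:2;)
#by jeremy at sudosecure
# ref: a127ef8d46e52b3df09c1c9430de6a27
# GET with the Indy Library default User-Agent and eve=/username=/anma=/ver= parameters. The
# "Mozilla/3.0 (compatible; Indy Library)" UA is the stock Delphi Indy string and is shared by
# plenty of legitimate software; the four URI parameters carry the specificity.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hupigon.AZG Checkin"; flow:established,to_server; content:"GET "; depth:4; nocase; content:"|0d 0a|User-Agent|3a 20|Mozilla|2f|3|2e|0|20 28|compatible|3b| Indy Library|29 0d 0a|"; within:300; nocase; uricontent:"eve="; nocase; uricontent:"username="; nocase; uricontent:"anma="; nocase; uricontent:"ver="; nocase; reference:url,www.pandasecurity.com/homeusers/security-info/about-malware/encyclopedia/overview.aspx?idvirus=143511&sind=0; reference:url,vil.nai.com/vil/content/v_145056.htm; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008515; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2008515; rev:2;)
#matt jonkman
# Hupigon.dkxh beacon on a raw high port: "OK.\x01200" somewhere in bytes 13-33 of the payload,
# followed within a short distance by the "Windows " OS string.
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Hupigon.dkxh Checkin to CnC"; flow:established,to_server; content:"OK|2e 01|200"; depth:20; offset:13; content:"Windows "; distance:4; within:30; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008540; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2008540; rev:3;)
#by darren spruell
# DISABLED (review): the two content:"" keywords are zero-length patterns. To my knowledge neither
# engine accepts an empty content - Snort 2 reports a rule parse error at load time, which aborts
# loading of the whole file, and Suricata rejects the rule - so as written this signature was never
# active and could take every other rule in this file down with it. The patterns most likely held
# non-ASCII bytes that were lost in transit; restore them from the canonical ET signature before
# re-enabling. Do not simply delete the empty contents: what would remain (three NUL bytes then
# 0x72-0x74, plus two '<' within 27 bytes) is broad enough to fire on ordinary high-port traffic.
#alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Hupigon System Stats Report (I-variant)"; flow:established,to_server; content:"|00 00 00|"; depth:3; content:""; content:"<"; distance:0; within:27; content:""; content:"<"; distance:0; within:27; pcre:"/^\x00\x00\x00[\x72-\x74]/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/bin/view/Main/TrojanDropper497; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2009052; rev:2;)
#matt jonkman
# Hupigon over a pseudo-HTTP channel on ports 3128-9000, three-step flowbit chain (ET.Hupinit2).
# Review: the published rev:1 headers had the IP direction reversed relative to their own flow
# keyword, their msg text and the sibling pair 2008389/2008390 above (victim -> controller:3128
# is to_server; controller -> victim is from_server). With flow:from_server the "HTTP/1.0 200 "
# payload can only be sent by the controller, so the packet must travel
# $EXTERNAL_NET 3128:9000 -> $HOME_NET, and "Client Status" must travel the other way. The
# headers below are swapped to agree with the flow keywords and rev is bumped; confirm against a
# capture before deploying. Note that 2009291/2009292 match nothing more than a bare CRLF on a
# high port and rely entirely on the flowbit set by 2009290.
alert tcp $EXTERNAL_NET 3128:9000 -> $HOME_NET any (msg:"ET TROJAN Possible Hupigon Connect"; flow:established,from_server; flowbits:set,ET.Hupinit2; dsize:<28; content:"HTTP/1.0 200 "; depth:13; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009290; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; flowbits:noalert; sid:2009290; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3128:9000 (msg:"ET TROJAN Hupigon CnC Client Status"; flow:established,to_server; flowbits:isset,ET.Hupinit2; dsize:<6; content:"|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009291; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2009291; rev:2;)
alert tcp $EXTERNAL_NET 3128:9000 -> $HOME_NET any (msg:"ET TROJAN Hupigon CnC Server Response"; flow:established,from_server; flowbits:isset,ET.Hupinit2; dsize:3; content:"|0d 0a|"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009292; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2009292; rev:2;)
#by shirkdog
# Fixed 16-byte controller reply between high ports. Note flow:from_server without "established",
# and a threshold of 2 hits per source address in 120 seconds before alerting.
alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET 1024:65535 (msg:"ET TROJAN Win32.Hupigon Control Server Response"; flow:from_server; dsize:16; content:"|03 00 00 00 00 00 00 00 c4 ec 48 f5 5e 00 85 80|"; depth:16; threshold: type both, count 2, seconds 120, track by_src; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009350; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2009350; rev:3;)
# by: Jeremy Conway at sudosecure.net
# ref: d96eaa91b6af24f4ed1616a817e5a819
# GET to ".asp?mac=...&xxx=" with the User-Agent "baidu".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN KillAV/Dropper/Mdrop/Hupigon - HTTP GET"; flow:established,to_server; content:"GET "; depth:4; uricontent:".asp?mac="; nocase; uricontent:"&xxx="; nocase; content:"|0d 0a|User-Agent\: baidu|0d 0a|"; nocase; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2009811; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_Hupington; sid:2009811; rev:2;)
# By Joe Stewart, Based on valuable work by Tom Fisher
# ICMP echo-request tunnel: payload over 64 bytes, first byte 0x08, a 4-byte little-endian value at
# offset 1 strictly between 64 and 1500, and a 00 00 pair within 1495 bytes after that. The header
# is any -> any, so this also fires on inbound and internal-to-internal echo requests.
alert icmp any any -> any any (msg:"ET TROJAN ICMP Banking Trojan sending encrypted stolen data"; dsize:>64; itype:8; icode:0; content:"|08|"; depth:1; byte_test:4,>,64,1,little; byte_test:4,<,1500,1,little; content:"|0000|"; distance:4; within:1495; classtype:trojan-activity; reference:url,www.websensesecuritylabs.com/alerts/alert.php?AlertID=570; reference:url,doc.emergingthreats.net/2003073; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_ICMP_Tunnel; sid:2003073; rev:4;)
# IRC Trojan Reporting
#
# By Erik Fichtner
#
# Bleeding-Remix :: irc / ircbot detection state machine
# compiled from various sources.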
# thanks to: Joe Stewart of LURHO, Joel Esler, Tomfi. ### Client login process. flowbits needs an OR. ### Client needs to tell the server who they are, join ### join a group, and someone needs to say something to ### someone else. alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IRC USER command"; flow: to_server,established; content:"USER|20|"; nocase; offset: 0; content:"|203a|"; within: 40; content:"|0a|"; within: 40; flowbits:noalert; flowbits: set,irc.start; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002023; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid: 2002023; rev:12;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IRC NICK command"; flow: to_server,established; content:"NICK|20|"; nocase; depth:50; content:"|0a|"; within: 40; flowbits:noalert; flowbits: set,irc.start; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002024; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid: 2002024; rev:13;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IRC JOIN command"; flowbits:isset,irc.start; flow:to_server,established; content:"JOIN|2023|"; nocase; depth:50; content:"|0a|"; within: 40; flowbits: set,irc.start; flowbits:set,is_proto_irc; flowbits:noalert; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002025; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid: 2002025; rev:13;) #Another start, psyBNC servers don't always use a join, info from Reg Quinton alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN psyBNC IRC Server Connection"; flow:from_server,established; content:"psyBNC@lam3rz"; depth:33; nocase; flowbits:set,irc.start; flowbits:set,is_proto_irc; classtype: misc-activity; reference:url,en.wikipedia.org/wiki/PsyBNC; reference:url,doc.emergingthreats.net/2003302; 
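reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2003302; rev:7;)
#
# --- IRC bot detection: shared flowbit state machine -------------------------
# The bot-command rules in this section only evaluate once a session has been
# tagged as IRC via the flowbit is_proto_irc. Two paths set it:
#   irc.start (set by a login/banner rule such as sid:2007672 or sid:2007621)
#     -> a PRIVMSG from the client (sid:2002026) sets is_proto_irc;
#   a PING from the server (sid:2002027, sets irc.ping)
#     -> the client's PONG (sid:2002028) sets is_proto_irc.
# The three state-machine rules carry flowbits:noalert, so they never alert by
# themselves. Most command rules also tag the source or destination host for
# 300 seconds (tag: host,300,seconds,...) so follow-on traffic is logged.
#
#Updated by Reg Quinton
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN IRC PRIVMSG command"; flowbits:isset,irc.start; flow:established; content:"PRIVMSG|20|"; depth:8; flowbits:set,is_proto_irc; flowbits:noalert;classtype: misc-activity; reference:url,doc.emergingthreats.net/2002026; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid: 2002026; rev:15;)
### Alternate path to is_proto_irc, Catch PING/PONG.
alert tcp any any -> any any (msg:"ET TROJAN IRC PING command"; flowbits:isnotset,is_proto_irc; flow: from_server,established; content:"PING|20|"; nocase; offset: 0; flowbits: set,irc.ping; flowbits:noalert; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002027; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid: 2002027; rev:6;)
alert tcp any any -> any any (msg:"ET TROJAN IRC PONG response"; flowbits:isnotset,is_proto_irc; flowbits:isset,irc.ping; flowbits:noalert; flow: from_client,established; content:"PONG|20|"; nocase; offset: 0; flowbits: set,is_proto_irc; classtype: misc-activity; reference:url,doc.emergingthreats.net/2002028; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid: 2002028; rev:6;)
# Bot potty
# "channel topic" rules anchor on the IRC 332 (RPL_TOPIC) reply: ":" at offset 0,
# then " 332 ", then " #<channel>" and " :" before the topic text.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN BOT - channel topic scan/exploit command"; flowbits:isset,is_proto_irc; flow:to_client,established; content:"|3a|"; offset:0; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; nocase; within: 40; tag: host,300,seconds,dst; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn))/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002029; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2002029; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN BOT - potential scan/exploit command"; flowbits:isset,is_proto_irc; flow:established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,dst; pcre:"/(ntscan [0-9]{1,4} [0-9]{1,4}|dcom\.self|scan\.(start|stop)|scan ([0-9]{1,3}\.[0-9]{1,3})|(advscan|exploited|asc|xscan|xploit|adv\.start) (webdav|netbios|ntpass|dcom(2|135|445|1025)|mssql|lsass|optix|upnp|dcass|beagle[12]|mydoom|netdevil|DameWare|kuang2|sub7|iis5ssl|wkssvc|wks1|mysql|wkssvcOth|wkssvcENG|arkeia|arcserve|wins|veritas|netbackup|asn))/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002030; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2002030; rev:13;)
# No content match here, only a pcre: every is_proto_irc packet from outside is
# run through the regex, so keep this rule behind the flowbit gate.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN BOT - potential update/download"; flowbits:isset,is_proto_irc; flow:established; tag: host,300,seconds,dst; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+(http|ftp)\x3a\x2f\x2f/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002031; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2002031; rev:15;)
# The three "." content matches pre-filter for a dotted-quad before the pcre runs.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN BOT - potential DDoS command (1)"; flowbits:isset,is_proto_irc; flow:established; content:"."; content:"."; distance:1; within:3; content:"."; distance:1; within:3; pcre:"/floodnet ([0-9]{1,3}\.){3}[0-9]{1,3}|(syn|udp) ([0-9]{1,3}\.){3}[0-9]{1,3}|(tcp|syn|udp|ack|ping|icmp)(flood)? ([0-9]{1,3}\.){3}[0-9]{1,3}/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002032; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2002032; rev:10;)
# Outbound direction: status strings a bot reports back to its controller.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN BOT - potential response"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((T?FTP)\x3a File transfer|(random|sequential) Port Scan|Random (Spreading|Scanner)|Exploiting IP|Exploiting\.\.|flooding\x3a|flood stopped|sending packets)|Random Method started|FINDFILE|Scan stopped|No scan thread found|thread\(s\) stopped|\x3aExec /i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002033; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid: 2002033; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN BOT - potential misc bot commands"; flowbits:isset,is_proto_irc; flow: established; content:"PRIVMSG|20|"; nocase; content:"|3a|"; within:30; tag: host,300,seconds,src; pcre:"/((\.aim\w*|ascanall|\x3agetshit200)\s+\w+)|((@kill|@get_os_version|@get_computer_name|@get_bot_version|@update|@restart|@reboot|@shutdown)\s)/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002384; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid: 2002384; rev:13;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN BOT - channel topic misc bot commands"; flowbits:isset,is_proto_irc; flow: established; content:"|3a|"; offset: 0; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; tag: host,300,seconds,src; pcre:"/(\.aim\w*|ascanall)\s+\w+/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002386; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid: 2002386; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN BOT - potential DDoS command (2)"; flowbits:isset,is_proto_irc; flow: established; tag: host,300,seconds,dst; content:"ddos"; nocase; pcre:"/ddos\.(phat(icmp|syn|wonk)|stop|(syn|udp|http)flood|targa3|(syn|ack|random) ([0-9]{1,3}\.){3}[0-9]{1,3})/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2003132; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid: 2003132; rev:5;)
# Added commands of another nasty bot
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN BOT - potential reptile commands"; flowbits:isset,is_proto_irc; flow:established; content:"PRIVMSG ";nocase; content:"|3a|"; within:30; pcre:"/\.((testdlls|threads|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\dx|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002363; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2002363; rev:12;)
# NOTE(review): rev:11 of this rule had the alternation branch "dl\x". In PCRE a
# "\x" with no hex digits after it is the NUL character, so that branch could never
# match a command and was dead. Aligned with the PRIVMSG variant (sid:2002363) and
# sid:2002031, which both use "dl\dx"; rev bumped.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN BOT - channel topic reptile commands"; flowbits:isset,is_proto_irc; flow:established; content:"|3a|"; offset: 0; content:"|20|332|20|"; within: 50; content:"|2023|"; within: 20; content:"|203a|"; pcre:"/\.((testdlls|threads|netstatp|nsp|speed|uptime|installed|secure|sec|unsecure|unsec|process|ps|rand|exploitftpd|eftpd|flusharp|farp|flushdns|fdns|resolve|dns|pstore|pst|sysinfo|si|netinfo|ni|driveinfo|di|stats|currentip)\s*[\r\n]|(iestart|ies|login|l|mirccmd|system|file\s+(cat|exists|e|del|rm|rmdir|move|copy|attrib)|down|dl\dx|update|reg\s+(query|delete|write))\s+\w+|(banner|ban|advscan|asc|scanall|sa|ntscan|nts)\s*[\n\r])/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2002385; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2002385; rev:12;)
#agobot, sdbot stuff, from JB
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Agobot-SDBot Commands"; flowbits:isset,is_proto_irc; flow:established; content:"PRIVMSG"; pcre:"/((cvar\.set)|(http\.(execute|update))|((aol)spam\.(setlist|settemplate|start|stop|setuser|setpass))|sniffer\.(addstring|delstring)|pingstop|udpstop|scan(all|stats|del|stop)|clone(stop|start)|c_(raw|mode|nick|join|part|privmsg|action))/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2003157; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2003157; rev:5;)
#pBot commands, Matt Jonkman, updated by Reg Quinton
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN pBot (PHP bot) Commands"; flowbits:isset,is_proto_irc; flow:established; content:"PRIVMSG"; pcre:"/PRIVMSG\s+\S+\s+\x3a\s*(\.user |\.logout|\.die|\.restart|\.mail |\.dns |\.download |\.exec |\.find |\.cmd |\.php |\.tcpflood |\.udpflood |\.raw |\.rndnick|\.pscan |\.ud\.server )/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2003208; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2003208; rev:9;)
#These are by Reg Quinton for perl bots. Uses the above irc state machines:
# $Id: TROJAN_IRC_Bots,v 1.12 2010/02/16 13:40:56 jonkman Exp $
#
# I am building these from perlbots I've captured over the last few months
# as I chase PHP injection attacks. In each case what you have is a "PRIVMSG"
# response with content that looks like ":\002...text\002"
#
# I rely on flowbits isproto_irc to catch the leading "PRIVMSG .*:"
#
# [11:29am dominic] cat ~/php-injection/* | sed -n 's/.*:\\002/:\\002/p' |\
# sed 's/002[ :].*/002/' | sort | uniq -c | grep 002\\[
# 2 :\002[Atk33]\002
# 2 :\002[Exploiting]\002
# 2 :\002[Finished]\002
# 8 :\002[GOOGLE]\002
# 1 :\002[GOOGLER]\002
# 11 :\002[HTTP]\002
# 4 :\002[HTTP-DDOS]\002
# 1 :\002[HTTP DDoSing]\002
# 1 :\002[PKS-SCAN| @@ ERROR @@ ]\002
# 1 :\002[PKS-SCAN|EXPLOTANDO CON CURL]\002
# 1 :\002[PKS-SCAN|EXPLOTANDO CON FETCH]\002
# 1 :\002[PKS-SCAN|EXPLOTANDO CON GET]\002
# 1 :\002[PKS-SCAN|EXPLOTANDO CON LYNX]\002
# 1 :\002[PKS-SCAN|EXPLOTANDO CON WGET]\002
# 1 :\002[PKS-SCAN| SPREANDING ]\002
# 2 :\002[Results]\002
# 2 :\002[RSH]\002
# 19 :\002[SCAN]\002
# 10 :\002[TCP]\002
# 4 :\002[TCP-DDOS]\002
# 2 :\002[TCP DDoSing]\002
# 13 :\002[UDP]\002
# 4 :\002[UDP-DDOS]\002
# 1 :\002[UDP DDoSing]\002
# 2 :\002[v6]\002
# 1 :\002[v6|Exploiting]\002
# 1 :\002[v6|VULN]\002
# 6 :\002[VERSION]\002
# Ones that look like ':\002[sometext]\002'
# (|02| is the IRC bold toggle; the three perlb0t cases differ only in the
# formatting bytes around the bracketed status word.)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 1)"; flow:established; flowbits:isset,is_proto_irc; content:"|3A 02 5B|"; content:"|5B 02|"; within: 32; pcre:"/\x3A\x02\x5B(Atk33|Exploiting|Finished|GOOGLE.*|HTTP.{0,8}|PKS-SCAN.{0,20}|Results|RSH|SCAN|TCP.{0,8}|UDP.{0,8}|v6.{0,12}|VERSION)\x5D\x02/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006910; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2006910; rev:6;)
# [11:31am dominic] cat ~/php-injection/* | sed -n 's/.*:\\002/:\\002/p' \
# | sed 's/002[ :].*/002/' | sort | uniq -c | grep 002.003
# 2 :\002\0034<------------------------------------------------>\003\002");
# 2 :\002\0034<------------------------------------------------>\003\002");
# 1 :\002\0034[BackConnect]\003\002
# 2 :\002\0034[help]\003\002
# 1 :\002\0034[HTTP]\003\002
# 1 :\002\0034[HTTP DDoSing]\003\002
# 1 :\002\0034PerlBot :By SPEED (Security Net Information) LoaDED bY @adms");
# 3 :\002\0034[SCAN]\003\002
# 2 :\002\0034[TCP DDoSing]\003\002
# 1 :\002\0034[UDP]\003\002
# 1 :\002\0034[UDP DDoSing]\003\002
# 1 :\002\0034[VERSION]\003\002
#
# Ones that look like \002\0034[sometext]\003\002
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 2)"; flow:established; flowbits:isset,is_proto_irc; content:"|3A 02 03|4|5B|"; content:"|03 02|"; within: 32; pcre:"/\x3A\x02\x034\x5B(BackConnect|help|HTTP.*|SCAN|TCP.*|UDP.*|VERSION)\x5D\x03\x02/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2006911; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2006911; rev:6;)
# [11:34am dominic] cat ~/php-injection/* | sed -n 's/.*:\\002/:\\002/p' \
# | sed 's/002[ :].*/002/' | sort | uniq -c | grep -v '002\\003' | grep -v '002\['
# 1 :\002
# 2 :\002Alvo dos Pacotes\002
# 1 :\002Conectando-se em\002
# 1 :\002Média de envio\002
# 1 :\002Tempo\002
# 2 :\002Tempo de Pacotes\002
# 1 :\002Total bytes\002
# 2 :\002Total de Pacotes\002
# 1 :\002Total pacotes\002
#
# Ones that look like \002sometext\002
# Note the non-ASCII "é" in the pcre: the rule matches the raw bytes as stored in
# this file, so keep the file's encoding when editing it.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN perlb0t/w0rmb0t Response (Case 3)"; flow:established; flowbits:isset,is_proto_irc; content:"|3A 02|"; content:"|02|"; within: 32; pcre:"/\x3A\x02(Alvo dos Pacotes|Conectando-se em|Média de envio|Tempo.*|Total .*)\x02/i"; classtype: trojan-activity; reference:url,doc.emergingthreats.net/2006912; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2006912; rev:7;)
# $Id: TROJAN_IRC_Bots,v 1.12 2010/02/16 13:40:56 jonkman Exp $
#
# [8:03am dominic] telnet 59.124.158.12 65500
# Trying 59.124.158.12...
# Connected to 59-124-158-12.HINET-IP.hinet.net (59.124.158.12).
# Escape character is '^]'.
# :irc.Indonesia.B0tN3t.org NOTICE AUTH :*** Looking up your hostname...
# :irc.Indonesia.B0tN3t.org NOTICE AUTH :*** Found your hostname
#
# Reg Quinton ; 9-Nov-2007
# This rule is an entry point into the state machine above: it sets both
# irc.start and is_proto_irc from the server banner alone.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN B0tN3t IRCbotnet"; flow:from_server,established; content:"\:"; offset:0; depth:1; content:"B0tN3t"; within:32; nocase; flowbits:set,irc.start; flowbits:set,is_proto_irc; classtype:misc-activity; reference:url,en.wikipedia.org/wiki/Botnet; reference:url,doc.emergingthreats.net/2007672; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2007672; rev:4;)
#by Greg Bowser
# NOTE(review): the character class [A-z] spans ASCII 0x41-0x7A and so also admits
# the punctuation between 'Z' and 'a' ([ \ ] ^ _ `). Left as written; [A-Za-z0-9]
# would be the strict form if that was the intent.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Username in IRC (XP-..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"USER "; pcre:"/USER XP-[A-z0-9]{4,8} \* 0 \:.*/"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008123; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2008123; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; classtype:trojan-activity; reference:url,doc.emergingthreats.net/2008124; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Bots; sid:2008124; rev:2;)
# by Reg Quinton
#
# Kaiten is a compiled code DDOS IRCbotnet for Unix/Linux systems. You will
# find the string "Kaiten wagoraku" in the code ..(or in the strings if you
# have a compiled version). It's been around since at least 2006, source can
# be found at many sites.
#
# See also
#
# http://isc.sans.org/diary.html?storyid=1127
# http://handlers.dshield.org/pbueno/Steve_malware6.pdf
# http://www.stacksegment.net/wiki/index.php/Linux_Malware_Analysis
# http://ktp.e-isa.com/Viruses/Linux.DDos-Kaiten.htm
#
# Reg Quinton; 2007/08/30
#
# Botnet begins by contacting an IRC server (there's some randomization to
# pick one) and saying (with short nick,ident,user strings..):
#
# Send(sock,"NICK %s\nUSER %s localhost localhost :%s\n",nick,ident,user);
#
# NOTE(review): rev:4 of this rule had the pcre fragment "USER\x20\S+localhost",
# i.e. no separator between the ident and "localhost". Because \S+ cannot consume
# a space, that regex can never match the Send() format quoted above, and the rule
# was dead even though its content matches succeeded. The pcre now requires the
# space ("\S*\x20localhost"; \S* also tolerates an empty ident). Content matches
# are unchanged; rev bumped.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Kaiten IRCbotnet login"; flow:to_server,established; content:"NICK|20|"; offset:0; depth:5; content:"USER|20|"; within:32; content:"localhost|20|localhost|20 3A|"; within:32; pcre:"/NICK\x20\S+\x0AUSER\x20\S*\x20localhost\x20localhost\x20\x3A/"; flowbits:set,irc.start; classtype:trojan-activity; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007621; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Kaiten; sid:2007621; rev:5;)
# various distinctive responses to commands implemented by Kaiten client
# Gated on irc.start (not is_proto_irc), so it depends on the login rule above
# or another irc.start setter having fired on the same flow.
alert tcp $HOME_NET any -> any any (msg:"ET TROJAN Kaiten IRCbotnet Response"; flow:established; flowbits:isset,irc.start; content:"NOTICE|20|"; content:"|20 3A|"; within:32; pcre:"/\x20\x3A(Receiving\x20file.\x0A|Saved\x20as\x20|Spoofs\x3A\x20|Kaiten\x20wa\x20goraku|Current\x20status\x20is\x3a\x20|Removed\x20all\x20spoofs|Packeting\x20|Panning\x20|Tsunami\x20heading\x20for\x20|Unknowing\x20|Killing\x20pid\x20)/"; classtype:trojan-activity; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007622; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Kaiten; sid:2007622; rev:4;)
# various commands implemented by Kaiten client, they don't use a : delimiter
# as others do, it's "[: ]PRIVMSG ! ". I'm
# skipping the server part. I wish there were flowbits that noted that we have
# an IRC channel going. I don't want to watch everything.
# (No flowbit gate on this one: every inbound "PRIVMSG !" to $HOME_NET is checked.)
alert tcp any any -> $HOME_NET any (msg:"ET TROJAN Kaiten IRCbotnet Commands"; flow:from_server,established; content:"PRIVMSG|20 21|"; pcre:"/PRIVMSG\x20\x21\S+\x20(TSUNAMI\x20|PAN\x20|UDP\x20|UNKNOWN\x20|GETSPOOFS|SPOOFS\x20)/i"; classtype:trojan-activity; reference:url,en.wikipedia.org/wiki/IRC_bot; reference:url,doc.emergingthreats.net/2007623; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/VIRUS/TROJAN_IRC_Kaiten; sid:2007623; rev:5;)
# $Id: TROJAN_IRC_Pitbull,v 1.6 2009/07/29 19:16:37 jonkman Exp $
# Pitbull is an IRCbot implemented in Perl since 2007/09/13, code seems to have
# authors who speak Spanish or Portuguese. Small sample here
#
# http://www.directadmin.com/forum/showthread.php?p=113720
#
# Google had a cached version, you might browse around to find others.
#
# Versions I captured are a little different from one another (s/space/etx/).
#
# Code *says* it supports these commands (but versions differ):
#!bot @portscan
#!bot @nmap
#!bot @back
#!bot @udpflood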