I have modified sid: 2007688 to the following, because I have seen the php file name changed:
# Rev 3 of sid 2007688: HTTP POST to a .php script carrying the ?2= parameter together with &n=, &v=, &i=, &sp= and &lcp=
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN Prg Trojan HTTP POST version 1"; \
    flow:established,to_server; content:"POST "; depth:5; \
    uricontent:".php?2="; uricontent:"&n="; uricontent:"&v="; uricontent:"&i="; uricontent:"&sp="; uricontent:"&lcp="; \
    reference:url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; sid:2007688; rev:3;)
and added this signature to catch the second variant of the POST method I have been seeing:
# Second variant: ?1= parameter with an underscore-separated value, followed within 40 bytes by &i=, then a letter, digits and whitespace
# (the pcre's backslash escapes were lost in the mail archive and are restored here; the stray within:40 after the pcre is dropped
# because within only modifies a preceding content/uricontent and Snort refuses to load the rule otherwise)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"TROJAN Prg Trojan HTTP POST version 2"; \
    flow:established,to_server; content:"POST "; depth:5; \
    uricontent:".php?1="; uricontent:"&i="; within:40; \
    pcre:"/\.php\?1=[a-z0-9]+_[a-z0-9]+&i=[a-z]\d+\s/i"; \
    reference:url,ip.securescience.net/advisories/pubMalwareCaseStudy.pdf; sid:123456789; rev:1;)
Let me know if you have any questions.
Thanks,
Jeremy Conway
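To check what the two posted rules actually accept before deploying them, here is an added Python emulation of their matching logic (not part of the original mail and not a Snort component) run over constructed HTTP request lines. It assumes the pcre was meant to read `\.php\?1=...&i=[a-z]\d+\s` and approximates `within:40` as "the next token must fit within the 40 bytes after the previous match".

```python
import re

# Constructed sample request lines (not real captures).
SAMPLES = [
    "POST /gate.php?2=abc&n=host1&v=1&i=1234&sp=1&lcp=0 HTTP/1.1",  # variant 1
    "POST /x.php?1=abc123_def456&i=a1234 HTTP/1.1",                 # variant 2
    "GET /x.php?1=abc123_def456&i=a1234 HTTP/1.1",                  # wrong method
    "POST /x.php?1=abc123def456&i=a1234 HTTP/1.1",                  # no underscore: uricontent hits, pcre fails
    "POST /x.php?1=" + "a" * 45 + "_b&i=a1 HTTP/1.1",               # &i= lands beyond within:40
]

V1_URI_TOKENS = [".php?2=", "&n=", "&v=", "&i=", "&sp=", "&lcp="]
# Assumed intended form of the posted pcre, with the lost backslashes restored.
V2_PCRE = re.compile(r"\.php\?1=[a-z0-9]+_[a-z0-9]+&i=[a-z]\d+\s", re.I)

def request_uri(line):
    """Return the URI field of a request line ('' if there is none)."""
    parts = line.split(" ")
    return parts[1] if len(parts) > 1 else ""

def matches_v1(line):
    """Rev 3 of sid 2007688: 'POST ' in the first 5 bytes and all six URI tokens present."""
    if line[:5] != "POST ":
        return False
    uri = request_uri(line)
    return all(tok in uri for tok in V1_URI_TOKENS)

def matches_v2(line):
    """Variant-2 rule: '.php?1=' then '&i=' within 40 bytes, then the pcre on the whole line."""
    if line[:5] != "POST ":
        return False
    uri = request_uri(line)
    start = uri.find(".php?1=")
    if start < 0:
        return False
    end = start + len(".php?1=")
    # within:40 -> '&i=' must sit entirely inside the 40 bytes after the previous match
    if uri.find("&i=", end, end + 40) < 0:
        return False
    return V2_PCRE.search(line) is not None

def classify(lines):
    """Per line, the list of rule names that fire (empty list when nothing fires)."""
    return [[name for name, fn in (("v1", matches_v1), ("v2", matches_v2)) if fn(l)]
            for l in lines]

if __name__ == "__main__":
    for line, hits in zip(SAMPLES, classify(SAMPLES)):
        print(hits or "-", line)
```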
_______________________________________________
Bleeding-sigs mailing list
Bleeding-sigs bleedingthreats.net
http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs