trojan/fraudtool/worm (2009.07.28)

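# Zbot: alerts on an HTTP request for /z/cfg.bin (presumably the bot's
# configuration file) when the Host header names tsesar.jino.ru. Both the URI
# and the Host match are case-insensitive.
# The typographic quotes from the blog rendering are replaced with plain ASCII
# quotes; Snort's rule parser does not accept the curly form.
# The host is a point-in-time indicator from the 2009.07.28 entry. Treat it as
# historical: the URI and Host are matched together, so the same path on another
# host will not alert.
# sid/rev are constructed placeholders in the local-rule range (>= 1000000);
# renumber to fit your own ruleset. Current Snort 2.x releases refuse to load a
# rule without a sid.
alert tcp any any -> any 80 (msg:"trojan-Spy.Win32.Zbot.gen web access"; flow:to_server,established; uricontent:"/z/cfg.bin"; nocase; content:"Host|3a20|tsesar|2e|jino|2e|ru"; nocase; http_header; sid:1000001; rev:1;)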

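# Koobface: alerts on an HTTP request for /1/pdrv.exe when the Host header names
# liesbethmilan.be. Both the URI and the Host match are case-insensitive.
# The typographic quotes from the blog rendering are replaced with plain ASCII
# quotes; Snort's rule parser does not accept the curly form.
# The rule covers port 80 only and ties the path to one host name, so the same
# binary fetched from another host or port is not covered. The host is a
# point-in-time indicator from the 2009.07.28 entry; treat it as historical.
# sid/rev are constructed placeholders in the local-rule range (>= 1000000);
# renumber to fit your own ruleset. Current Snort 2.x releases refuse to load a
# rule without a sid.
alert tcp any any -> any 80 (msg:"Net-Worm.Win32.Koobface.agd web download"; flow:to_server,established; uricontent:"/1/pdrv.exe"; nocase; content:"Host|3a20|liesbethmilan|2e|be"; nocase; http_header; sid:1000002; rev:1;)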

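# FraudTool (rogue security software) payment page: alerts on an HTTP request
# for /secure/index_new.php when the Host header is the literal address
# 85.17.139.149.
# The typographic quotes from the blog rendering are replaced with plain ASCII
# quotes; Snort's rule parser does not accept the curly form.
# flow:to_server,established is added so this rule is scoped like the other two
# rules on this page, which already carry it.
# The Host pattern is wrapped in CRLF on both sides, so the address cannot match
# as a prefix of a longer value.
# NOTE(review): the leading |0d0a| may never match inside the http_header buffer
# when Host is the first header line - confirm against your Snort version and
# drop the leading CRLF if so.
# The address is a point-in-time indicator from the 2009.07.28 entry; hosting
# addresses get reassigned, so treat it as historical.
# sid/rev are constructed placeholders in the local-rule range (>= 1000000);
# renumber to fit your own ruleset. Current Snort 2.x releases refuse to load a
# rule without a sid.
alert tcp any any -> any 80 (msg:"FraudTool.Win32.SecretService.d credit page access"; flow:to_server,established; uricontent:"/secure/index_new.php"; nocase; content:"|0d0a|Host|3a20|85|2e|17|2e|139|2e|149|0d0a|"; nocase; http_header; sid:1000003; rev:1;)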
