Backdoor Turkojan 4.0

healthcheck.

alert tcp any any -> any any (msg:"Backdoor-turkojan Runtime Detection(healthcheck)"; flow:established,to_server; content:"|42 41 47 4c 41 4e 54 49|"; offset:0; dsize:9; )

initiate-connection
alert tcp any any -> any any (msg:"Backdoor-turkojan_4.0 Runtime Detection(initiate-connection)"; flow:established,to_server; content:"|61 6d 73|"; dsize:3; flowbits:set,turkojan_4.0; flowbits:noalert;)
alert tcp any any -> any any (msg:"Backdoor-turkojan_4.0 Runtime Detection(initiate-connection)"; flow:established,to_client; content:"|4d 49 4e 46 4f 00|"; dsize:6; flowbits:isset,turkojan_4.0;)

