Snort mailing list archives
Win32.OnlineGameHack sig
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 19 Jun 2013 09:24:09 -0600
AHNLabs..good stuff: alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan.Win32.OnlineGameHack outbound connection"; flow:to_server,established; content:"/get.asp?mac="; http_uri; content:"&os="; within:36; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39_Eng.pdf; classtype:trojan-activity; sid:10000080; rev:1;) Has some similarities to 19573...wondering if 23312 will catch the exe with the JFIF headers. James ------------------------------------------------------------------------------ This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Win32.OnlineGameHack sig James Lay (Jun 19)