Snort mailing list archives
Re: Osx.Trojan.MacDownloader
From: Tyler Montier <tmontier () sourcefire com>
Date: Tue, 14 Feb 2017 16:51:17 -0500
Yaser,

Thanks for your submission. We will review and test the rule and get back to you when it's finished.

Sincerely,
Tyler Montier
Cisco Talos

On Tue, Feb 14, 2017 at 3:33 PM, Y M <snort () outlook com> wrote:
Hello,

The remote C&C server is reported as having been taken offline, but hopefully the rule would catch already infected hosts.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.MacDownloader outbound connection"; flow:to_server,established; urilen:14; content:"GET"; http_method; content:"/Servermac.php"; fast_pattern:only; content:"User-Agent|3A 20|Bitdefender Adware Removal Tool/"; http_header; metadata:ruleset community,service http; reference:url,virustotal.com/en/file/7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7/analysis/; reference:url,virustotal.com/en/file/52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c/analysis/; reference:url,www.joesecurity.org/reports/report-787d664e842961f2a335139407f91a70.html; classtype:trojan-activity; sid:1000840; rev:1;)

Thanks.
YM

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most emerging threats (https://snort.org/downloads/#rule-downloads)!
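The submitted rule chains four HTTP-level constraints, and it is worth seeing how they combine before deploying it: urilen:14 compares the length of the whole request-URI (query string included), so a beacon to /Servermac.php?id=1 would not fire; the /Servermac.php content carries no http_uri modifier and is therefore searched in the full payload; and the User-Agent content has no nocase, so it is matched case-sensitively in the header buffer. The following Python is an added example, not code from the thread or from Snort: it emulates those option semantics over constructed requests (the request lines and header values below are made up for the demonstration, not captured traffic) and reports which option a request fails first.

```python
# Added example: emulates the HTTP-level options of the posted Snort rule
# (urilen, http_method, a raw-payload content, an http_header content) over
# constructed requests. It models the Snort 2 semantics of those options; it is
# not a Snort rule parser and is not part of the original thread.

from dataclasses import dataclass
from typing import Optional

RULE_URILEN = 14                                                # urilen:14
RULE_URI = b"/Servermac.php"                                    # content, no buffer modifier
RULE_UA = b"User-Agent\x3a\x20Bitdefender Adware Removal Tool/"  # |3A 20| decoded to ": "


@dataclass
class HttpRequest:
    method: bytes
    uri: bytes      # request-URI as sent, query string included
    headers: bytes  # raw header block, request line excluded


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into method, request-URI and header block."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % request_line)
    return HttpRequest(method=parts[0], uri=parts[1], headers=headers)


def first_failing_option(raw: bytes) -> Optional[str]:
    """Return the first rule option the request fails, or None if all hold.

    Options are checked in the order they appear in the posted rule.
    flow:to_server,established is assumed satisfied (a client request)."""
    req = parse_request(raw)
    if len(req.uri) != RULE_URILEN:   # urilen measures the whole request-URI
        return "urilen:14"
    if req.method != b"GET":          # content:"GET"; http_method;
        return 'content:"GET"; http_method'
    if RULE_URI not in raw:           # no http_uri: searched in the full payload
        return 'content:"/Servermac.php"'
    if RULE_UA not in req.headers:    # http_header buffer, case-sensitive (no nocase)
        return 'content:"User-Agent|3A 20|Bitdefender Adware Removal Tool/"; http_header'
    return None


def rule_matches(raw: bytes) -> bool:
    """True when every emulated option of the rule holds for the request."""
    return first_failing_option(raw) is None


def build_request(method: bytes, uri: bytes, user_agent: bytes) -> bytes:
    """Builds the constructed sample requests below (not captured traffic)."""
    return (method + b" " + uri + b" HTTP/1.1\r\n"
            b"Host: example.invalid\r\n"
            b"User-Agent: " + user_agent + b"\r\n\r\n")


# Constructed samples; only SAMPLE_HIT should fire.
UA_SAMPLE = b"Bitdefender Adware Removal Tool/1.0"        # version suffix is assumed
SAMPLE_HIT = build_request(b"GET", b"/Servermac.php", UA_SAMPLE)
SAMPLE_QUERY = build_request(b"GET", b"/Servermac.php?id=1", UA_SAMPLE)  # urilen 19
SAMPLE_POST = build_request(b"POST", b"/Servermac.php", UA_SAMPLE)
SAMPLE_OTHER_UA = build_request(b"GET", b"/Servermac.php", b"Mozilla/5.0")

if __name__ == "__main__":
    for name, sample in [("hit", SAMPLE_HIT), ("query", SAMPLE_QUERY),
                         ("post", SAMPLE_POST), ("other_ua", SAMPLE_OTHER_UA)]:
        print(name, rule_matches(sample), first_failing_option(sample))
```

The query-string case is the one to weigh before relying on the rule for already infected hosts: if the sample's beacon ever appends parameters, urilen:14 silently excludes it, while the User-Agent content alone would still identify the traffic.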
Current thread:
- Osx.Trojan.MacDownloader Y M (Feb 14)
- Re: Osx.Trojan.MacDownloader Tyler Montier (Feb 14)