Snort mailing list archives
Win.Trojan.Proxysvc
From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 27 Apr 2018 14:13:22 +0000
Hi, I was not able to find information to write signatures of the TLS traffic. However, the malware listener accepts rather unique HTTP traffic according to the analysis in the reference. No pcaps available. # Title: Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide # Reference: https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/ alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Proxysvc listener inbound execute command"; flow:to_server,established; content:"Content-Type|3A 20|8U7y3Ju387mVp49A"; fast_pattern:only; http_header; content:"Content-Length"; http_header; metadata:ruleset community, service http; reference:url,securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/; classtype:trojan-activity; sid:8000019; rev:1;) Thanks. YM
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists snort org https://lists.snort.org/mailman/listinfo/snort-sigs Please visit http://blog.snort.org for the latest news about Snort! Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette Visit the Snort.org to subscribe to the official Snort ruleset, make sure to stay up to date to catch the most <a href=" https://snort.org/downloads/#rule-downloads">emerging threats</a>!
Current thread:
- Win.Trojan.Proxysvc Y M via Snort-sigs (Apr 27)
- Re: Win.Trojan.Proxysvc Phillip Lee (Apr 27)