Snort mailing list archives

Zbot/Simda sig


From: Y M <snort () outlook com>
Date: Thu, 10 Oct 2013 15:25:01 +0000

I was looking at a specific capture triggered by several alerts of sid:26369. Along the packets there were three attempts made to download an executable file, "calc.exe". The download was prevented; however, I downloaded the file and came up with the rule below. VT results are mostly mixed between Zbot, Simda, and Kazy.
# Note: fast_pattern moved directly after the "/?" content (it must modify a content, not a pcre),
# the duplicate http_uri dropped, and "\/?" corrected to "\/\?" so the pcre requires a literal "/?".
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"MALWARE-CNC Win.Trojan.Zbot/Simda outbound connection attempt"; \
    flow:to_server,established; \
    content:"/?"; http_uri; fast_pattern; \
    pcre:"/\/\?[0-9A-Za-z]=%/"; \
    content:"|25|96|25|CB|25|D5|25|A8|25|A7|25|"; http_raw_uri; \
    metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; \
    reference:url,www.virustotal.com/en/file/80ea92e508eefa5722870c6ca48a6a1086180c754dd83cf4ebd28bf3918c2392/analysis/; \
    sid:100065; rev:1; \
)
Thanks.
YM