Snort mailing list archives
Re: Zbot/Simda sig
From: Y M <snort () outlook com>
Date: Thu, 10 Oct 2013 19:08:50 +0000
Adding pcaps.

From: snort () outlook com
To: snort-sigs () lists sourceforge net
Date: Thu, 10 Oct 2013 15:25:01 +0000
Subject: [Snort-sigs] Zbot/Simda sig

I was looking at a specific capture triggered by several alerts of sid:26369. Along the packets there were three attempts made to download an executable file "calc.exe". The download was prevented; however, I downloaded the file and came up with the below rule. VT results are mostly mixed between Zbot, Simda, and Kazy.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot/Simda outbound connection attempt"; flow:to_server,established; content:"/?"; http_uri; fast_pattern; pcre:"/\/\?[0-9A-Za-z]=%/U"; content:"|25|96|25|CB|25|D5|25|A8|25|A7|25|"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/80ea92e508eefa5722870c6ca48a6a1086180c754dd83cf4ebd28bf3918c2392/analysis/; sid:100065; rev:1;)

Thanks.
YM

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Attachment:
zbot_simda_http.pcap
Description:
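To sanity-check which request URIs the three URI tests of the quoted rule would select, here is an added Python prototype of the same logic; it is not code from the thread and does not read the attached pcap, and the sample request lines are constructed. It treats the leading "/?" as literal, as the rule's content test does.

```python
import re

# Constructed sample HTTP request lines (not taken from the attached pcap).
SAMPLE_REQUESTS = [
    "GET /?a=%96%CB%D5%A8%A7%1F%30 HTTP/1.1",        # all three tests pass
    "GET /?a=%96%CB%D5%A8%A7 HTTP/1.1",              # byte sequence lacks the trailing '%'
    "GET /?ab=%96%CB%D5%A8%A7%1F HTTP/1.1",          # two-character key; the pcre wants exactly one
    "GET /index.php?id=%96%CB%D5%A8%A7%1F HTTP/1.1", # no '/?' in the URI
    "POST /?Z=%96%CB%D5%A8%A7%00 HTTP/1.1",          # the method is irrelevant to the rule
]

# content:"/?"; http_uri
URI_PREFIX = "/?"
# pcre: "/?", exactly one alphanumeric key, "=", then a percent-encoded value
KEY_VALUE_RE = re.compile(r"/\?[0-9A-Za-z]=%")
# content:"|25|96|25|CB|25|D5|25|A8|25|A7|25|"; http_raw_uri is the literal text below.
# It must be checked on the raw, undecoded URI: once percent-decoding is applied the
# '%' characters are gone, so the pattern can never match a decoded buffer.
RAW_SEQUENCE = "%96%CB%D5%A8%A7%"

REQUEST_LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/\d\.\d$")


def uri_matches(raw_uri):
    """Apply the rule's three URI tests to one raw (undecoded) request URI."""
    return (URI_PREFIX in raw_uri
            and KEY_VALUE_RE.search(raw_uri) is not None
            and RAW_SEQUENCE in raw_uri)


def scan_request_lines(lines):
    """Return the raw URIs of the request lines the rule logic would flag."""
    hits = []
    for line in lines:
        m = REQUEST_LINE_RE.match(line)
        if m and uri_matches(m.group("uri")):
            hits.append(m.group("uri"))
    return hits


if __name__ == "__main__":
    for uri in scan_request_lines(SAMPLE_REQUESTS):
        print("flagged:", uri)
```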
Current thread:
- Zbot/Simda sig Y M (Oct 10)
- Re: Zbot/Simda sig Y M (Oct 10)