Snort mailing list archives
New rule offered for detecting Gameover a new ZeuS variant over smtp
From: rmkml <rmkml () yahoo fr>
Date: Wed, 12 Feb 2014 21:59:53 +0100 (CET)
Hi,

A new ZeuS variant, known as Gameover, sends messages with a .zip containing an .enc file.

Please check if it's interesting:

alert tcp any any -> any 25 (msg:"SMTP Zip file contains Encrypted (.enc) possible GameOver ZeuS variant attempt"; flow:to_server,established; content:".zip"; pcre:"/^[\'\"]*\s*\r?\n/R"; file_data; content:"PK|03 04|"; within:4; distance:0; content:".enc"; within:50; distance:26; pcre:"/^PK\x03\x04.{26}[a-zA-Z0-9\-\_]+\.enc/s"; classtype:attempted-user; sid:1; rev:1;)

Please check all variables before use.
All comments/feedback are welcome.

Regards
@Rmkml

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!
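Added example, not part of the original post or of Snort: a Python check that applies an equivalent of the rule's final pcre to each decoded .zip attachment of a mail message and also reads the first ZIP local file header by its length field, for testing the rule's logic offline. The function names, the attachment name "invoice.zip" and the sample messages are constructed for illustration.

```python
import io
import re
import struct
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Equivalent of the rule's second pcre, applied to the decoded attachment
# (the buffer Snort exposes after file_data).
RULE_PCRE = re.compile(rb"^PK\x03\x04.{26}[a-zA-Z0-9\-_]+\.enc", re.S)

def first_entry_name(data):
    """Return the file name in the first ZIP local file header, or None."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        return None
    # Bytes 26-27: file name length, 28-29: extra field length; name starts at 30.
    name_len, _extra_len = struct.unpack_from("<HH", data, 26)
    return data[30:30 + name_len].decode("cp437", "replace")

def scan_message(raw):
    """Return (attachment name, first entry name, pcre matched) per .zip part."""
    results = []
    for part in message_from_bytes(raw).walk():
        fname = part.get_filename() or ""
        if not fname.lower().endswith(".zip"):
            continue
        body = part.get_payload(decode=True) or b""  # undo base64 transfer encoding
        results.append((fname, first_entry_name(body), bool(RULE_PCRE.match(body))))
    return results

def build_sample(member):
    """Constructed test message: one zip attachment holding a single member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"constructed payload")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    for member in ("report.enc", "report.txt"):
        print(scan_message(build_sample(member)))
```

The 26-byte skip in the rule corresponds to the fixed fields between the 4-byte PK signature and the file name in the local file header, which is why the name always starts at offset 30.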