Snort mailing list archives

New rule offered for detecting Gameover a new ZeuS variant over smtp


From: rmkml <rmkml () yahoo fr>
Date: Wed, 12 Feb 2014 21:59:53 +0100 (CET)

Hi,

A new ZeuS variant, known as Gameover, sends messages with a .zip containing a .enc file.

Please check if it's interesting:

alert tcp any any -> any 25 (msg:"SMTP Zip file contains Encrypted (.enc) possible GameOver ZeuS variant attempt";
flow:to_server,established; content:".zip"; pcre:"/^[\'\"]*\s*\r?\n/R";
file_data; content:"PK|03 04|"; within:4; distance:0; content:".enc"; within:50; distance:26; 
pcre:"/^PK\x03\x04.{26}[a-zA-Z0-9\-\_]+\.enc/s";
classtype:attempted-user; sid:1; rev:1;)

Please check all variables before use.

All comments/feedback are welcome.

Regards
@Rmkml
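Editor's added example, not part of rmkml's post: the rule above leans on the ZIP local file header layout (the 4-byte PK\x03\x04 signature, then 26 bytes of fixed fields, then the member file name), which is why it uses distance:26 and .{26} to land on the name. The Python below builds constructed in-memory ZIPs and runs two checks over the decoded attachment bytes: the rule's PCRE as posted, and a stricter "first entry's extension is exactly .enc" test that reads the name length from offset 26 of the header. The sample member names are made up for the demonstration; they show where the two checks disagree (a name like notes.encoded.txt satisfies the PCRE, while my.file.enc does not because the PCRE's character class has no dot).

```python
import io
import re
import struct
import zipfile
from typing import Optional

# ZIP local file header (PKZIP APPNOTE): 4-byte signature, 26 bytes of fixed
# fields (version, flags, method, time, date, crc32, sizes, name length, extra
# length), then the file name. The name length is a little-endian uint16 at
# offset 26; the name itself starts at offset 30.
LOCAL_HEADER_SIG = b"PK\x03\x04"
LOCAL_HEADER_LEN = 30

# The PCRE from the posted rule, unchanged except that the character class is
# written [a-zA-Z0-9_-], which is the same set as the rule's [a-zA-Z0-9\-\_].
# DOTALL mirrors the rule's /s so .{26} also consumes newline bytes.
RULE_PCRE = re.compile(rb"^PK\x03\x04.{26}[a-zA-Z0-9_-]+\.enc", re.DOTALL)


def first_entry_name(data: bytes) -> Optional[bytes]:
    """Return the member name from the first local file header, or None if data is not a ZIP."""
    if len(data) < LOCAL_HEADER_LEN or not data.startswith(LOCAL_HEADER_SIG):
        return None
    name_len, _extra_len = struct.unpack_from("<HH", data, 26)
    name = data[LOCAL_HEADER_LEN:LOCAL_HEADER_LEN + name_len]
    if len(name) != name_len:
        return None  # truncated header, do not guess
    return name


def rule_pcre_matches(data: bytes) -> bool:
    """Does the posted rule's PCRE fire on these attachment bytes?"""
    return RULE_PCRE.match(data) is not None


def has_enc_extension(data: bytes) -> bool:
    """Stricter check: the first member's name ends in .enc (case-insensitive)."""
    name = first_entry_name(data)
    return name is not None and name.lower().endswith(b".enc")


def build_zip(member_name: str) -> bytes:
    """Constructed sample: an in-memory ZIP with one entry. Not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, b"placeholder payload bytes")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed member names chosen to show where the two checks differ.
    for name in ["invoice_2014.enc", "report.pdf", "notes.encoded.txt", "my.file.enc"]:
        z = build_zip(name)
        print(f"{name:20} rule_pcre={rule_pcre_matches(z)!s:5} ext_is_enc={has_enc_extension(z)}")
```

Both checks only look at the first local file header, as the rule does; an archive whose first member is benign and whose later members are .enc would pass either one, so a content inspector that walks every header would be needed to close that gap.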

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org