Snort mailing list archives
Dyre trojan
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 16 Jun 2014 16:46:35 -0600
Neat...in a bad sort of way.

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Dyre Trojan publickey request"; flow:to_server,established; content:"User-Agent|3A|Wget|2f|1|2e|9"; http_header; fast_pattern:only; content:"|2f|publickey|2f|"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl; classtype:trojan-activity; sid:10000133; rev:1;)

James
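The two content matches in the rule, worked through as an added example that is not part of the post or of Snort: the helper decodes the |..| hex escapes the way Snort reads them, and the checker applies the same header and URI tests to constructed HTTP requests (sample requests and host name are made up).

```python
def decode_snort_content(pattern: str) -> bytes:
    """Expand a Snort content() string: text outside |..| is literal,
    text inside is hex bytes. Added helper, not Snort's own parser."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)

# The two byte patterns the rule looks for (no nocase, so byte-exact).
UA_PATTERN = decode_snort_content("User-Agent|3A|Wget|2f|1|2e|9")   # b"User-Agent:Wget/1.9"
URI_PATTERN = decode_snort_content("|2f|publickey|2f|")             # b"/publickey/"

def matches_dyre_publickey_rule(request: bytes) -> bool:
    """Approximate the rule's detection logic on one raw HTTP request:
    the header block (http_header) must contain UA_PATTERN and the
    request URI (http_uri) must contain URI_PATTERN. The flow check is
    assumed to be done by the caller, which feeds in client->server
    requests only."""
    head, sep, _body = request.partition(b"\r\n\r\n")
    if not sep:
        return False                      # header block not complete
    request_line, _, headers = head.partition(b"\r\n")
    fields = request_line.split(b" ")
    if len(fields) != 3:
        return False                      # not "METHOD URI HTTP/x.y"
    uri = fields[1]
    return URI_PATTERN in uri and UA_PATTERN in headers

# Constructed sample requests, not captured traffic.
DYRE_LIKE = (b"GET /publickey/ HTTP/1.1\r\nHost: example.invalid\r\n"
             b"User-Agent:Wget/1.9\r\n\r\n")
BENIGN_WGET = (b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n"
               b"User-Agent:Wget/1.9\r\n\r\n")
OTHER_UA = (b"GET /publickey/ HTTP/1.1\r\nHost: example.invalid\r\n"
            b"User-Agent: curl/7.30\r\n\r\n")
# A header with a space after the colon does not contain the byte-exact
# pattern, which is why the escapes in a rule must be checked against a
# real sample of the traffic it is meant to catch.
SPACED_UA = (b"GET /publickey/ HTTP/1.1\r\nHost: example.invalid\r\n"
             b"User-Agent: Wget/1.9\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("DYRE_LIKE", DYRE_LIKE), ("BENIGN_WGET", BENIGN_WGET),
                      ("OTHER_UA", OTHER_UA), ("SPACED_UA", SPACED_UA)]:
        print(name, matches_dyre_publickey_rule(req))
```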