MALWARE-CNC Win.Trojan.Bedep variant outbound connection (1:33188)

[Elliot Anderson <new.http.451 () gmail com>]

Hello all,

Anybody struggled with the 1:33188 sig previously. The thing is that this signature:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Bedep variant outbound 
connection”; flow:to_server,established; content:"/stats/eurofxref/eurofxref-hist-90d.xml"; http_uri; content:"Host|3A 
20|www.ecb.europa.eu <http://www.ecb.europa.eu/>|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, 
policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:33188; rev:4; )

Quite often triggers on legitimate traffic not associated with any CNC connections, just simple browsing and request 
for file from the European Central Bank (ECB) which contains the last 90 days of “Euro foreign exchange reference 
rates” and is updated daily. However Trojan Bedep uses it as part of DGA scheme.

Are there any supplement signatures for this activity cause this one isn't working exactly the way we would like and 
expect it to work.

Thanks for any comments,
Elliot

------------------------------------------------------------------------------
Site24x7 APM Insight: Get Deep Visibility into Application Performance
APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month
Monitor end-to-end web transactions and take corrective actions now
Troubleshoot faster and improve end-user experience. Signup Now!
http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!