Snort mailing list archives

Re: Osx.Trojan.MacDownloader


From: Tyler Montier <tmontier () sourcefire com>
Date: Tue, 14 Feb 2017 16:51:17 -0500

Yaser,

Thanks for your submission. We will review and test the rule and get back
to you when it's finished.

Sincerely,

Tyler Montier
Cisco Talos

On Tue, Feb 14, 2017 at 3:33 PM, Y M <snort () outlook com> wrote:

Hello,


The remote C&C server is reported to have been taken offline, but hopefully the
rule would catch already infected hosts.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.MacDownloader outbound connection"; flow:to_server,established; urilen:14; content:"GET"; http_method; content:"/Servermac.php"; fast_pattern:only; content:"User-Agent|3A 20|Bitdefender Adware Removal Tool/"; http_header; metadata:ruleset community,service http; reference:url,virustotal.com/en/file/7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7/analysis/; reference:url,virustotal.com/en/file/52efcfe30f96a85c9c068880c20663db64f0e08346e0f3b59c2e5bbcb41ba73c/analysis/; reference:url,www.joesecurity.org/reports/report-787d664e842961f2a335139407f91a70.html; classtype:trojan-activity; sid:1000840; rev:1;)


Thanks.

YM

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Visit Snort.org to subscribe to the official Snort ruleset, and make sure
to stay up to date to catch the most emerging threats:
https://snort.org/downloads/#rule-downloads

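To see what the submitted rule (sid:1000840) actually keys on, here is an added walkthrough that is not part of the thread and not Talos or Snort code: a small Python model of the rule's content checks run over constructed HTTP requests (no real captures; the hostname c2.example.invalid is made up). It reproduces the urilen:14, http_method, raw content and http_header conditions; flow state, $HOME_NET and $HTTP_PORTS are not modelled, so it is a logic check, not an IDS.

```python
"""Model the content checks of Snort rule sid:1000840 against sample requests."""
from dataclasses import dataclass

# Constructed sample requests (not captured traffic). "beacon" mirrors the
# request the rule describes; the other three are controls that should not fire.
SAMPLES = {
    "beacon": (
        "GET /Servermac.php HTTP/1.1\r\n"
        "Host: c2.example.invalid\r\n"
        "User-Agent: Bitdefender Adware Removal Tool/1.0\r\n"
        "\r\n"
    ),
    "benign_ua": (
        "GET /Servermac.php HTTP/1.1\r\n"
        "Host: c2.example.invalid\r\n"
        "User-Agent: Mozilla/5.0\r\n"
        "\r\n"
    ),
    "query_string": (
        "GET /Servermac.php?id=1 HTTP/1.1\r\n"
        "Host: c2.example.invalid\r\n"
        "User-Agent: Bitdefender Adware Removal Tool/1.0\r\n"
        "\r\n"
    ),
    "post": (
        "POST /Servermac.php HTTP/1.1\r\n"
        "Host: c2.example.invalid\r\n"
        "User-Agent: Bitdefender Adware Removal Tool/1.0\r\n"
        "\r\n"
    ),
}


@dataclass
class Request:
    method: str
    uri: str
    header_buf: str  # header lines only: roughly what http_header inspects
    raw: str         # whole payload: what an unmodified content: match inspects


def parse_request(raw: str) -> Request:
    """Split a raw HTTP/1.x request into the buffers the rule options look at."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, uri, _version = request_line.split(" ", 2)
    return Request(method, uri, "\r\n".join(header_lines), raw)


def rule_matches(req: Request) -> bool:
    """Return True when every content condition of sid:1000840 holds."""
    # urilen:14 -- the URI must be exactly 14 bytes, i.e. "/Servermac.php"
    # with nothing appended.
    if len(req.uri) != 14:
        return False
    # content:"GET"; http_method
    if req.method != "GET":
        return False
    # content:"/Servermac.php"; fast_pattern:only -- no buffer modifier, so the
    # string is searched in the whole payload.
    if "/Servermac.php" not in req.raw:
        return False
    # content:"User-Agent|3A 20|Bitdefender Adware Removal Tool/"; http_header
    # |3A 20| is the hex escape for ": "; the match is case-sensitive (no nocase).
    ua_pattern = "User-Agent\x3a\x20Bitdefender Adware Removal Tool/"
    return ua_pattern in req.header_buf


def evaluate_samples() -> dict:
    """Map each sample name to whether the modelled rule would alert on it."""
    return {name: rule_matches(parse_request(raw)) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:13s} -> {'ALERT' if hit else 'no match'}")
```

Only the "beacon" sample fires. The "query_string" control shows how tightly urilen:14 pins the rule to the bare path, which is worth knowing when tuning: a hit means a host in $HOME_NET is still sending this beacon, which, with the C&C reported offline, is exactly the already-infected-host signal the submitter is after.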
