security engineer

369 IDS/IPS rules I made that were accepted into Sourcefire / Snort community rule set are displayed below.

I started writing rules in 2012.

Up until May 8, 2015:

* 252 of my "MALWARE-CNC" rules were added to the Sourcefire community rule set. I created 252 of 462 (54.54%) "MALWARE-CNC" rules in the Sourcefire community rule set.

* Sourcefire wrote 2,338 "MALWARE-CNC" rules. I wrote 10.77% as many "MALWARE-CNC" rules as Sourcefire.

* Created 11.18% (369 out of 3,300) rules of the entire community rule set.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Sality logo.gif URLs"; flow:to_server,established; content:"/logo.gif?"; fast_pattern:only; http_uri; pcre:"/\x2Flogo\.gif\x3F[0-9a-f]{5,7}=\d{5,7}/Ui"; metadata:ruleset community; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Virus%3aWin32%2fSality.AT; classtype:trojan-activity; sid:24255; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED EXPLOIT-KIT Possible malicious Jar download attempt - specific-structure"; flow:to_client,established; content:"|3B 20|filename|3D|"; nocase; http_header; content:".jar"; within:4; distance:8; nocase; http_header; pcre:"/filename\x3d\w{8}\.jar/iH"; file_data; content:"PK|03 04|"; depth:4; reference:cve,2013-0422; classtype:trojan-activity; sid:24798; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Banking Trojan Config File Download"; flow:to_server,established; urilen:11; content:"|2F|Config|2E|txt"; fast_pattern:only; http_uri; content:"Mozilla|2F|3|2E|0|20 28|compatible|3B 20|Indy|20|Library|29 0D 0A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/2418469245edf860633f791b972e1a8a11e5744c6deb0cc1a55531cba3d0bd7f/analysis/; classtype:trojan-activity; sid:24885; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection"; flow:to_server,established; content:".php?ip="; http_uri; content:"&os="; distance:0; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c425af6875dff2c0627421086f66b7e058f51d22939478529702d193837c6cfe/analysis/; classtype:trojan-activity; sid:24886; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; content:"Content-Length: "; nocase; byte_test:8,<,369,0,string,relative; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25050; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Clickserver callback"; flow:to_server,established; urilen:95; content:" HTTP/1.0|0D 0A|Host:"; fast_pattern:only; pcre:"/^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25054; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - NewBrandTest"; flow:to_server,established; content:"User-Agent|3A 20|NewBrandTest|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb55b82f07cfb97f62c4e1/analysis/; classtype:trojan-activity; sid:25119; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess URI and Referer"; flow:to_server,established; urilen:52; content:"/s/?k="; fast_pattern:only; http_header; pcre:"/^\x2f[a-z0-9]{51}$/Ui"; pcre:"/Referer\x3a\s*?http\x3a\x2f{2}[a-z0-9\x2e\x2d]+\x2fs\x2f\x3fk\x3d/Hi"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25224; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:12; content:"/a/image.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25256; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Skintrim variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/bin/check.php?cv="; http_uri; content:"ThIs_Is_tHe_bouNdaRY_$"; fast_pattern; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/80e67695fa394f56fd6ddae74b72e9050f651244aad52ad48ebe6304edff95e2/analysis/1357239259/; classtype:trojan-activity; sid:25257; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast variant outbound connection"; flow:to_server,established; content:"/file.aspx?file="; fast_pattern:only; http_uri; content:"ksp/WS"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/af1ffe831112cbb34866fe1a65ed18613578039b002ca221757b791a5006894d/analysis/; classtype:trojan-activity; sid:25258; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BancosBanload variant outbound connection"; flow:to_server,established; content:".gif"; http_uri; content:"|0D 0A|Accept|2D|Encoding|3A 20|gzip|2C|deflateidentity|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/098fa9dbc519669a50fc6f3cdc8d9e4b05a6f0c32d154f515e403b54d72efff6/analysis/1357138873/; classtype:trojan-activity; sid:25259; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buterat variant outbound connection"; flow:to_server,established; content:"From|3A|"; http_header; content:"Via|3A|"; http_header; urilen:13; pcre:"/^\x2f\d{3}\x2f\d{3}\x2ehtml$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/90fb793d1fd7245b841ca4b195e3944a991d97d854090729062d700fe74553e5/analysis/; classtype:trojan-activity; sid:25269; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buzus variant outbound connection"; flow:to_server,established; content:"/default.aspx?ver="; http_uri; content:"&uid="; distance:0; http_uri; content:"|3B 20|MRA|20|5.10|20|"; http_header; pcre:"/\x26uid\x3d[a-f0-9]{16}($|\x26)/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25271; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Request for a non-legit postal receipt"; flow:to_server,established; content:".php?php=receipt"; fast_pattern:only; http_uri; pcre:"/\x2f[a-z0-9]+\.php\?php\x3dreceipt$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string; classtype:misc-activity; sid:25277; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Pushdo Spiral Traffic"; flow:to_server,established; content:"POST"; http_method; urilen:39; content:"/?ptrxcz_"; fast_pattern:only; http_uri; pcre:"/^\x2f\x3fptrxcz\x5f[a-zA-Z0-9]{30}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_antimalware.conf; classtype:trojan-activity; sid:25471; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Necurs Rootkit sba.cgi"; flow:to_server,established; content:"POST"; http_method; urilen:16; content:"/cgi-bin/sba.cgi"; fast_pattern:only; http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25503; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Necurs Rootkit op.cgi"; flow:to_server,established; content:"POST"; http_method; urilen:15; content:"/cgi-bin/op.cgi"; fast_pattern:only; http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25504; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"lfstream|26|"; depth:9; offset:8; pcre:"/^POST\x20\x2fg[ao]lfstream\x26/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/f4c44b5331c30b62beacae5d343d591584715c2d9d6d65848216b61efd916ec1/analysis/; classtype:trojan-activity; sid:25511; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST"; flow:to_server,established; content:"POST"; http_method; urilen:15; content:"/admin/host.php"; fast_pattern:only; http_uri; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/98fb9778208cb74c11a71afd065ae64e562ded1ae477ad42e392fe3711170319/analysis/; classtype:trojan-activity; sid:25577; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=PostalReceipt.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"PostalReceipt.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25578; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=BookingInfo.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"BookingInfo.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25579; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=BookingDetails.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"BookingDetails.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25580; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Reventon variant outbound communication"; flow:to_server,established; dsize:4; content:"|9A 02 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/25c690dac0d17f9ba304e5e68c1da2381685b1aa0aa3cd503589bbc59daf81eb/analysis/; classtype:trojan-activity; sid:25627; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kryptic variant outbound connection"; flow:to_server,established; content:"Accept-Language: en-us|3B 0D 0A|"; http_header; content:"wok5VLG.6"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/3ff78086c2e0fb839beeea7e4a209850c00f338005872e845155341cc30a5db5/analysis/; classtype:trojan-activity; sid:25652; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; content:"/js/disable.js?type="; fast_pattern:only; http_uri; content:"Accept|3A 20|application/javascript|2C 20 2A 2F 2A 3B|q=0.8"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:JS/Medfos.B; classtype:trojan-activity; sid:25660; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; dsize:267<>276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan Agent YEH variant outbound connection"; flow:to_server,established; content:"|29 3B 28|b|3A|3790|3B|c|3A|INT|2D|6760|3B|l|3A|09|29 0D 0A|"; fast_pattern:only; http_header; pcre:"/\x2f\?ts\x3d[a-f0-9]{40}\x26/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-YEH/detailed-analysis.aspx; classtype:trojan-activity; sid:25765; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/cmd.php?cmd="; http_uri; content:"arq="; distance:0; http_uri; content:"cmd2="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fBancos; classtype:trojan-activity; sid:25766; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Urausy Botnet variant outbound communication"; flow:to_server,established; urilen:95<>102; content:"|29 20|Chrome|2F|"; http_header; content:!"|0A|Accept-Encoding|3A 20|"; http_header; pcre:"/^\x2f[a-z\x2d\x5f]{90,97}\.php$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.botnets.fr/index.php/Urausy; classtype:trojan-activity; sid:25807; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Sality logos.gif URLs"; flow:to_server,established; content:"/logos.gif?"; fast_pattern:only; http_uri; pcre:"/\x2Flogos\.gif\x3F[0-9a-f]+=\x2d?\d+/Ui"; content:!"|0A|Referer|3A|"; http_header; content:!"|0A|Cookie|3A|"; http_header; metadata:ruleset community; reference:url,www.virustotal.com/en/file/79416e894ee7040e88f9918802db4d473140d45e45d945abebe820a1841ec5ba/analysis/; classtype:trojan-activity; sid:25809; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan Banker FTC variant outbound connection"; flow:to_server,established; urilen:18; content:"/listas/out/si.php"; fast_pattern:only; http_uri; content:"HTTP/1.0|0D 0A|"; depth:10; offset:24; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Banker-FTC/detailed-analysis.aspx; classtype:trojan-activity; sid:25829; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection - MSIE7 No Referer No Cookie"; flow:to_server,established; urilen:1; content:"|2F|"; http_uri; pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Einfo\r\n/Hi"; content:!"|0A|Referer|3A|"; http_header; content:!"|0A|Cookie|3A|"; http_header; content:"|3B 20|MSIE|20|7.0|3B 20|"; http_header; content:"|2E|info|0D 0A|"; fast_pattern; nocase; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse); classtype:trojan-activity; sid:25854; rev:5;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 24131192124.com - Win.Trojan.Chebri.C "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|24131192124|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AWin32%2FChebri.C; classtype:trojan-activity; sid:25946; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"APP-DETECT Ammyy remote access tool"; flow:to_server,established; content:"POST"; http_method; content:"|0A|Host|3A 20|rl.ammyy.com|0D 0A|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.ammyy.com; classtype:policy-violation; sid:25947; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC GzWaaa outbound data connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"User|2D|Agent|3A 20|Mozilla|2F|3.0|20 28|compatible|3B 20|Indy Library|29 0D 0A|"; http_header; content:"form-data|3B| name=|22|userfile|22 3B| filename="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/04edf40eaf652dfab4e8dc2ca21fbf2e99d361746995767071789cc3fa24d2cc/analysis/1361822708/; classtype:trojan-activity; sid:25949; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant in.php outbound connection"; flow:to_server,established; urilen:7; content:"/in.php"; http_uri; content:".ru|0D 0A|User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:"|0A|Content-Length|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,zeustracker.abuse.ch/monitor.php?ipaddress=195.22.26.231; classtype:trojan-activity; sid:26023; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wecod variant outbound connection"; flow:to_server,established; urilen:20; content:"/b/n/winrar/tudo.rar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/22e0300501e6bbb7f46c2fb5aed12e4c0d23385cc6319d430cd4faed5241f362/analysis/; classtype:trojan-activity; sid:26024; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos variant outbound connection SQL query POST data"; flow:to_server,established; content:"a=select CAMPO from PAGINA where CODIGO = "; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/88efcb549a52e3fb6359a3888e72726aac00c730edcd5280e0248d11306a645d/analysis/; classtype:trojan-activity; sid:26075; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:"|0D 0A|Accept|2D|Encoding|3A 20|identity|0D 0A|"; distance:0; http_header; pcre:"/\x0d\x0aContent\x2dLength\x3a\x20(124|132)\x0d\x0a/H"; pcre:"/\x3d?\x3d\r\n$/P"; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26106; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Eldorado variant outbound connection"; flow:to_server,established; urilen:12; content:"/pid/pid.txt"; fast_pattern:only; http_uri; content:"(compatible|3B 20|Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/46b01e093493ff14a4f1a43905d4943f5559fb518c04edde46084d9672d0f20f/analysis/1363359002/; classtype:trojan-activity; sid:26211; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proxyier variant outbound connection"; flow:to_server,established; content:"GET /?"; depth:6; content:"HTTP/1.1|0D 0A|Host|3A 20|update|2E|"; distance:0; content:"0b8pre|0D 0A|"; fast_pattern:only; http_header; content:!"|0A|Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:26212; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Dapato banking Trojan variant outbound connection"; flow:to_server,established; urilen:21; content:"/pics/_vti_cnf/00.inf"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ebcff32473d032041bd69e9599fbff4ad295128003f76d1f452ba7cb6e2d20d4/analysis/1364314446/; classtype:trojan-activity; sid:26264; rev:6;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain mercury.yori.pl - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mercury|04|yori|02|pl|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/3b10dea660714efe9d89b8473196be64445741a2b9d36f9ddf5e45e744a9e320/analysis/; classtype:trojan-activity; sid:26265; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org"; flow:to_server,established; content:"Host|3A| search.dnssearch.org|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26286; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26287; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Brontok Worm variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Brontok.A8 Browser|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securelist.com/en/descriptions/10286064/Email-Worm.Win32.Brontok.rf?print_mode=1; classtype:trojan-activity; sid:26288; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Daws Trojan Outbound Plaintext over SSL Port"; flow:to_server,established; content:"POST"; depth:4; pcre:"/^POST\x20\x2f[a-z]+\.[a-z]{3}\x20HTTP\x2f1\.1\r\n/"; content:"|0D 0A|Content|2D|Disposition|3A 20|form|2D|data|3B 20|name|3D 22|"; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/R"; pcre:"/\d+\x2d{2}\r\n$/R"; metadata:impact_flag red, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/file/f810c56734a686fdf46eb3ff895db6f3dd0cebb45c1e74bcc1c43f8050242d53/analysis/1359999907/; classtype:trojan-activity; sid:26289; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC file path used as User-Agent - potential Trojan"; flow:to_server,established; content:"User-Agent|3A 20|C:|5C|"; fast_pattern:only; http_header; pcre:"/\.exe$/iU"; pcre:"/^User\x2dAgent\x3a\x20c\x3a\x5c[^\r\n]*?\.exe\r\n/Him"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5dd932e083cf9d910bc43bb998983f5ec35691c1b84708a355f7c46b358fa375/analysis/; classtype:trojan-activity; sid:26319; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server,established; content:".php?mac="; fast_pattern:only; http_uri; content:"|0D 0A|Accept-Language|3A 20|ko|0D 0A|"; http_header; pcre:"/\.php\?mac\x3d([a-f0-9]{2}\x3a){5}[a-f0-9]{2}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/171a0b12197c1b1b525e2db1a62adb6f6c3f42ccb5704c8174944ee8b901abec/analysis/; classtype:trojan-activity; sid:26325; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.Flashfake variant outbound connection"; flow:to_server,established; content:"|3B 20|sv|3A|"; http_header; content:"|3B 20|id|3A|"; within:5; distance:1; http_header; pcre:"/^User\x2dAgent\x3a\s[^\r\n]*?\x3b\x20id\x3a[A-F0-9]{8}\x2d([A-F0-9]{4}\x2d){3}[A-F0-9]{12}\)[^\r\n]*?\r\n/Hm"; metadata:policy security-ips drop, ruleset community, service http; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000%2FPD23747/en_US/Threat_Advisory_OSX_Flashfake.pdf; classtype:trojan-activity; sid:26327; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC FBI Ransom Trojan variant outbound connection"; flow:to_server,established; content:"/nosignal.jpg?"; fast_pattern:only; http_uri; pcre:"/^\x2fnosignal\.jpg\?\d\.\d+$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26335; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - ksa.txt"; flow:to_server,established; urilen:8; content:"/ksa.txt"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26370; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - op POST"; flow:to_server,established; content:"op="; depth:3; http_client_body; content:"&nmpc="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26371; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"panel1/gate.php"; content:" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|"; fast_pattern:only; content:"+"; depth:15; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b34f23afc2f6ca093b2923f0aa12d942a5960cf48475272df5b60edf556e4299/analysis/; classtype:trojan-activity; sid:26398; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot fake PNG config file download without User-Agent"; flow:to_server,established; content:"Accept: application/xml,application/xhtml+xml,text/html|3B|q=0.9,text/plain|3B|q=0.8,image/png,*/*|3B|q=0.5|0D 0A|"; fast_pattern:only; http_header; pcre:"/\.png$/Ui"; content:!"User-Agent:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26480; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Crysis variant outbound connection"; flow:to_server,established; content:"|0D 0A|Content-Length|3A 20|88|0D 0A|"; fast_pattern:only; http_header; content:"+"; depth:1; offset:71; http_client_body; content:"+"; within:1; distance:3; http_client_body; metadata:ruleset community; classtype:trojan-activity; sid:26481; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unknown Thinner Encrypted POST botnet C&C"; flow:to_server,established; content:"/thinner/thumb?img="; fast_pattern:only; http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=95.57.120.111; classtype:trojan-activity; sid:26482; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unknown malware - Incorrect headers - Referer HTTP/1.0"; flow:to_server,established; content:"Referer: HTTP/1.0|0D 0A|"; fast_pattern:only; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26533; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - getcomando POST data"; flow:to_server,established; content:"tipo=getcomando&"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a8f162a9c7347e485db374664227884b16112e2983923d0888c8b80661f25e44/analysis/1367267173/; classtype:trojan-activity; sid:26560; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"&sk1="; fast_pattern:only; http_client_body; content:"bn1="; depth:4; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26561; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, */*|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; urilen:10; content:"sousi.extasix.com|0D 0A|"; fast_pattern:only; http_header; content:"/genst.htm"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain www.elitemarketingworld.net - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|elitemarketingworld|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26580; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain www.rsakillerforever.name - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|10|rsakillerforever|04|name|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26581; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain www.allamericanservices.name - Cosmu Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|13|allamericanservices|04|name|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=19e389aa2bce187e2fcd1aaa8b0f617cee2907b27b45dd0d5090d50d308a91bc; classtype:trojan-activity; sid:26582; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain msnsolution.nicaze.net - Genome Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|msnsolution|06|nicaze|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,camas.comodo.com/cgi-bin/submit?file=f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44; reference:url,www.virustotal.com/en/file/f48652bff483682938b8c281d32f8f3df424018270900956d30658e1dcec4b44/analysis/1367863560/; classtype:trojan-activity; sid:26583; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain theimageparlour.net - Vobfus worm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|theimageparlour|03|net|00|"; fast_pattern:only; content:"|03|ns"; content:"|0F|"; within:2; content:"theimageparlour|03|net|00|"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/cbee43ecc75d6f29061416add74a78ce5e36c67b85e186d66338399305e594d4/analysis/; classtype:trojan-activity; sid:26589; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ppcfeedadvertising.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|ppcfeedadvertising|03|com|00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; classtype:trojan-activity; sid:26612; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Medfos Trojan variant outbound connection"; flow:to_server,established; content:"/feed?req=http"; fast_pattern:only; http_uri; content:"|3B| MSIE "; http_header; content:!"|0D 0A|Accept-Language:"; http_header; content:!"|0D 0A|Referer:"; http_header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?\n/Hsmi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5bad5a2e4497f866291813aed264b5dc3c9fad4e56796306842c7b50b553ae11/analysis/; classtype:trojan-activity; sid:26613; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ppcfeedclick.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|ppcfeedclick|03|com|00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; classtype:trojan-activity; sid:26614; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain www2.x3x4.su - backdoor trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|www2|04|x3x4|02|su|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/a6cad9e09f5049f432491037946acf3376d3d957b97f49ecb22f86531fb0b7de/analysis/; classtype:trojan-activity; sid:26654; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Shiz variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/login.php"; depth:10; http_uri; content:"Referer|3A| http://www.google.com"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 2.0|3B|"; fast_pattern:only; http_header; pkt_data; content:"HTTP/1.0|0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6; reference:url,www.virustotal.com/en/file/58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6/analysis/1368563326/; classtype:trojan-activity; sid:26657; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake delivery information phishing attack"; flow:to_client,established; content:"|3B| filename="; http_header; content:"Delivery_Information_ID-"; fast_pattern:only; http_header; file_data; content:"Delivery_Information_ID-"; content:".exe"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26660; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Cbeplay Ransomware variant outbound connection - Abnormal HTTP Headers"; flow:to_server,established; content:"POST /index.php HTTP/1.1|0D 0A|Content-Type: multipart/form-data|3B| boundary="; depth:70; content:"|0D 0A|Connection: close|0D 0A|Cache-Control: no-cache|0D 0A|Content-Length: "; http_header; content:"|3B| name=|22|data|22 3B| filename=|22|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26696; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Cbeplay Ransomware variant outbound connection - POST Body"; flow:to_server,established; content:"index.php"; http_uri; content:"|3B| name=|22|data|22 3B| filename=|22|"; fast_pattern:only; http_client_body; content:"--"; depth:2; http_client_body; pcre:"/filename=\x22\d+\x22\r\n/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26697; rev:3;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain - Backdoor Rbot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|07o|05|no-ip|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/bee6e4bb1aba3934388948b48c59068fac3bf467ea9bde8d043ee6481a4d8431/analysis/1369236935/; classtype:trojan-activity; sid:26718; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan Downloader7"; flow:to_server,established; content:".lavaibrasilok.com|0D 0A 0D 0A|"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader7.25647.html; classtype:trojan-activity; sid:26723; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED MALWARE-CNC Harbinger rootkit click fraud HTTP response"; flow:to_client,established; file_data; content:"http://"; depth:7; content:"|7C|Mozilla/"; fast_pattern:only; pcre:"/\|(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\.(25[0-5]|2[0-4]\d|[01]?\d\d?)\|\d+\|/"; metadata:ruleset community; classtype:trojan-activity; sid:26752; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Potential Bancos Trojan - HTTP Header Structure Anomaly v2.0"; flow:to_server,established; urilen:<20; content:" HTTP/1."; content:"|0D 0A|Content-Type: text/html|0D 0A|Host: "; within:33; distance:1; content:"|0D 0A|Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; content:!"Referer:"; http_header; pcre:"/\.(php|html?|gif|zip|exe)/U"; classtype:trojan-activity; sid:26762; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Luder variant outbound connection"; flow:to_server,established; content:"/loader.cpl"; fast_pattern:only; http_uri; pcre:"/\/loader\.cpl$/U"; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6077fd6cbb44c78a16d66fedb10492c7776127dc76ee071b051970971212bae8/analysis/; classtype:trojan-activity; sid:26774; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Blocker variant outbound connection HTTP Header Structure"; flow:to_server,established; urilen:11; content:"GET"; http_method; content:"/index.html"; http_uri; content:".info|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; pcre:"/HTTP\/1.[01]\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.info\r\n/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26775; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Blocker variant outbound connection POST"; flow:to_server,established; content:"POST"; http_method; content:"cmd=gravar&dados="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26776; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cridex encrypted POST check-in"; flow:to_server,established; content:"/cos3q/in"; fast_pattern:only; http_uri; content:".exe"; nocase; http_client_body; pcre:"/\x5f\w{24}\.exe/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26779; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC cridex HTTP Response - default0.js"; flow:to_client,established; file_data; content:"|00|<script type=|22|text/javascript|22| src=|22|/scripts/default0.js|22|></script>|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain vseforyou.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|vseforyou|02|ru|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26781; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain commorgan.ru - Cridex Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|commorgan|02|ru|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26782; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Payment Page Request"; flow:to_server,established; urilen:23; content:"/content/img/awards.jpg"; fast_pattern:only; http_uri; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/H"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; urilen:11; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|"; fast_pattern:only; http_header; pcre:"/^\x2F\d{10}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker POST variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"op=IncluirAvisos&"; fast_pattern:only; http_client_body; content:"HostBD="; depth:7; offset:17; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26835; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker Strange Google Traffic"; flow:to_server,established; urilen:30; content:"User-Agent: Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; fast_pattern:only; http_header; content:"Host: www.google.com"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26836; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers"; flow:to_server,established; content:"POST"; http_method; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1; content:!"|0D 0A|Accept"; http_header; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:26910; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication"; flow:to_server,established; content:"POST"; http_method; content:"/info.php?act="; fast_pattern:only; http_uri; pcre:"/^\/info\.php\?act\x3d(list|online)/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound communication"; flow:to_server,established; content:"POST"; http_method; content:"<|7C|>"; fast_pattern:only; http_client_body; content:"data="; depth:5; http_client_body; content:"<|7C|>"; within:3; distance:31; http_client_body; content:"<|7C|>"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26912; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain www.silobiancer.com - Win.Trojan.Rombrast Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|silobiancer|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26913; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain goliyonzo.pw - BackDoor Comet"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|goliyonzo|02|pw|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,mwanalysis.org/?page=report&analysisid=2156196&password=gtrcgbtwhh; reference:url,www.virustotal.com/en/file/b2e7148311c223519042ba38e1ef8a48061645d5bdcadf9763386ad92fcc2654/analysis/; classtype:trojan-activity; sid:26914; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain zalil.ru - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|zalil|02|ru|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,mwanalysis.org/?page=report&analysisid=2156195&password=ykndnbluja; reference:url,www.virustotal.com/en/file/22ecaeec7bf54ac3bb8deecd092447c8d62e8e4a928dcaada0348b08db2d1f94/analysis/; classtype:trojan-activity; sid:26915; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established; urilen:255<>260; content:"= HTTP/1."; fast_pattern:only; content:".php?"; http_uri; content:!"Accept"; http_header; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/I"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26924; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi Data Theft POST Data"; flow:to_server,established; content:"POST"; http_method; content:"data.php"; http_uri; content:"|0D 0A|URL: "; fast_pattern:only; http_client_body; content:"Content-Disposition: form-data|3B| name="; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26968; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi Trojan Data Theft POST URL"; flow:to_server,established; content:"POST"; http_method; content:".php?version="; http_uri; content:"&user="; distance:0; http_uri; content:"&server="; distance:0; http_uri; content:"&name="; distance:0; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26969; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established; content:"Cookie: cache=cc2="; fast_pattern:only; content:"cache=cc2="; http_cookie; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a62e4678321f9a8057c3307/analysis/; classtype:trojan-activity; sid:26970; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain fasternation.net - Win.Trojan.Pirminay"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|fasternation|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a62e4678321f9a8057c3307/analysis/; classtype:trojan-activity; sid:26971; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan variant outbound connection"; flow:to_server,established; content:"/xgi-bin/"; depth:9; http_uri; content:".php?"; within:5; distance:1; http_uri; content:"|3B| MSIE "; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:26984; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dapato variant inbound response connection"; flow:to_client,established; content:"Content-Length: 150|0D 0A|"; fast_pattern:only; http_header; file_data; content:"|0D 0A|"; depth:2; offset:4; content:"|0D 0A|"; within:2; distance:4; content:"|0D 0A|"; within:2; distance:4; pcre:"/^([A-F0-9]{4})\r\n\1\r\n\1\r\n([A-F0-9]{26})\r\n[A-F0-9]{48}\r\n\2\r\n\2$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/111ffe389dc8fa802b8aff3b4e02a2f59d1b6492763f9dc5a20a84f4da46932a/analysis/; classtype:trojan-activity; sid:27017; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain memo-stat.com - Htbot"; flow:to_server; content:"|09|memo-stat|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27043; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user-agent string pb - Htbot"; flow:to_server,established; content:"User-Agent: pb|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27044; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Blocker Download"; flow:to_client,established; flowbits:isset,file.exe; content:"filename="; http_header; content:"security_cleaner.exe"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6d4d93f68aaf783a2526d920fa3c070d061fd56853669a72a10b2c2232008582/analysis/1372086855/; classtype:trojan-activity; sid:27045; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain scari-elegante.ro - Yakes Trojan"; flow:to_server; content:"|0E|scari-elegante|02|ro|00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c98735814834334ccc03e4da3c/analysis/; classtype:trojan-activity; sid:27146; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain myharlemshake.info - MSIL Trojan"; flow:to_server; content:"|0D|myharlemshake|04|info|00|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service dns; reference:url,mwanalysis.org/?page=report&analysisid=2178740&password=nxbjmzykzt; reference:url,www.virustotal.com/en/file/16534fea6ec534249b0a14a497f82f5c7b4b8f2b005e965c24816365ce062318/analysis/; classtype:trojan-activity; sid:27155; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain twinkcam.net - W32/Kryptik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|twinkcam|03|net|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27180; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain cinnamyn.com - W32/Kryptik"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|cinnamyn|03|com|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27181; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection GET Request"; flow:to_server,established; content:"/?"; depth:2; http_uri; content:"h=NT"; fast_pattern:only; http_uri; pcre:"/\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}/U"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27199; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection POST Request"; flow:to_server,established; content:"POST"; content:"|3B 20|MSIE 28|3B 20|"; fast_pattern:only; http_header; content:"User-Agent"; http_header; pcre:"/User\x2dAgent\x3a\x20[ -~]*?\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}\x3b[ -~]*?\r\n/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27200; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neurevt variant outbound communication"; flow:to_server,established; content:"ps0="; depth:4; http_client_body; content:"ps1="; distance:0; http_client_body; content:"cs1="; distance:0; http_client_body; content:"cs2="; distance:0; http_client_body; content:"cs3="; distance:0; http_client_body; pcre:"/ps0=[A-F0-9]*&ps1=[A-F0-9]*&cs1=[A-F0-9]*&cs2=[A-F0-9]*&cs3=[A-F0-9]*/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27201; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Harbinger Rootkit Click Fraud HTTP request"; flow:to_server,established; urilen:8; content:"/task/"; fast_pattern:only; http_uri; pcre:"/^\/task\/\d\/$/U"; content:!"Accept|3A 20|"; http_header; content:"|3B 20|MSIE|20|"; http_header; metadata:ruleset community; classtype:trojan-activity; sid:27202; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Potential Bancos Brazilian Banking Trojan Browser Proxy Autoconfig File"; flow:to_client,established; file_data; content:"return |22|DIRECT|22|"; fast_pattern:only; content:".com.br"; nocase; pcre:"/\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22/i"; metadata:impact_flag red, ruleset community, service http; classtype:trojan-activity; sid:27204; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain restless.su - Gamarue Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|restless|02|su|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27247; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue - Mozi1la User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozi1la/4.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27248; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess 111-byte URL variant outbound connection"; flow:to_server,established; urilen:111; content:"=="; depth:2; offset:103; content:" HTTP/1.0|0D 0A|Host:"; within:16; distance:10; pcre:"/^\/[a-z\d]{98}\x3d{2}[a-z\d]{10}$/Ui"; content:!"Accept:"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27252; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cridex Encrypted POST w/ URL Pattern"; flow:to_server,established; urilen:<34; content:"POST"; http_method; content:"U|3B| MSIE "; http_header; content:"|0D 0A|Connection|3A| Keep-Alive|0D 0A|Cache-Control|3A| no-cache"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; pcre:"/\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f([A-Za-z0-9\x2b\x2f\x3d]{1,10})?(\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10})?/U"; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/cd0cdc216e456b34dc2e4c6db6bacbbba20122489e6751621f921ca53cc7e421/analysis/; classtype:trojan-activity; sid:27253; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Yakes Trojan HTTP Header Structure"; flow:to_server,established; content:"POST"; http_method; content:".php HTTP/1.1|0D 0A|Cache-Control: "; fast_pattern:only; content:".php HTTP/1.1"; nocase; content:"|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|"; within:113; pcre:"/coded\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nContent\x2dLength\x3a\x20[2-9][02468]\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\r\n\r\n[a-zA-Z0-9\x2f\x2b\x3d]{20,}$/"; pcre:"/[\x2f\x2b\x3d]/P"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c98735814834334ccc03e4da3c/analysis/; classtype:trojan-activity; sid:27254; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE All Numbers .EXE file name from abnormally ordered HTTP headers - Potential Yakes Trojan Download"; flow:to_server,established; content:"GET"; http_method; content:".exe HTTP/1.1|0D 0A|Cache-Control: "; fast_pattern:only; content:".exe HTTP/1.1"; nocase; content:"|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|User-Agent: "; within:76; content:"|3A 20|"; distance:0; content:!"|3A 20|"; distance:0; pcre:"/\x2f\d+\.exe$/Ui"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c98735814834334ccc03e4da3c/analysis/; classtype:trojan-activity; sid:27255; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kryptik Drive-by Download Malware"; flow:to_server,established; content:"GET"; http_method; content:".php?id="; offset:6; fast_pattern; content:" HTTP/1."; within:11; distance:1; content:"|0D 0A|User-Agent: Mozilla/"; within:22; distance:1; pcre:"/\)\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\r\n(Cache\x2dControl|Pragma)\x3a\x20no-cache\r\n\r\n$/"; metadata:policy security-ips drop, ruleset community, service http; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27256; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kryptic 7-byte URI Invalid Firefox Headers - no Accept-Language"; flow:to_server,established; urilen:7; content:"GET"; http_method; content:"Firefox/3."; fast_pattern:only; http_header; pcre:"/^\/[A-Z]{6}$/U"; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8c1ff08a25b93da66921c75d0d21a9c08c5d3d36b95f9eaf113ecd84fa452944/analysis/1374505566/; classtype:trojan-activity; sid:27257; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Win.Trojan.Kraziomel Download - 000.jpg"; flow:to_server,established; urilen:8; content:"/000.jpg"; fast_pattern:only; http_uri; content:"HTTP/1.0|0D 0A|Host: "; content:!"|3A 20|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27533; rev:3;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain claimcrazy.us - Win.Kraziomel Trojan"; flow:to_server; content:"|0A|claimcrazy|02|us|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27534; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain mainenbha.com - Win.Kraziomel Trojan"; flow:to_server; content:"|09|mainenbha|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27535; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ohtheigh.cc - Foreign-R Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|ohtheigh|02|cc|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,secure2.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Foreign-R/detailed-analysis.aspx; reference:url,www.virustotal.com/en/file/787cf06f029d8f79ed375aef13d18301541d73a56b4415da433833b8dae27b63/analysis/1374765802/; classtype:trojan-activity; sid:27537; rev:1;) alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name"; flow:established,to_client; ssl_state:server_hello; content:"|55 04 0A|"; content:"|0E|MyCompany Ltd"; within:14; distance:1; metadata:impact_flag red, ruleset community, service ssl; reference:url,en.wikipedia.org/wiki/Self-signed_certificate; reference:url,security.ncsa.illinois.edu/research/grid-howtos/usefulopenssl.html; classtype:policy-violation; sid:27538; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".txt HTTP/1.1|0D 0A|Connection: "; fast_pattern:only; content:!"ppp"; http_uri; content:"Content-Length|3A 20 30|"; http_header; reference:url,www.virustotal.com/en/file/b5636b6846810559c37608528ce4e66aa7e1006d5fd55181d07c795476df4f5e/analysis/1375275447/; classtype:trojan-activity; sid:27566; rev:5;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Redyms variant outbound connection"; flow:to_server,established; content:"&intip="; fast_pattern:only; http_uri; content:"?id="; http_uri; content:"&port="; distance:0; http_uri; content:"&bid="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1c61afd792257cbc72dc3221deb3d0093f0fc1abf2c3f2816e041e37769137a4/analysis/1375189147/; classtype:trojan-activity; sid:27596; rev:4;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain hidatabase.cn - Worm.Silly"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|hidatabase|02|cn|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/0ddd3488b618b17437413a9d579aa111f0a2ba302262d0a9b0d2832718a93524/analysis/; classtype:trojan-activity; sid:27632; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Silly variant outbound connection"; flow:to_server,established; urilen:7; content:"/ul.htm"; fast_pattern:only; http_uri; content:"|3B| MSIE 6.0|3B 20|"; http_header; content:!"Accept-Language: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0ddd3488b618b17437413a9d579aa111f0a2ba302262d0a9b0d2832718a93524/analysis/; classtype:trojan-activity; sid:27633; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyBanker.ZSL variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"valor="; depth:6; http_client_body; content:"]branco["; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/709fa674b301e9123fc2c01e817da21cb29cdfb5a42634a793e27c9533d335b1/analysis/1375811416/; classtype:trojan-activity; sid:27648; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Brazilian Banking Trojan data theft"; flow:to_server,established; content:"POST"; http_method; content:"remetente="; depth:10; http_client_body; content:"&destinatario="; distance:0; http_client_body; content:"&assunto="; distance:0; http_client_body; content:"&mensagem="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27649; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess variant outbound connection"; flow:to_server,established; urilen:>95; content:".php HTTP/1.1|0D 0A|User-Agent: Opera/"; fast_pattern:only; pcre:"/(?=^[a-z\x2d\x5f\x2f]{95,}\.php$).*?[a-z]{2,48}\x2d[a-z]{2,48}\x2d[a-z]{2,48}\x2d[a-z]{2,48}\x2d?\.php$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27680; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker Data Exfiltration"; flow:to_server,established; content:"POST"; http_method; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only; http_client_body; content:"_.log|22 0D 0A|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27774; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:".htm"; http_uri; content:!"Accept"; http_header; content:"|0A|Content-Length: 164|0D 0A|User-Agent: "; fast_pattern:only; http_header; content:"host|3A|"; nocase; http_header; content:"|2E|"; within:5; http_header; content:"|2E|"; within:4; http_header; content:"|2E|"; within:4; http_header; content:"|6C 55 55 45|"; depth:4; offset:4; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27775; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page request"; flow:to_server,established; urilen:>32; content:".php"; fast_pattern:only; http_uri; content:"GET"; http_method; pcre:"/^\/[a-f0-9]{32}\/[a-z]{1,15}-[a-z]{1,15}\.php/U"; content:!"PacketShaper"; http_header; content:!"siteadvisor.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27865; rev:6;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.0|0D 0A|Host:"; fast_pattern:only; content:"Accept-Encoding: identity, *|3B|q=0|0D 0A|"; http_header; content:"|3B| MSIE "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8825abfca1a6d843ce5670858886cb63bb1317ddbb92f91ffd46cfdcaba9ac00/analysis/; classtype:trojan-activity; sid:27918; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration"; flow:to_server,established; content:"Accept-Encoding|3A| identity, *|3B|q=0|0D 0A|"; fast_pattern:only; http_header; content:"|3B| MSIE "; http_header; pcre:"/[^ -~\r\n]{4}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8825abfca1a6d843ce5670858886cb63bb1317ddbb92f91ffd46cfdcaba9ac00/analysis/; classtype:trojan-activity; sid:27919; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Eupuds variant connection"; flow:to_client,established; file_data; content:"insert into avs (id, pc,data,ref,country , id_user, mostrar)values("; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/09f4611c05dcff55d4471b90d41b0fd3e6d3289f71321301751008dab75ded4d/analysis/; classtype:trojan-activity; sid:27965; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Harbinger Rootkit variant outbound connection"; flow:to_server,established; urilen:7<>11; content:"/task/"; fast_pattern:only; http_uri; pcre:"/^\/task\/\d{1,3}\/$/U"; content:!"Accept|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:ruleset community; classtype:trojan-activity; sid:28004; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"from=%20Nome..:"; depth:15; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:28012; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoLocker variant connection"; flow:to_server,established; content:"/crypt_1_sell"; fast_pattern:only; http_uri; pcre:"/\/crypt_1_sell\d\d-\d\d.exe$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis; classtype:trojan-activity; sid:28044; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Napolar data theft"; flow:to_server,established; content:".exe&h="; fast_pattern:only; http_client_body; content:"p="; depth:2; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/12781be5908ecc3dbf4a459e4cbc7bedb654b50236f7a961e85f3af5e2275ddf/analysis/; classtype:trojan-activity; sid:28080; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /default.htm GET Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/default.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28114; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /file.htm GET Encrypted Payload"; flow:to_server,established; urilen:9; content:"GET"; http_method; content:"/file.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28115; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /home.htm GET Encrypted Payload"; flow:to_server,established; urilen:9; content:"GET"; http_method; content:"/home.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28116; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /install.htm GET Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/install.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28117; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /login.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/login.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28118; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /search.htm GET Encrypted Payload"; flow:to_server,established; urilen:11; content:"GET"; http_method; content:"/search.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28119; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /start.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/start.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28120; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /welcome.htm GET Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/welcome.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28121; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /index.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/index.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28122; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /setup.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/setup.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28123; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Conficker variant connection"; flow:to_server,established; urilen:11; content:"/search?q="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET CLR 1.1.4322)"; http_header; content:"|0D 0A|Pragma: no-cache|0D 0A|"; http_header; content:!"Accept"; http_header; pcre:"/^\/search\?q=[0-9]$/Umi"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/57212e057db0d45d94d08cd47dec85f0d85a20a7f4d3824559c81a50999cc2a5/analysis/; classtype:trojan-activity; sid:28147; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mevade variant outbound connection"; flow:to_server,established; content:"|0D 0A|uuid: "; fast_pattern:only; http_header; content:!"User-Agent:"; http_header; pcre:"/[^\n -~\r]{4}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/526fe8eee74dc51a23e458115179dcda4027277b696b6a06889ed52751b39f54/analysis/; classtype:trojan-activity; sid:28148; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain kievandmoskaustt.in"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|kievandmoskaustt|02|in|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28152; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - /html2/"; flow:to_server,established; urilen:7; content:"POST"; http_method; content:"/html2/"; fast_pattern:only; http_uri; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28153; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - MSIE 7.1"; flow:to_server,established; content:"POST"; http_method; content:"|3B| MSIE 7.1|3B 20|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28154; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - MSIE 7.2"; flow:to_server,established; content:"POST"; http_method; content:"|3B| MSIE 7.2|3B 20|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28155; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Linkury outbound time check"; flow:to_server,established; dsize:72; urilen:8; content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/; classtype:trojan-activity; sid:28156; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz Potential Phishing URL"; flow:to_server,established; content:"/info.php?message="; fast_pattern:only; http_uri; content:!"Referer:"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/report.php?id=5117077; reference:url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-web-servers/; classtype:trojan-activity; sid:28192; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain- Win.Vobfus worm variant"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|ns1|0A|boxonline"; fast_pattern:only; pcre:"/\x03ns1\x0aboxonline[\x31-\x33]\x03(com|net|org)\x00/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/451318847bae50e855299a1878d9cbd74e7467bfff8df396e886732254fc3ade/analysis/1380827494/; classtype:trojan-activity; sid:28193; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL"; flow:to_server,established; content:"/get.php?invite="; fast_pattern:only; http_uri; content:"Accept-Encoding: gzip"; http_header; pcre:"/^/get.php\?invite=.*?=$/mU"; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=get.php%3Finvite%3D&type=string&start=2013-10-01&end=2013-10-16&max=50; reference:url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9d92cb3ea3174ea9d4398ad2048205c42/analysis/; classtype:trojan-activity; sid:28255; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.hdog connectivity check-in version 2"; flow:to_server,established; content:"/?gws_rd=cr"; fast_pattern:only; http_uri; content:"|0D 0A|Connection: Close|0D 0A 0D 0A|"; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Encoding: "; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ca1bc54e33064eb08163a17a56dcb1d0d811fc694c05af1d9ea768ef992cb489/analysis/1381870348/; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis/; classtype:trojan-activity; sid:28285; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request www.xiaopijia.com - Backdoor.Yaddos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|09|xiaopijia|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916683db4a8fa0e9c6ee512d7/analysis/; classtype:trojan-activity; sid:28293; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request www.akwm139.com - Backdoor.Yaddos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|akwm139|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916683db4a8fa0e9c6ee512d7/analysis/; classtype:trojan-activity; sid:28294; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request www.1860tour.com - Backdoor.Yaddos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|08|1860tour|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916683db4a8fa0e9c6ee512d7/analysis/; classtype:trojan-activity; sid:28295; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request ghjgf.info - Backdoor.Yaddos"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|05|ghjgf|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/08e49d4b699ac39193ae6bb952d8ef8a79e9958916683db4a8fa0e9c6ee512d7/analysis/; classtype:trojan-activity; sid:28296; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain handjobheats.com - Win.Trojan.Injector"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0C|handjobheats|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:28297; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Harbinger Rootkit variant - click fraud task request"; flow:to_server,established; urilen:9; content:"/task/"; fast_pattern:only; http_uri; pcre:"/^\/task\/\d\d\/$/U"; content:!"Accept|3A 20|"; http_header; content:!"Referer:"; http_header; content:!"Accept-Encoding:"; http_header; metadata:ruleset community; reference:url,virustotal.com/en/file/35bad2a35eac89fa7601cfe7a872d3450bf436b7a3d9100ce66ce2f91376c2ff/analysis/1373030276/; classtype:trojan-activity; sid:28302; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain goobzo.com - Kazy Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|goobzo|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28404; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; urilen:>90; content:"/p.ashx?prd="; fast_pattern; http_uri; content:"&pixGuid="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:"&rnd="; distance:0; http_uri; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28405; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; http_header; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28406; rev:1;) alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request for known malware domain mssql.maurosouza9899.kinghost.net - Win.Symmi Trojan"; flow:to_server; content:"|05|mssql|0E|maurosouza9899|08|kinghost|03|net"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity; sid:28445; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 1039 (msg:"MALWARE-CNC Win.Trojan.Symmi variant SQL check-in"; flow:to_server,established; content:"s|00|e|00|l|00|e|00|c|00|t|00| |00|v|00|e|00|r|00|i|00|f|00|i|00|c|00|a|00|n|00|d|00|o|00| |00|f|00|r|00|o|00|m|00| |00|v|00|e|00|r|00|i|00|f|00|i|00|c|00|a|00|n|00|d|00|o|00| |00|w|00|h|00|e|00|r|00|e|00| |00|i|00|d|00|_|00|p|00|c|00|=|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity; sid:28446; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain lovesyr.sytes.net - Win.Worm Dunhihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|lovesyr|05|sytes|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/c3c4abd4ccf24da96abc0b4045219a89c86662bad9201913c5317f6e3e7841d9/analysis/; classtype:trojan-activity; sid:28539; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain dkxszh.org"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|dkxszh|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/0b216c2a7e2ac3284fac877054b135947823c91a712bb1c3e289168c973a6ce0/analysis/; classtype:trojan-activity; sid:28540; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess Download Headers"; flow:to_server,established; urilen:5<>14; content:"|0D 0A|Accept: */*|0D 0A|Accept-Encoding: identity, *|3B|q=0|0D 0A|Connection: close|0D 0A|User-Agent: "; fast_pattern:only; http_header; content:".exe HTTP/1.0|0D 0A|Host: "; pcre:"/^\x2f[a-z\d]{1,8}\.exe$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/analisis//file/eeaeb1506d805271b5147ce911df9c264d63e4d229de4464ef879a83fb225a40/analysis/; classtype:trojan-activity; sid:28541; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; dsize:139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:to_server,established; urilen:1; content:"GET / HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Language:"; depth:45; content:"|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern; content:"google.com|0D 0A|"; http_header; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Encoding: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis/; classtype:trojan-activity; sid:28800; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Bancos outbound connection attempt"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip, deflate|0D 0A|User-Agent: "; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept-Language:"; http_header; reference:url,www.virustotal.com/en/file/26c60976776d212aefc9863efde914059dd2847291084c158ce51655fc1e48d0/analysis/1382620137/; classtype:trojan-activity; sid:28801; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos outbound connection"; flow:to_server,established; urilen:17<>27; content:"ip-who-is.com|0D 0A|"; fast_pattern:only; http_header; content:"/locate-ip/"; depth:11; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/26c60976776d212aefc9863efde914059dd2847291084c158ce51655fc1e48d0/analysis/1382620137/; classtype:trojan-activity; sid:28802; rev:3;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Injector inbound connection"; flow:to_client,established; file_data; content:"UPDATE|7C|"; depth:7; pcre:"/^UPDATE\|[0-9]\.[0-9]\.[0-9]\|[A-F0-9]{48}\|{3}$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/253b2cb7f6eacaaaca5053f73445defce5df2cd4a5564ebc0721e0323a6c3557/analysis/1383139183/; classtype:trojan-activity; sid:28803; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector outbound connection"; flow:to_server,established; content:"|0D 0A 0D 0A|&nome="; fast_pattern:only; http_client_body; content:"conteudo="; depth:9; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/253b2cb7f6eacaaaca5053f73445defce5df2cd4a5564ebc0721e0323a6c3557/analysis/1383139183/; classtype:trojan-activity; sid:28804; rev:3;) alert udp $HOME_NET any -> $EXTERNAL_NET 2090 (msg:"MALWARE-CNC Win.Trojan.Palevo outbound connection"; flow:to_server; dsize:21; content:"|00 00|"; depth:2; offset:19; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,palevotracker.abuse.ch/?ipaddress=209.222.14.3; reference:url,palevotracker.abuse.ch/?ipaddress=31.170.179.179; classtype:trojan-activity; sid:28805; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware download - single digit .exe file download"; flow:to_server,established; urilen:6; content:".exe"; fast_pattern:only; pcre:"/\/[a-z0-9]\.exe$/Ui"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2F%5Ba-zA-Z%5D%5C.%5BEe%5D%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-09-07&end=2013-12-06&max=400; classtype:trojan-activity; sid:28806; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound communication"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dofoil inbound connection attempt"; flow:to_client,established; content:"|3B 20|filename=exe.exe|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2325492f457a8b7d3df48a570210f65f3a094fe8925278451713768d938bec86/analysis/; classtype:trojan-activity; sid:28809; rev:4;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection - MSIE7 No Referer No Cookie"; flow:to_server,established; urilen:1; content:"|2F|"; http_uri; pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Ebiz\r\n/Hi"; content:!"|0A|Referer|3A|"; http_header; content:!"|0A|Cookie|3A|"; http_header; content:"|3B 20|MSIE|20|7.0|3B 20|"; http_header; content:"|2E|biz|0D 0A|"; fast_pattern; nocase; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse); classtype:trojan-activity; sid:28810; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound connection"; flow:to_server,established; content:"/post.aspx?forumID="; fast_pattern:only; http_uri; content:"|0D 0A|URL: http"; depth:11; offset:17; http_client_body; content:!"Accept"; http_header; pcre:"/^(?!\d{17}|[A-F]{17})[A-F0-9]{17}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:28814; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound connection"; flow:to_server,established; content:"forumdisplay.php?fid="; fast_pattern:only; http_uri; content:"id="; depth:3; http_client_body; content:!"Accept"; http_header; pcre:"/^id\x3d[A-F\d]{32}(\x26info\x3d[A-F\d]{24})?$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:28815; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Symmi variant network connectivity check"; flow:to_server,established; content:"Host: bit.ly|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity; sid:28918; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Symmi variant network connectivity check"; flow:to_server,established; content:"Host: bitly.com|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/084455c1de5d9440eb95edd2e6868aab1ce3dd674c2e3ba481254edc65b30b89/analysis/; classtype:trojan-activity; sid:28919; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE exe.exe download"; flow:to_server,established; urilen:>7; content:"/exe.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2F%5BEe%5D%5BXx%5D%5BEe%5D%5C.%5BEe%5D%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-11-21&end=2013-12-06&max=400; classtype:trojan-activity; sid:28945; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain fenhelua.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|fenhelua|03|com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.sophos.com/ja-jp/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AFDE/detailed-analysis.aspx; classtype:trojan-activity; sid:28959; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Alurewo outbound connection"; flow:to_server,established; content:"/cmd?version="; fast_pattern:only; http_uri; content:"&aid="; http_uri; content:"&id="; distance:0; http_uri; content:"&os="; within:4; distance:36; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sophos.com/ja-jp/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AFDE/detailed-analysis.aspx; reference:url,www.virustotal.com/en/file/9171bd76d3fa26a78225cb7c9d5112635fa84e8bdf3388577f22da9178871161/analysis/; classtype:trojan-activity; sid:28960; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.DF - Data Exfiltration"; flow:to_server,established; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only; http_client_body; content:"|0D 0A|TP="; http_client_body; content:"|0D 0A|LGSN="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b9587fc86f1459ccf7b096b6bf68b4fcc165946a86f3ed9ce84c61907aa99dae/analysis/1386599712/; classtype:trojan-activity; sid:28976; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.DF - User-Agent Missing Bracket"; flow:to_server,established; content:"|3B 20|Windows NT 5.0|0D 0A|Host:"; fast_pattern:only; http_header; content:" HTTP/1.1|0D 0A|Connection: Keep-Alive|0D 0A|Accept: */*|0D 0A|User-Agent: Mozilla/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b9587fc86f1459ccf7b096b6bf68b4fcc165946a86f3ed9ce84c61907aa99dae/analysis/1386599712/; classtype:trojan-activity; sid:28977; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain lucas.digitaldesk.biz - Win.Banload"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|lucas|0B|digitaldesk|03|biz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/30032d2b7fd928392837eeb814cf1e2add0d80b0e17b8dbfec2e2c3be9164cf6/analysis/; classtype:trojan-activity; sid:29030; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banload variant inbound communication attempt"; flow:to_client,established; content:"/avcheck.exe|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A|Location: https://dl.dropboxusercontent.com/"; http_header; pcre:"/\r\nLocation\x3a\x20https\x3a\x2f{2}dl\.dropboxusercontent\.com\/[a-zA-Z\d\x2f]{5,32}\/avcheck\.exe\r\n\r\n$/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/30032d2b7fd928392837eeb814cf1e2add0d80b0e17b8dbfec2e2c3be9164cf6/analysis/; classtype:trojan-activity; sid:29031; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain jiang-zem.in - Win.Trojan.Zeus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|jiang-zem|02|in|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; classtype:trojan-activity; sid:29126; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:13,norm; content:"/webstat/?i="; depth:12; fast_pattern; http_uri; content:"User-Agent: Mozilla/7"; http_header; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:!"Accept-Encoding:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29127; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_client,established; content:".exe|0D 0A|"; fast_pattern:only; http_header; content:"filename="; http_header; content:".exe|0D 0A|"; within:6; distance:24; http_header; pcre:"/filename=(?![a-f]{24}|\d{24})[a-f\d]{24}\.exe\r\n/H"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29167; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; content:"/se/gate.php"; http_uri; content:"HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Content-Length: "; fast_pattern:only; pcre:"/\x3d\x0a$/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis/; classtype:trojan-activity; sid:29216; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain 722forbidden1.sytes.net - Win.Trojan.MSIL variant outbound connection "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|722forbidden1|05|sytes|03|net"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,file-analyzer.net/analysis/1076/5370/0/html; reference:url,www.virustotal.com/en/file/e2aa97c947cdf38e76749e863f73e31c94da76d84ba8b3a8a4342c253b2b934b/analysis/; classtype:trojan-activity; sid:29217; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Strictor variant outbound connection"; flow:to_server,established; urilen:19,norm; content:"/mod/lookfashon.jpg"; fast_pattern:only; http_uri; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0fe413704c85751b060546ebfd428d57726d8fd002ca95ec8deb76f5f37ed9c4/analysis/1389125202/; classtype:trojan-activity; sid:29220; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"/chamjavanv.inf?aapf/login.jsp?="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea62ee66d354d4b826b4c3e5aa9310b3ba/analysis/; classtype:trojan-activity; sid:29259; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"/novredir_inf.php?apt/login.jsp?="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea62ee66d354d4b826b4c3e5aa9310b3ba/analysis/; classtype:trojan-activity; sid:29260; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper variant outbound connection"; flow:to_server,established; urilen:19,norm; content:"/FileToDownload.exe"; fast_pattern:only; http_uri; content:"Host: dl.dropbox.com|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,file-analyzer.net/analysis/1087/5386/0/html; reference:url,www.virustotal.com/en/file/913cc54750e8bb6b88d5ccbfc988e0107f80ad14ba4d052a3f3db11ccfd8ce4a/analysis/; classtype:trojan-activity; sid:29261; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain bog5151.zapto.org - Win.Trojan.Dunihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|bog5151|05|zapto|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/fc274838271cc9e28d8c3c9c925f38c07da14c13f3df56f41450f514904ae876/analysis/; classtype:trojan-activity; sid:29262; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain kara.no-ip.info - Win.Trojan.Dunihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|kara|05|no-ip|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/e3cbce74e7fa73b931283b0187f237d0acb4ea3e1f5ce2be4af83493a6bef460/analysis/; classtype:trojan-activity; sid:29263; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Graftor variant inbound connection"; flow:to_client,established; content:"|3B 20|filename=CostcoForm.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"CostcoForm.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b20fcfe7d851dfe1f835e60072e53b0a3c54e14d0fc94814ce841be4740f295c/analysis; classtype:trojan-activity; sid:29300; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; content:"rotina=UPDATE&tip=stat&nome="; depth:28; fast_pattern; http_client_body; content:"&tmp="; distance:0; http_client_body; content:"&stat="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6fdd7c0630ea89a58cdc1f3fb74bf5a99732bd5649a39411868bf71e90cfdc84/analysis/1389362066/; classtype:trojan-activity; sid:29349; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:6; content:"/webhp HTTP/1.1|0D 0A|Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/4.0 ("; fast_pattern:only; content:"|3B| MSIE "; http_header; content:"google."; http_header; content:!"Accept-"; http_header; content:"NID="; depth:4; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374c3b97497105d7c20e7284f65055d2ccb/analysis/; classtype:trojan-activity; sid:29395; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DomaIQ variant outbound connection"; flow:to_server,established; content:"/trace/Start HTTP/1.1|0D 0A|Host: "; fast_pattern:only; content:"/debug/Version/"; depth:15; http_uri; content:!"Accept"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,file-analyzer.net/analysis/1546/6325/0/html#network; reference:url,www.virustotal.com/en/file/59795540fc058979c6be02351507330fce8a8d3c6f10cbcd4ee21ab0144b9a7f/analysis/1390421409/; classtype:trojan-activity; sid:29664; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"&bolausado"; fast_pattern:only; http_client_body; content:"rotina="; depth:7; http_client_body; content:"&casa="; distance:0; http_client_body; content:"&idcliente"; distance:0; http_client_body; content:"&outro="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9ce3d15cbb5bc8cd42570f44ab4eb8f6332c5d0f28291d295883bf2923c01d4b/analysis/; classtype:trojan-activity; sid:29665; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - TixDll - Win.Trojan.Adload.dyhq"; flow:to_server,established; content:"User-Agent: TixDll|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29824; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain commandcenteral.info - Win.Trojan.Adload.dyhq"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0F|commandcenteral|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29825; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain givemefilesnow.info - Win.Trojan.Adload.dyhq"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|givemefilesnow|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29826; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain stylefun.info - Win.Trojan.Adload.dyhq"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|stylefun|04|info|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29827; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Adload.dyhq variant outbound connection"; flow:to_server,established; content:"/get/?ver="; depth:10; http_uri; content:"&aid="; distance:0; http_uri; content:"&hid="; distance:0; http_uri; content:"&rid="; distance:0; http_uri; content:"&data="; distance:0; http_uri; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29828; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain hattouma12.no-ip.biz - Win.Trojan.Dunihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|hattouma12|05|no-ip|03|biz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/960aee6e11a44bf18a5f224019bd40e35112a2f312c220c9aaf0b30c9a5ba084/analysis/; classtype:trojan-activity; sid:29832; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain sidisalim.myvnc.com - Win.Trojan.Dunihi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|sidisalim|05|myvnc|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/b560a6719a23095cbaeabcff55e8a9dd8fde1fdf4c428b6261731072eb5256d2/analysis/; classtype:trojan-activity; sid:29833; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbout connection"; flow:to_client,established; content:"filename=|22|full__setup.zip|22 0D 0A|"; fast_pattern:only; http_header; file_data; content:"full__setup.exe"; depth:200; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a28932761fc1c843e01cd68253e873270bef69d/analysis/1392222514/; classtype:trojan-activity; sid:29862; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established; urilen:33; content:"/read/swf/searchProductResult.jsp"; fast_pattern:only; http_uri; content:"cache=cc2="; depth:10; http_cookie; content:"|3B| core="; distance:0; http_cookie; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a28932761fc1c843e01cd68253e873270bef69d/analysis/1392222514/; classtype:trojan-activity; sid:29863; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound connection"; flow:to_server,established; content:" HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:25.0) Gecko/20100101 Firefox/25.0|0D 0A|Host: "; fast_pattern:only; content:"POST /"; depth:6; content:" HTTP/1.1"; within:9; distance:42; pcre:"/^POST\x20\x2f[A-F\d]{42}\x20HTTP/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8b53c46a7dfbe738c558e653f33fccf2004fc294848eee20903daa556bb3af09/analysis/; classtype:trojan-activity; sid:29865; rev:5;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain jwqakoy3wdktb0.com - Win.Trojan.CryptoLocker"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0E|jwqakoy3wdktb0|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; classtype:trojan-activity; sid:29875; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; dsize:69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; fast_pattern:only; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; content:!"Accept-Encoding:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29884; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pushdo variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3A 20|"; http_header; content:"Accept|3A| */*|0D 0A|Accept-Language|3A| en-us|0D 0A|Content-Type|3A| application/octet-stream|0D 0A|Content-Length|3A| "; depth:93; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1)|0D 0A|Host|3A|"; distance:0; fast_pattern:34,20; http_header; content:"Connection|3A| Keep-Alive|0D 0A|Cache-Control|3A| no-cache|0D 0A|"; distance:0; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29891; rev:7;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain pibadfixwug.kz - Win.Trojan.Pushdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pibadfixwug|02|kz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/9f3064634a48216f69d23c0887a71e879115a8388617d016239cf825e84e798b/analysis; classtype:trojan-activity; sid:29894; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection "; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExplorerHijack variant outbound connection"; flow:to_server,established; urilen:12; content:"/prl/el.html"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b6f44c7466338ea14d1e711491b1d8174ee71e00541759eb18a31f959da521a9/analysis/; reference:url,www.virustotal.com/en/file/de67654959d29ffc5b9ec854d1e9e240ec96090ce8b3f9c3c9b337b7f2a54f8a/analysis/; classtype:trojan-activity; sid:29897; rev:3;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain drags.su - Win.Trojan.Androm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|drags|02|su|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis; classtype:trojan-activity; sid:30067; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:14; content:"POST"; http_method; content:"/and/image.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; pcre:"/^[a-z\d\x2f\+\x3d]{10,98}$/Pi"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis; classtype:trojan-activity; sid:30068; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Necurs variant outbound connection"; flow:to_server,established; urilen:13; content:"/forum/db.php HTTP/1.1|0D 0A|Content-Type: application/octet-stream|0D 0A|Host: "; fast_pattern:only; content:!"User-Agent:"; http_header; content:!"Referer:"; http_header; content:!"Accept"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,file-analyzer.net/analysis/2306/8066/0/html#network; reference:url,www.virustotal.com/en/file/009f75196d1df18713d2572e3a797fb6a784a5c6c7dd7d253ba408ed7164c313/analysis/1393271978/; classtype:trojan-activity; sid:30091; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"|0D 0A|User-Agent: Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.1|3B| pt-BR|3B| rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5|0D 0A 0D 0A|"; fast_pattern:only; content:"|0D 0A|Accept-Encoding: gzip,deflate, identity|0D 0A|"; http_header; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9ce3d15cbb5bc8cd42570f44ab4eb8f6332c5d0f28291d295883bf2923c01d4b/analysis/; classtype:trojan-activity; sid:30234; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Strictor HTTP Response - Brazil Geolocated Infected User"; flow:to_client,established; content:"Content-Length: 6|0D 0A|"; http_header; file_data; content:"BRASIL"; depth:6; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4b6a4211191c8115a3bce64897159127dabcef0fbf6268007cb223dfa0870b60/analysis/; classtype:trojan-activity; sid:30255; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Strictor HTTP Response - Non-Brazil Geolocated Infected User"; flow:to_client,established; content:"Content-Length: 13|0D 0A|"; http_header; file_data; content:"INTERNACIONAL"; depth:13; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4b6a4211191c8115a3bce64897159127dabcef0fbf6268007cb223dfa0870b60/analysis/; classtype:trojan-activity; sid:30256; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExplorerHijack variant outbound connection"; flow:to_server,established; urilen:12; content:"/eh.html HTTP/1.1|0D 0A|Content-Type: text/html|0D 0A|Host: "; fast_pattern:only; content:"|0D 0A|Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/29c3af334ce712ff66985f3584ad0af53ab16c2968ca41f06b900d703a27064e/analysis/1393266939/; reference:url,www.virustotal.com/en/file/5c2689920192836b3788a15f856ba311b54976a0a75016cbf0ae9a85d5a21d76/analysis/; classtype:trojan-activity; sid:30257; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/forumdisplay.php?fid="; fast_pattern:only; http_uri; content:"id="; depth:3; http_client_body; content:"&iv="; within:4; distance:36; http_client_body; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/52906104fa7cf93bbaba9ac9c6c5ffb8c72799e14248045e467c6568926cb494/analysis/1386078525/; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:30258; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Strictor variant outbound connection"; flow:to_server,established; content:"/20"; depth:3; http_uri; content:"|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; content:".inf"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/143756537dfb4964c04d874fd16366ef384bdb4f64a739db019fa9b947b821a1/analysis/1395684118/; classtype:trojan-activity; sid:30259; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Lucky Leap Adware outbound connection"; flow:to_server,established; content:"/gcs?alpha="; fast_pattern:only; http_uri; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma: no-cache|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"Accept"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30260; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Lucky Leap Adware outbound connection"; flow:to_server,established; content:"/gdi?alpha="; fast_pattern:only; http_uri; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma: no-cache|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"Accept"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30261; rev:7;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"lista"; http_uri; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only; http_client_body; content:".log|22 0D 0A|"; nocase; http_client_body; content:!"Accept-"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c70ca3914e44cf574f50019892916ed910d7454cdb64b4eab403961c953fe44e/analysis/1395407305/; classtype:trojan-activity; sid:30262; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain aaukqiooaseseuke.org - Win.Trojan.Ramdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|aaukqiooaseseuke|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ramdo-K/detailed-analysis.aspx; classtype:trojan-activity; sid:30543; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain eimqqakugeccgwak.org - Win.Trojan.Ramdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|eimqqakugeccgwak|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ramdo-K/detailed-analysis.aspx; classtype:trojan-activity; sid:30544; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain kucmcamaqsgmaiye.org - Win.Trojan.Ramdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|kucmcamaqsgmaiye|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ramdo-K/detailed-analysis.aspx; classtype:trojan-activity; sid:30545; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain uogwoigiuweyccsw.org - Win.Trojan.Ramdo"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|10|uogwoigiuweyccsw|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Ramdo-K/detailed-analysis.aspx; classtype:trojan-activity; sid:30546; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ramdo variant outbound connection"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:".org|0D 0A|Content-Length|3A| 128|0D 0A|Cache-Control|3A| no-cache|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:!"User-Agent|3A|"; http_header; content:!"Accept|3A|"; http_header; pcre:"/^Host\x3a\s[a-z]{16}\.org\x0d/Hm"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,blogs.technet.com/b/mmpc/archive/2014/04/08/msrt-april-2014-ramdo.aspx; classtype:trojan-activity; sid:30547; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:6; content:"POST"; http_method; content:"/write"; http_uri; content:"Host: default|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.malwaremustdie.org/2014/03/a-post-to-sting-zeus-p2pgameover-crooks.html; reference:url,www.virustotal.com/en/file/7647eec6ae87c203085fe433f25c78f415baf31d01ee8aa31241241712b46a0d/analysis/; classtype:trojan-activity; sid:30548; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain darxk.com - Win.Trojan.Minerd"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|darxk|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/; classtype:trojan-activity; sid:30550; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Malicious BitCoiner Miner download attempt - Win.Trojan.Minerd"; flow:to_server,established; urilen:>10; content:"/minerd.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/; classtype:trojan-activity; sid:30551; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Malicious BitCoiner Miner download attempt - Win.Trojan.Systema"; flow:to_server,established; urilen:20; content:"/aviatic/systema.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/; reference:url,www.virustotal.com/en/file/e8bd297b1f59b7ea11db7d90e81002469a8f054f79638a57332ac448d819fb5d/analysis/; classtype:trojan-activity; sid:30552; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"pdf_efax_"; fast_pattern:only; content:"PK"; depth:2; content:".pif"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694a9292c2c8a9749e5648ed4/analysis/; classtype:trojan-activity; sid:30567; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt"; flow:to_server,established; content:"/cache/pdf_efax_"; fast_pattern:only; http_uri; pcre:"/\/cache\/pdf\x5Fefax\x5F\d{8,15}\.zip$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694a9292c2c8a9749e5648ed4/analysis/; classtype:trojan-activity; sid:30568; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Agent Funeral ceremony phishing attempt"; flow:to_client,established; content:"filename=FuneralCeremony_"; fast_pattern:only; http_header; content:".zip"; nocase; http_header; file_data; content:"FuneralCeremony_"; content:".exe"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/285ec7e2f8cbaed5d8cebde56bb6d44a921eb4e8384981832822329d8ccfb125/analysis/1395241815/; classtype:trojan-activity; sid:30569; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:6; content:"/webhp HTTP/1.1|0D 0A|Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/4.0 ("; fast_pattern:only; content:"|3B| MSIE "; http_header; content:"google."; http_header; content:!"Accept-"; http_header; content:"PREF="; depth:5; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/2f2e20d92f7551fccae73bba64d25dd1f18a4018fffd30bdb1f9fb6280182bd0/analysis/1396537812/; reference:url,www.virustotal.com/en/file/b268cba8515040055d866fb9e29d7fe2bc087f205711cdbad3e4b1bde7be2d75/analysis/ reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374c3b97497105d7c20e7284f65055d2ccb/analysis/; classtype:trojan-activity; sid:30570; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpySmall variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.2|3B| Trident/4.0|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/df51eccf430ac391d09817d003977b4ea6af36117ce3aaee2fa0ebf04505c0d2/analysis/; classtype:trojan-activity; sid:30914; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpySmall variant outbound connection"; flow:to_server,established; content:"|3E 00|e|00|c|00|h|00|o|00 20 00|c|00|m|00|d|00 5F 00|b|00|e|00|g|00|i|00|n|00|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/df51eccf430ac391d09817d003977b4ea6af36117ce3aaee2fa0ebf04505c0d2/analysis/; classtype:trojan-activity; sid:30915; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain github.ignorelist.com - Win.Trojan.Barys"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|github|0A|ignorelist|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/9d2b34289df06f44dc02fc0689b28ea4f9c11f7496a0e4c20f9d04152295d832/analysis/; classtype:trojan-activity; sid:30949; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain www.casting.diamondhostess.hu- Win.Trojan.SpyBanker"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|07|casting|0E|diamondhostess|02|hu|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3b3be296427b0e5d0560fd174e9f59e78/analysis/; classtype:trojan-activity; sid:31034; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain www.uslugi-ryazan.ru - Win.Trojan.SpyBanker"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0D|uslugi-ryazan|02|ru|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3b3be296427b0e5d0560fd174e9f59e78/analysis/; classtype:trojan-activity; sid:31035; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php HTTP/1.0|0D 0A|Connection: keep-alive|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 0|0D 0A|Host: "; content:"|0D 0A|Accept: text/html,application/xhtml+xml,application/xml|3B|q=0.9,*/*|3B|q=0.8|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; distance:0; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/726644e5f666b133159e6c2591cdd3bc628bcd335b381b74fcfd2e4db73689af/analysis/; reference:url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3b3be296427b0e5d0560fd174e9f59e78/analysis/; classtype:trojan-activity; sid:31036; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos password stealing attempt"; flow:to_server,established; content:"rotina=plogin&login="; fast_pattern:only; http_client_body; content:"&senha="; http_client_body; content:"&casa="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658; classtype:trojan-activity; sid:31112; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:")&dt="; fast_pattern:only; http_client_body; content:"pc="; depth:3; http_client_body; content:"&av="; distance:0; http_client_body; content:"&wd="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658; classtype:trojan-activity; sid:31113; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/notify.php HTTP/1.0|0D 0A|"; fast_pattern:only; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; content:"Content-Length: 0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31221; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; urilen:17; content:"/second/game1.inf"; fast_pattern:only; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31222; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Necurs variant outbound connection"; flow:to_server,established; urilen:15; content:"/news/index.php HTTP/1.1|0D 0A|Content-Type: application/octet-stream|0D 0A|Host: "; fast_pattern:only; content:!"User-Agent:"; http_header; content:!"Referer:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/565496cb40fc868d233dabfb1e178e8b9042d964cb1e4f5f3386a6db4f1cf30e/analysis/1400509611/; classtype:trojan-activity; sid:31243; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound connection"; flow:to_server,established; urilen:43; content:"POST /"; depth:6; content:" HTTP/1.1"; within:9; distance:42; content:"Firefox/"; distance:0; content:!"|0D 0A|Accept-"; pcre:"/^POST\x20\x2f[A-F\d]{42}\x20HTTP/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9d92cb3ea3174ea9d4398ad2048205c42/analysis/; classtype:trojan-activity; sid:31244; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Andromeda HTTP proxy response attempt"; flow:to_client,established; file_data; content:"function FindProxyForURL(url, host)"; depth:35; content:"yx0=0|3B|yx1=1|3B|yx2=2|3B|yx3=3|3B|yx4=4|3B|yx5=5|3B|yx6=6|3B|yx7=7|3B|yx8=8|3B|yx9=9|3B|lit=|22 22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.exposedbotnets.com/2013/06/localmworg-andromeda-http-botnet-hosted.html; classtype:trojan-activity; sid:31260; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi outbound connection"; flow:to_server,established; content:".inf HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip, deflate|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; pcre:"/\)\r\nHost\x3a\x20[\d\x2e]{7,15}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/c77a679df3b74c622e39ab163fc876cc9d7719f2c2e8cf80beb36c813827d0c7/analysis/; classtype:trojan-activity; sid:31261; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.VBNA variant check-in attempt"; flow:to_server,established; content:"/0.gif?"; depth:7; http_uri; content:" HTTP/1.1|0D 0A|Host: sstatic1.histats.com|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/NWI5M2QwY2QxZWIwNDU4NDliYjU5NWJmMzc0MzQ2MDE/; reference:url,www.virustotal.com/en/file/0a777870b65d3dc80b56baf77f6d9e342d25a1c7d670077eca14a0f4309f9e26/analysis/; reference:url,www.virustotal.com/en/file/b5a01ce5e2b074f40d86ecca802658a5c998b5bf452f164b1a76f8fa27f53b15/analysis/; classtype:trojan-activity; sid:31262; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain www.give-us-btc.biz - Win.Trojan.Zusy"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|www|0B|give-us-btc|03|biz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/0f3243a4645ab4acb88e1e0ee4fa0cb254a88709ce00a193ad6e20faec3243dc/analysis/; classtype:trojan-activity; sid:31294; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; content:"/workers.php?mac="; fast_pattern:only; http_uri; content:"&gpu="; http_uri; content:!"|0D 0A|User-Agent:"; http_header; content:!"|0D 0A|Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0f3243a4645ab4acb88e1e0ee4fa0cb254a88709ce00a193ad6e20faec3243dc/analysis/; classtype:trojan-activity; sid:31295; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL variant outbound connection"; flow:to_server,established; content:"/srv2.php?param=1 HTTP/1.1|0D 0A|Host: "; fast_pattern:only; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZDI5NTViMGI2MzZiNDU0MTlhMzNlZDhiZGUwNjFmOGY/; classtype:trojan-activity; sid:31315; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:4; content:"/re/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; content:"|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/56939273f68158dacc58d4e8d5bb5b0c4c04be89e279651c8f19fa6392f3d837/analysis/; reference:url,www.virustotal.com/en/file/ad40cabf66001087c2e9f548811b17341f63f19f528a3c04a1c9ab9f10b5eff9/analysis/; classtype:trojan-activity; sid:31442; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:".php?chave=xchave&url|3D 20 3D 7C 3D 20|"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/08e670fd1f7141f219f0bb7f48c179485146e439847a68cdf52b85328b66dd22/analysis/; classtype:trojan-activity; sid:31452; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection"; flow:to_server,established; content:" HTTP/1.1|0D 0A|User-Agent: Mozilla/5.0|0D 0A|"; content:"Service Pack "; fast_pattern:only; http_uri; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b51207709a248df6e06aeeba401ded6157c1298/analysis/; classtype:trojan-activity; sid:31453; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection"; flow:to_server,established; content:".rar HTTP/1.1|0D 0A|Accept: text/*, application/*|0D 0A|User-Agent: Mozilla/5.0|0D 0A|Host: "; fast_pattern:only; content:"|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b51207709a248df6e06aeeba401ded6157c1298/analysis/; classtype:trojan-activity; sid:31454; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain infolooks.org - Win.Trojan.SDBot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|infolooks|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity; sid:31456; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain joydagaspy.biz - Win.Trojan.SDBot"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|joydagaspy|03|biz|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity; sid:31457; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SDBot variant outbound connection"; flow:to_server,established; urilen:8; content:"/install"; http_uri; content:"argc="; depth:5; http_client_body; content:"&name="; distance:0; http_client_body; content:"&previous="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity; sid:31458; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain cd5c5c.com - Win.Trojan.Androm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|cd5c5c|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31463; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain disk57.com - Win.Trojan.Androm"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|disk57|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31464; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm Click Fraud Request"; flow:to_server,established; content:"/query?version="; fast_pattern:only; http_uri; content:"&sid="; http_uri; content:"&builddate="; distance:0; http_uri; content:"&q="; distance:0; http_uri; content:"&ref="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31465; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm Click Fraud Request"; flow:to_server,established; content:"|0D 0A|builddate:"; fast_pattern:only; http_header; content:"|0D 0A|aid: "; http_header; content:"|0D 0A|redirect: http://"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31466; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:9; content:"/gate.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31467; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Papras variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/viewforum.php?f="; fast_pattern:only; http_uri; content:"&sid="; http_uri; content:!"Referer:"; http_header; content:!"Cookie:"; http_header; pcre:"/sid=[0-9A-F]{32}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9e548d9a37c46423680e324b31204197babc45ddc05835afa772fde8627e72b2/analysis/; classtype:trojan-activity; sid:31468; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain nanoseklo.net - Win.Trojan.HW32"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|nanoseklo|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/e69b310dff09830641d4b9682375ce3df503674d23c429bd7847979ea9250b2b/analysis/; classtype:trojan-activity; sid:31472; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.HW32 variant spam attempt"; flow:to_server, established; content:"MAIL FROM: <Reademal.com>|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/e69b310dff09830641d4b9682375ce3df503674d23c429bd7847979ea9250b2b/analysis/; classtype:trojan-activity; sid:31507; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"/index.php?email=libpurple_XMPP"; fast_pattern:only; http_uri; content:"&method=post"; http_uri; content:" HTTP/1.0|0D 0A|Accept: */*|0D 0A|Connection: close|0D 0A|Host: "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b2b7571ffc6ee27fc716f308d72a3268ffa5f32330ca6349aacc92e6cecb2582/analysis/1406043461/; classtype:trojan-activity; sid:31530; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain hslh.sytes.net - Win.Worm.Jenxcus"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|hslh|05|sytes|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/5382192453e48d46e20096b14458b17368d401ccbf365020e6094cd5ed20ac51/analysis/; classtype:trojan-activity; sid:31639; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain prepara.biricell.com.br - Win.Trojan.SpyBanker"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|prepara|08|biricell|03|com|02|br|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/a9c38b5b26532623d692ef0291ad412ce2c2fd8e46e4f6ed85d1e0d010617d0a/analysis/; classtype:trojan-activity; sid:31640; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Tinybanker variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; fast_pattern:only; http_header; content:"|0D 0A|Content-Length: 13|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; pcre:"/[^\x20-\x7e\r\n]{3}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/; reference:url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e/analysis/; classtype:trojan-activity; sid:31641; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Tinybanker variant outbound connection"; flow:to_server,established; urilen:4; content:"/de/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; content:"Content-Length: 13|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/; reference:url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e/analysis/; classtype:trojan-activity; sid:31642; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; urilen:16; content:"/boydn/boye.html"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658/; classtype:trojan-activity; sid:31649; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tirabot variant outbound connection"; flow:to_server,established; content:"&string="; fast_pattern:only; http_client_body; content:"key="; depth:4; http_client_body; content:"Content-Type: application/x-www-Form-urlencoded|0D 0A|"; http_header; content:".php"; http_uri; pcre:"/User\x2dAgent\x3a\x20([\x20-\x7e]{3,56})\r\n.*?\r\n\r\nkey\x3d\1\x26string\x3d/ms"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7ea920d297e23cf58e9f00fa3d48e02994253cb4a673bdd6db9a02fa5ab9ffb8/analysis/1407432311/; classtype:trojan-activity; sid:31680; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Badur download attempt"; flow:to_server,established; urilen:12; content:"/support.exe"; fast_pattern:only; http_uri; content:".exe HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip,deflate,sdch|0D 0A|Host: "; content:") Chrome/"; distance:0; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/adf5d662af390ad3a187a1991e0b463327fb8360fd55a27e6f9961c8a84a47c5/analysis/; classtype:trojan-activity; sid:31681; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Badur download attempt"; flow:to_server,established; urilen:9; content:"/tmps.exe"; fast_pattern:only; http_uri; content:"Proxy-Authorization: Basic |0D 0A|"; http_header; content:"__cfduid="; depth:9; http_cookie; content:") Chrome/"; http_header; content:!"Accept-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd79c0120871094cb9266769c09f03029c/analysis/; classtype:trojan-activity; sid:31682; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Badur variant outbound connection"; flow:to_server,established; content:"/get/?data="; depth:11; http_uri; content:"User-Agent: win32|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd79c0120871094cb9266769c09f03029c/analysis/; classtype:trojan-activity; sid:31683; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Banker.Delf variant outbound connection"; flow:to_server,established; urilen:11; content:"POST"; http_method; content:"/notify.php"; http_uri; content:"Content-Length: 0|0D 0A|"; http_header; content:" HTTP/1.0|0D 0A|"; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MyApp)|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dce2799df1da1ad992d37c78ea586dfd0cf673642ecc56ac464fe7a81a6994ca/analysis/; classtype:trojan-activity; sid:31820; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"dados="; depth:6; http_client_body; content:"&ct="; distance:0; http_client_body; content:"/"; within:1; distance:2; http_client_body; content:"/201"; within:4; distance:2; http_client_body; content:"="; within:1; distance:1; http_client_body; content:"&windows="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/53ac9c629cf0cc468cfaf77fe4b54f1da7576e0c0327650915b79f9340fa84ff/analysis/; classtype:trojan-activity; sid:31824; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain flordeliskm26.com.br - Win.Trojan.Delf"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|flordeliskm26|03|com|02|br|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31825; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Delf variant HTTP Response"; flow:to_client,established; content:"Content-Length: 201|0D 0A|"; file_data; content:"<meta name=|22|token|22| content=|22 A4|"; depth:29; content:"|A4 22|/>"; within:4; distance:168; pcre:"/^\x3cmeta\x20name\x3d\x22token\x22\x20content\x3d\x22\xa4[A-F\d]{168}\xa4\x22\x2f\x3e$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31826; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Delf variant outbound connection"; flow:to_server,established; content:"/token/token.html HTTP/1.1|0D 0A|User-Agent: "; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer:"; http_header; pcre:"/\)\r\nHost\x3a\x20[a-z\d\x2e\x2d]{6,32}\r\nCache\x2dControl\x3a\x20no\x2dcache\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31827; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain eduarditopallares.mooo.com - Win.Trojan.VBKrypt"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|eduarditopallares|04|mooo|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/0a7e5ba1ba4c1ae22b7d6d30026ffb287911be4bdc8042363d29c93c3c71b3e7/analysis/; classtype:trojan-activity; sid:31829; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/trdpr/trde.html"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658/; classtype:trojan-activity; sid:31916; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain vampire123.zapto.org - Win.Trojan.Disfa"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|vampire123|05|zapto|03|org|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/1f4b95d7fc20a66acc09f8246f5a936a8263b76aebf973efa45cfe255415d5d1/analysis/; classtype:trojan-activity; sid:31917; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain enemydont.net - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|enemydont|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31918; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain saltsecond.net - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|saltsecond|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31919; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain sellsmall.net - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|sellsmall|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31920; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain southblood.net - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|southblood|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31921; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain wheelreply.net - Win.Trojan.Symmi"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|wheelreply|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31922; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Symmi variant HTTP response attempt"; flow:to_client,established; file_data; content:"%set_intercepts%"; fast_pattern:only; content:"%ban_contact%"; content:"%ebaylive%"; content:"%dep_host%"; content:"%relay_soxid%"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31923; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:".php?method="; http_uri; content:"&mode=sox&v="; fast_pattern:only; http_uri; content:" HTTP/1.0|0D 0A|Accept: */*|0D 0A|Connection: close|0D 0A|Host: "; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31924; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/notify.php"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31964; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chebri variant outbound connection"; flow:to_server,established; urilen:10; content:"/index.php HTTP/1.0|0D 0A|Host: google.com|0D 0A|User-Agent: "; fast_pattern:only; content:"0="; depth:2; http_client_body; content:"Accept-Encoding: none|0D 0A 0D 0A|"; http_header; pcre:"/User\x2dAgent\x3a\x20[A-F\d]{32}\r\n/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/db94644fc351fb4a9117b68ab625494daa2ebe36117a8333577d857a7c2d1ec6/analysis/1409853252/; classtype:trojan-activity; sid:31973; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLACKLIST User-Agent known malicious user-agent string - Install - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Install|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/; classtype:trojan-activity; sid:31990; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLACKLIST User-Agent known malicious user-agent string - Treck - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Treck|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e295922322324e048657a5b4c0c4c9717a1a127e39ba45a03dc5d4d4bb2e523f/analysis/; classtype:trojan-activity; sid:31991; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"DeltaTicket_ET-RM-"; distance:0; nocase; content:".exe"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.satinfo.es/blog/tag/deltaticket_et-rm-0hj423891156-exe; classtype:trojan-activity; sid:32008; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/beta/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:32130; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"form-data|3B| name=|22|PLUG|22 0D 0A|"; fast_pattern:only; http_client_body; content:"form-data|3B| name=|22|PC|22 0D 0A|"; http_client_body; content:"form-data|3B| name=|22|SEG|22 0D 0A|"; distance:0; http_client_body; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f7215718184d5fa1a2057e5dd714d3cdbd00fe924334ecdd3cd5662c3c284d90/analysis/; classtype:trojan-activity; sid:32196; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cryptowall variant outbound connection"; flow:to_server,established; urilen:27; content:"/blog-trabajos/n65dj17i1836"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f75b9ed535c3b33ead4da28854f3e8d6e805135679a2352463184acb06ffcaf0/analysis/; classtype:trojan-activity; sid:32225; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GameOverZeus variant outbound connection"; flow:to_server,established; urilen:<10; content:"/update"; http_uri; content:"POST"; http_method; content:"|0D 0A|Accept-Encoding:|0D 0A|Connection: close|0D 0A|Content-Length: "; fast_pattern:only; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d866214d1f921028f9001ae399e9f8dec32ec8998c84d20d60a992164888a6fc/analysis; classtype:trojan-activity; sid:32367; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:13; content:"POST"; http_method; content:"/and/gate.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:32374; rev:2;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain tiptronic.soxx.us - Scarsi Trojan"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|tiptronic|04|soxx|02|us|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/403bca7e414291c4aecf8646ef6157e441d51915149fbcd2f70aabe05585c8ff/analysis/; classtype:trojan-activity; sid:32385; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"DELETED MALWARE-CNC Win.Trojan.Androm variant outbound connection attempt"; flow:to_server,established; urilen:13; content:"POST"; http_method; content:"/and/gate.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:ruleset community; reference:url,www.virustotal.com/en/file/b4d4e5ca72c0c5905bb3a4ed3ad51ee7202901887522d6899b5f48f8ef6f3dcd/analysis/; classtype:trojan-activity; sid:32531; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; urilen:16; content:"/cbrry/cbre.html"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7c110c2d125a4100322bd9c4328d0a01259cb00a4e3709815711b8b364a58bdd/analysis/1415285838/; classtype:trojan-activity; sid:32583; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"plug=NAO"; fast_pattern:only; http_client_body; content:".php HTTP/1.0|0D 0A|"; content:"Content-Length: 8"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/NDUwYTczYzQ0YWMwNGM2Yjk5MDc5YmU4Yjg5MzY5OWY/; reference:url,www.virustotal.com/en/file/d34644047c451081e9332e18600dba25aed42ff76f96fc51cb3eada95ba57e59/analysis/; classtype:trojan-activity; sid:32584; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Geodo variant outbound connection"; flow:to_server,established; urilen:1; content:"User-Agent: Mozilla/4.0 (compatible|3B|MSIE 7.0|3B|Windows NT 6.0)|0D 0A|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/330b408173d45365dd6372bc659ebdd54b9eb18b323079da9552c4e3d8e62d1e/analysis/; classtype:trojan-activity; sid:32604; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Jenxcus variant outbound connection"; flow:to_server,established; content:"/seo.php?username=MAREYOLE&format=ptp"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8538cbb2271f90c57f57150d714ec92e59869f52c7060bb2ab1f57ef6757321d/analysis/; classtype:trojan-activity; sid:32605; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sodebral variant outbound connection"; flow:to_server,established; content:"/verifica/index.php?id="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32606; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; dsize:<194; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection"; flow:to_server, established; content:"/11/form.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100}/AGPi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11b61f6d8455f139e6e90893d9a4eb455a/analysis/; classtype:trojan-activity; sid:32852; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection"; flow:to_server, established; content:"/11/feed.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100}/AGPi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11b61f6d8455f139e6e90893d9a4eb455a/analysis/; classtype:trojan-activity; sid:32853; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt"; flow:to_server,established; urilen:1; content:"GET"; http_method; content:"/wp-admin/"; fast_pattern:only; http_header; content:"Host: www.fedex.com|0D 0A|"; http_header; pcre:"/Referer\x3a\x20[\x20-\x7E]*?\/wp\x2dadmin\/[a-z\d\x2d]+?\.php\r\n/Hi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.hybrid-analysis.com/sample/a531bc62b0460eba5b0003b535a2e9cceae0b623aecfdc6f0331743fbee77e56/; classtype:trojan-activity; sid:32888; rev:1;) alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-ADWARE SoftPulse variant HTTP response attempt"; flow:to_client,established; file_data; content:",|22|installerBehavior|22|:{|22|hideOnInstall|22|:"; fast_pattern:only; content:"{|22|time|22|:"; content:"|22|country|22|"; within:30; content:",|22|countryId|22|:"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/7aa774bffa2eb38c691774c1cc59e0adf6186da62afc417baa6333670e1e3011/analysis/1421687954/; classtype:trojan-activity; sid:33212; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; urilen:9; content:"POST"; http_method; content:"/2ldr.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/eefe5370b09a32a7b295c136073a8560958c4a58822a7da5b501a10543266c6e/analysis/1421697833/; classtype:trojan-activity; sid:33219; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Blocker variant outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows NT 6.3|3B| WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36|0D 0A|Host: checkip.dyndns.org|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/en/file/79b75a8564e2e446789e1890f52c025792de919b63719e02630a70d6ae9a3ca4/analysis/1421439683/; classtype:misc-activity; sid:33224; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; dsize:136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/form2.php"; fast_pattern:only; http_uri; content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100,300}/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/599dc4c4dae2d12f8c8ea00114c1cbddecbc171c552e7fbe5aba516ef11b08f0/analysis/; classtype:trojan-activity; sid:33228; rev:3;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"/r1xpr/r1xe.html"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4ca26daa7cfb81c8ee05c955f19ef527a9452f2dad3c63674afa7f6796d96f02/analysis/; classtype:trojan-activity; sid:33443; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established; content:"/m343ff4ufbnmm4uu4nf34m443frr/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/66e69ff2c4881a1c95eccd287af3b8db692fd5c9df3caee464f8b4125d46c1a4/analysis/; classtype:trojan-activity; sid:33444; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; dsize:214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"="; depth:2; http_client_body; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; pcre:"/[a-z]\x3d[a-f\d]{126}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33450; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant outbound connection"; flow:to_server,established; urilen:13; content:"POST"; http_method; content:"/12/index.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/db8952943708f4eefa72ad04ff01bdf9acb33fdd89a5ad98b0ec2649fb116a52/analysis/1422981882/; classtype:trojan-activity; sid:33453; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent: http://www.pershop.com.br/"; fast_pattern:only; http_header; content:".php"; http_uri; content:!"Referer:"; http_header; content:!"Accept-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/609c2c8ab60a30822689a3955fb84f06b5c3962e0d2b894f4794ac8ee5eee2eb/analysis/; classtype:trojan-activity; sid:33457; rev:2;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - ALIZER"; flow:to_server,established; content:"User-Agent|3A 20|ALIZER|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33519; rev:1;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Zusy inbound CNC response"; flow:to_client,established; file_data; content:"|0A|Array|0A 28 0A 20 20 20 20 5B|"; fast_pattern; content:"] => "; within:20; pcre:"/\x0aArray\x0a\x28\x0a\x20{4}\x5b[a-z\d]{11}\x5d\x20\x3d\x3e\x20\d{16}\x0a\x29/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33520; rev:1;) alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain tracking-recipient.net46.net - Win.Cossta"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|12|tracking-recipient|05|net46|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/file/cdaa661e2b5913997f4d905e0490bd8d9069a0c9f90a13944d5d3e1d6d1f2089/analysis/; classtype:trojan-activity; sid:33560; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent - Google Omaha - Win.Trojan.ExtenBro"; flow:to_server,established; content:"User-Agent: Google Omaha|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/34a3667846bbdea8dc92150e6766e3bac129a2b5fd4856c6f1512e794b90f23d/analysis/; classtype:trojan-activity; sid:33649; rev:1;) alert tcp $EXTERNAL_NET 1433 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banload variant MSSQL response"; flow:to_client,established; content:"|0B|m|00|a|00|c|00|a|00|v|00|e|00|r|00|d|00|e|00|m|00|2|00 06|m|00|a|00|s|00|t|00|e|00|r|00|"; fast_pattern:only; content:"|08|D|00|B|00|S|00|Q|00|0|00|0|00|1|00|7|00|"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/22ccd94c7e99a17753218708cea1abe162d289b7a0105c3be9620bf224f36f3f/analysis/; classtype:trojan-activity; sid:34136; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection"; flow:to_server,established; urilen:20<>60; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; fast_pattern:only; http_header; content:"|3D|"; depth:2; offset:1; http_client_body; pcre:"/^[a-z]\x3d[a-f\d]{90,140}$/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d14f1d1e07bd116ed0faf5896438177f36a05adacf5af4f32910e313e9c1fd93/analysis/; classtype:trojan-activity; sid:34318; rev:2;)


More coming soon...



Valid HTML 4.01 Transitional Valid CSS!

Copyright © 2012 Avery Tarasov