Thursday, June 12, 2014

snort rules - Pandemiya Trojan - Zeus-based Variant - Revision 2

After some discussion it was recognised that the string being searched for in the URI may be randomly generated. It was suggested that the header "User-Agent: Hello 2.0" should be unique enough to capture any usage of this Zeus variant. As a result, I'm releasing Revision 2 of the rules. These two rules should capture any GET or POST request made by the variant leaving the $HOME_NET network.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Pandemiya Trojan - Zeus-based Variant - POST request"; content:"POST"; http_method; nocase; content:"User|2D|Agent|3A 20|Hello|20|2|2E|0"; http_header; nocase; reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; priority:1; sid:4000001; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Pandemiya Trojan - Zeus-based Variant - GET request"; content:"GET"; http_method; nocase; content:"User|2D|Agent|3A 20|Hello|20|2|2E|0"; http_header; nocase; reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; priority:1; sid:4000002; rev:2;)
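To see exactly what the two rules match, here is an added Python example (not part of the original post and not Snort's own code) that decodes the rules' pipe-delimited content string into the literal bytes "User-Agent: Hello 2.0" and then applies the same three constraints the rules impose: the request method (http_method), a case-insensitive search (nocase) limited to the HTTP header block (http_header). The sample requests, host name and URIs are constructed for illustration; only the content string and sids come from the rules above.

```python
"""Added example: decode the Snort content pattern from the Pandemiya rules
and apply their match logic (http_method + http_header + nocase) to constructed
HTTP requests. Illustrative code, not Snort's implementation."""

# The content string exactly as written in the rules above.
CONTENT_PATTERN = "User|2D|Agent|3A 20|Hello|20|2|2E|0"


def decode_snort_content(pattern: str) -> bytes:
    """Translate Snort content syntax to raw bytes.

    Text between a pair of pipes is a whitespace-separated list of hex byte
    values; text outside the pipes is literal ASCII.
    """
    out = bytearray()
    for i, segment in enumerate(pattern.split("|")):
        if i % 2 == 1:  # odd segments sit between two pipes -> hex bytes
            out.extend(int(h, 16) for h in segment.split())
        else:
            out.extend(segment.encode("ascii"))
    return bytes(out)


def split_request(raw: bytes):
    """Return (method, header_block) for a minimal HTTP/1.x request.

    Only the request line and headers are inspected, mirroring the rules'
    http_method and http_header modifiers; the body is deliberately ignored.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    method = request_line.split(b" ", 1)[0]
    return method, headers


# sid -> the method each rule is keyed on (taken from the rules above)
RULES = {
    4000001: b"POST",
    4000002: b"GET",
}


def match_rules(raw_request: bytes):
    """Return the sids that would fire for one client->server request."""
    needle = decode_snort_content(CONTENT_PATTERN).lower()  # nocase
    method, headers = split_request(raw_request)
    fired = []
    for sid, rule_method in RULES.items():
        if method.lower() == rule_method.lower() and needle in headers.lower():
            fired.append(sid)
    return fired


# Constructed sample traffic (not real captures); host and paths are made up.
SAMPLES = {
    "beacon_post": (
        b"POST /gate.php HTTP/1.1\r\nHost: example.invalid\r\n"
        b"User-Agent: Hello 2.0\r\nContent-Length: 4\r\n\r\nabcd"
    ),
    # Header name and value in a different case: nocase still matches.
    "beacon_get_mixed_case": (
        b"GET /cfg HTTP/1.1\r\nHost: example.invalid\r\n"
        b"user-agent: HELLO 2.0\r\n\r\n"
    ),
    "browser": (
        b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n"
    ),
    # The string appears only in the body: http_header must not match it.
    "string_in_body_only": (
        b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
        b"User-Agent: curl/7.30\r\nContent-Length: 21\r\n\r\n"
        b"User-Agent: Hello 2.0"
    ),
}


def run_samples():
    """Evaluate every constructed sample; returns {name: [sids fired]}."""
    return {name: match_rules(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    print(decode_snort_content(CONTENT_PATTERN))
    for name, sids in run_samples().items():
        print(f"{name:24s} -> {sids}")
```

The body-only sample is the reason the rules use http_header rather than a bare content match: restricting the search to the header block keeps an upload or web form that happens to contain the string from triggering the alert, and it is also cheaper for the engine to evaluate.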
