# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
#
# This file contains (i) proprietary rules that were created, tested and certified by
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
# GNU General Public License (GPL), v2.
# 
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
# list of third party owners and their respective copyrights.
# 
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
# to the VRT Certified Rules License Agreement (v2.0).
#
#---------------------
# MALWARE-OTHER RULES
#---------------------

# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER known malicious email string - You have received a Hallmark E-Card"; flow:to_server,established; content:"Subject|3A| You have received a Hallmark E-Card!"; nocase; content:!"href=|22|http|3A|//www.hallmark.com/"; distance:0; metadata:service smtp; reference:url,www.virustotal.com/#/file/925a4a25cfa562a0330c8733cc697021/detection; reference:url,www.virustotal.com/en/file/bd1cfd7b15f70d131d8f3f013a4e6afb0807791b898d96d3cc2b57de576acf1f/analysis/; classtype:misc-activity; sid:19595; rev:9;)
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"MALWARE-OTHER known malicious FTP login banner - 0wns j0"; flow:established,to_client; content:"220|20|"; depth:4; content:"0wns j0"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,seclists.org/fulldisclosure/2004/Sep/895; reference:url,www.cyber-ta.org/releases/malware-analysis/public/SOURCES/CLUSTERS-NEW/behavior-summary.html; classtype:trojan-activity; sid:21255; rev:5;)
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"MALWARE-OTHER known malicious FTP quit banner - Goodbye happy r00ting"; flow:established,to_client; content:"221 Goodbye happy r00ting"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-i.html; classtype:trojan-activity; sid:21256; rev:6;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER connection to malware sinkhole"; flow:to_client,established; content:"malware-sinkhole|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:25018; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER connection to malware sinkhole"; flow:to_client,established; content:"X-Sinkhole|3A| Malware"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:30320; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:33306; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER VBScript potential executable write attempt"; flow:to_client,established; file_data; content:"VBScript"; nocase; content:"4D5A"; content:"50450000"; distance:0; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ecfb852662d8127673332939f8b062645797e91bce6acae0615e24334a3df2ad/analysis/; classtype:trojan-activity; sid:28054; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-OTHER DirtJumper denial of service attack traffic"; flow:to_server,established; content:"login="; nocase; http_client_body; content:"&passwrd="; within:9; distance:2121; nocase; http_client_body; content:"&vb_login_md5password="; within:22; distance:235; nocase; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,ddos.arbornetworks.com/2013/06/dirtjumpers-ddos-engine-gets-a-tune-up-with-new-drive-variant/; classtype:attempted-dos; sid:27115; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Clickserver ad harvesting redirection attempt"; flow:to_server,established; content:"/?q="; http_uri; content:"##1"; fast_pattern:only; http_uri; pcre:"/^\/\?q=[^&]*##1$/U"; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:misc-activity; sid:26934; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Clickserver ad harvesting redirection attempt"; flow:to_server,established; urilen:8; content:"/?id=##1"; fast_pattern:only; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, service http; classtype:misc-activity; sid:26933; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Win.Trojan.Kazy download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"CLSID = s '{D4D8E7EF-EB95-405E-A9F2-886DBB4168F4}'"; fast_pattern:only; content:"ForceRemove {D4D8E7EF-EB95-405E-A9F2-886DBB4168F4} = s 'Norm Class'"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26921; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTML.Dropper.Agent uri scheme detected"; flow:to_server,established; content:"/recurrence=always"; fast_pattern:only; http_uri; content:"adid="; nocase; http_uri; content:"loadfirst="; nocase; http_uri; content:"event_type="; nocase; http_uri; content:"signature="; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/105646b598cc60695243b89a49ba24814f83a93545e380be235573a0b95abd83/analysis/; classtype:trojan-activity; sid:26881; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-OTHER DNS data exfiltration attempt"; flow:to_server; content:"|00 00 00|"; offset:2; content:"|01|"; within:1; content:"|3A|"; within:1; distance:6; content:"|2D 2D 2D|"; within:3; distance:30; fast_pattern; content:"|3A|"; within:1; distance:25; content:"|01|"; within:1; distance:58; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,attack.mitre.org/techniques/T1020; classtype:policy-violation; sid:26803; rev:5;)
# alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER WIN.Worm.Beagle.AZ SMTP propagation detection"; flow:to_server,established; flowbits:isset,file.exe; content:"yuuvelntbgfkbkjhhkgjgvkvkggtkbbjbg"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2005-012714-0030-99&tabid=2; reference:url,www.virustotal.com/en/file/bd820efb2a5befb776bde2e47a7fb5ad98d191b04438a4c0b11289bd5d8abb50/analysis/; classtype:trojan-activity; sid:26802; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.ZertSecurity encrypted information leak"; flow:to_server,established; content:"/sms/d_m009.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blog.lookout.com/blog/2013/05/06/zertsecurity; classtype:trojan-activity; sid:26796; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Kazy download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"CLSID = s '{D4D8E7EF-EB95-405E-A9F2-886DBB4168F4}'"; fast_pattern:only; content:"ForceRemove {D4D8E7EF-EB95-405E-A9F2-886DBB4168F4} = s 'Norm Class'"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/787b20ee10650cc3bd0df34f210000e771e7d5d1d902ffbbd9f6786c46fd5e0b/analysis/; classtype:trojan-activity; sid:26778; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"<!--ded509-->"; content:"<!--/ded509-->"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.jsunpack.jeek.org/?report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; classtype:trojan-activity; sid:26698; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER OSX.Trojan.KitM file download"; flow:to_server,established; flowbits:isset,file.universalbinary; file_data; content:"N37CXSRXLD"; fast_pattern:only; content:"Developer ID Application: Rajinder Kumar"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26671; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.KitM file download"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"N37CXSRXLD"; fast_pattern:only; content:"Developer ID Application: Rajinder Kumar"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.f-secure.com/weblog/archives/00002554.html; reference:url,www.virustotal.com/en/file/6acd92d0dfe3e298d73b78a3dcc6d52ff4f85a70a9f2d0dcfe7ae4af2dd685cc/analysis/; classtype:trojan-activity; sid:26670; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake delivery information phishing attack"; flow:to_client,established; content:"|3B| filename="; http_header; content:"Delivery_Information_ID-"; fast_pattern:only; http_header; file_data; content:"Delivery_Information_ID-"; content:".exe"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:26660; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Unix.Backdoor.Cdorked download attempt"; flow:to_server,established; flowbits:isset,file.elf; file_data; content:"Jan 13 2013 10:57:10"; fast_pattern:only; content:"Cpanel::Easy::Apache"; content:"1.4.6|00|Architecture:"; within:19; distance:151; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26532; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Unix.Backdoor.Cdorked download attempt"; flow:to_client,established; flowbits:isset,file.elf; file_data; content:"Jan 13 2013 10:57:10"; fast_pattern:only; content:"Cpanel::Easy::Apache"; content:"1.4.6|00|Architecture:"; within:19; distance:151; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26531; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;)
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot Desktop.ini snkb0ptz.exe creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; content:"|5C|"; within:1; content:"|00 44 00 65 00 73 00 6B 00 74 00 6F 00 70 00 2E 00 69 00 6E 00 69 00|"; distance:0; metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26413; rev:2;)
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot executable snkb0ptz.exe creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; fast_pattern:only; content:".exe"; metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26412; rev:2;)
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot folder snkb0ptz creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; fast_pattern:only; metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26411; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_client,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26382; rev:3;)
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_client,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy security-ips drop, ruleset community, service ftp-data, service imap, service pop3; classtype:trojan-activity; sid:26381; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_server,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy security-ips drop, ruleset community, service smtp; classtype:trojan-activity; sid:26380; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Double HTTP Server declared"; flow:to_client,established; content:"Server|3A| Apache"; http_header; content:"Server|3A|nginx"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:26369; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=Postal-Receipt.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"Postal-Receipt.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:26261; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*eb167039d64daa68c565052678c517a4*/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:misc-activity; sid:26093; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER WIN.Trojan.Nap Malicious executable file download from webroot"; flow:to_server,established; content:"/newbos2.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, service http; classtype:bad-unknown; sid:25782; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=BookingDetails.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"BookingDetails.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25580; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=BookingInfo.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"BookingInfo.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25579; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=PostalReceipt.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"PostalReceipt.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25578; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Request for a non-legit postal receipt"; flow:to_server,established; content:".php?php=receipt"; fast_pattern:only; http_uri; pcre:"/\x2f[a-z0-9]+\.php\?php\x3dreceipt$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string; classtype:misc-activity; sid:25277; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PHP.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"lama|27|s|27|hell"; fast_pattern:only; content:"execute"; nocase; content:"htmlspecialchars"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25097; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PHP.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"post|5B 27|tac|27 5D|"; fast_pattern:only; content:"login"; nocase; content:"admin"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25096; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"AnakDompu"; fast_pattern:only; content:"Convertbytes"; nocase; content:"explode"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/3730e3c259cb4f727f7a803c23716ceacd640dab102ec61c3bda3974a4ef0175/analysis/; classtype:trojan-activity; sid:25095; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PERL.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"Mass Defacement"; fast_pattern:only; content:"d:f:n"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:25094; rev:3;)
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool variant outbound connection"; flow:to_client,established; file_data; content:"cmd|3A 5B 2D|bindconnverb"; fast_pattern:only; content:"bindconnverb command received"; nocase; content:"verb |5B 2D|tran|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/cc10084096cf45e6529565590ec371198f997c6b3e9d09bb25a1b3cfa593a594/analysis/; classtype:trojan-activity; sid:25092; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"wvs.exe|2C|iexplore.exe"; fast_pattern:only; content:"Can|27|t Load"; nocase; content:"Error Code: |5B 25|d|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:25091; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"wvs.exe|2C|iexplore.exe"; fast_pattern:only; content:"Can|27|t Load"; nocase; content:"Error Code: |5B 25|d|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:25090; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Start Transmit"; fast_pattern:only; content:"One recv|5B 25|d|5D|"; nocase; content:"sockconsole.pdb"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/89acf767780e0d427b58310eb2776179cb963016b908e197c41a7504c6663d8c/analysis/; classtype:trojan-activity; sid:25089; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Start Transmit"; fast_pattern:only; content:"One recv|5B 25|d|5D|"; nocase; content:"sockconsole.pdb"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/89acf767780e0d427b58310eb2776179cb963016b908e197c41a7504c6663d8c/analysis/; classtype:trojan-activity; sid:25088; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"transmit produce over"; fast_pattern:only; content:"Two send|5B 25|d|5D|"; nocase; content:"transerver.pdb"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/09c0ab18b970a5f0dd35a591aeb8073a7fa1c6b6aac829a04ea66784e99b127f/analysis/; classtype:trojan-activity; sid:25087; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"transmit produce over"; fast_pattern:only; content:"Two send|5B 25|d|5D|"; nocase; content:"transerver.pdb"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/09c0ab18b970a5f0dd35a591aeb8073a7fa1c6b6aac829a04ea66784e99b127f/analysis/; classtype:trojan-activity; sid:25086; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"I got back a null buffer !"; fast_pattern:only; content:"Coded by fzk"; nocase; content:"|40 00|smb.txt"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:25085; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"I got back a null buffer !"; fast_pattern:only; content:"Coded by fzk"; nocase; content:"|40 00|smb.txt"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:25084; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"!!!!=>iNF-"; fast_pattern:only; content:"|0D 0A|Priority: urgent|0D 0A|"; content:"|0D 0A|X-Priority: 1|0D 0A|"; pcre:"/[A-F0-9]{2}\-[A-F0-9]{2}\-[A-F0-9]{2}\-[A-F0-9]{2}\-[A-F0-9]{2}\-[A-F0-9]{2}|0D 0A|/"; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/CDAD6C1C11C130F193FBB76D09073DE40A27DC142D42AE30FF3430C991BE9831/analysis/; classtype:trojan-activity; sid:25031; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Narilam variant inbound attachemtn"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|27|##Maliran_PROG_COUNT|27| |00|Yes|00|No|00|Disactive"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/cf3c015d828784c7dffcba80619dba4cba970680ea5aa9f42f7356e79643a749/analysis/; classtype:trojan-activity; sid:25002; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Narilam variant outbound connection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|27|##Maliran_PROG_COUNT|27| |00|Yes|00|No|00|Disactive"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/cf3c015d828784c7dffcba80619dba4cba970680ea5aa9f42f7356e79643a749/analysis/; classtype:trojan-activity; sid:25001; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"MALWARE-OTHER itsoknoproblembro v2 UDP flood attempt"; flow:to_server; content:"|00 17 01 00 00 01 00 00 00 00 00 00 03 77 77 77|"; fast_pattern:only; content:"|00 00 01 00 01 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E|"; metadata:impact_flag red, service dns; reference:url,www.virustotal.com/file/87cbb24e5f6de2a788955572005b0577462a1ae570bfcf31dd99c7d5e0a0d373/analysis/1355347894/; classtype:attempted-dos; sid:24988; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"ngatur"; fast_pattern:only; content:"filenyo"; content:"ls -la"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/1e737d034848cc7cdec9940e09fd952c9357d24d25e430027649be91867e770e/analysis/; classtype:trojan-activity; sid:24900; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*c3284d*/"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:misc-activity; sid:24899; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*qhk6sa6g1c*/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,stopmalvertising.com/tag/km0ae9gr6m/; classtype:misc-activity; sid:24884; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"/*km0ae9gr6m*/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,stopmalvertising.com/tag/km0ae9gr6m/; classtype:misc-activity; sid:24883; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER OSX.Trojan.Imuler suspicious download"; flow:to_server,established; flowbits:isset,file.universalbinary; file_data; content:"/tmp/launch-ICS000"; fast_pattern:only; content:".confr"; nocase; content:"rm -rf"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24800; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Imuler suspicious download"; flow:to_client,established; flowbits:isset,file.universalbinary; file_data; content:"/tmp/launch-ICS000"; fast_pattern:only; content:".confr"; nocase; content:"rm -rf"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24799; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"wieeeee"; fast_pattern:only; content:"md5 cracker"; nocase; content:"die()"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/eb8c799f47fad06026e5e454e3dc56902055c9c6c55f5f1ded4f88f53ac9076c/analysis/1350929362/; classtype:trojan-activity; sid:24727; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER HTML.Exploit.C99 suspicious file download"; flow:to_client,established; file_data; content:"<?php"; content:"closelog("; within:100; nocase; content:"getcwd("; within:250; nocase; content:"|3B| rm -rf /tmp/"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/file/9666386336e7b708bb3a6e971bcfdec772aec1d293f0d3f02939503d71f18424/analysis/; classtype:trojan-activity; sid:24648; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Error in cmdline|21|"; fast_pattern:only; content:"InjectDllAndCallFunction"; nocase; content:"lsass.exe"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:24622; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Error in cmdline|21|"; fast_pattern:only; content:"InjectDllAndCallFunction"; nocase; content:"lsass.exe"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/b88279fc0b0c42a76df7f54219fe969d02603151cf3b79763dc58c9f72ceb95d/analysis/; classtype:trojan-activity; sid:24621; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|5B|SERVER|5D|connection to |25|s|3A 25|d error"; fast_pattern:only; content:"ntimfos|2E|eng"; nocase; content:"wsastartup"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/c770b96d25c4f0102b3d0a728f75d683779308dca2283a0ebae69ac1e2672a52/analysis/; classtype:trojan-activity; sid:24620; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5B|SERVER|5D|connection to |25|s|3A 25|d error"; fast_pattern:only; content:"ntimfos|2E|eng"; nocase; content:"wsastartup"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/c770b96d25c4f0102b3d0a728f75d683779308dca2283a0ebae69ac1e2672a52/analysis/; classtype:trojan-activity; sid:24619; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|23 23|auth|23 23 5B 25|s|5D| succ|21|"; fast_pattern:only; content:"cqo |00|cqto |00|"; nocase; content:"block socket|5B 25|d|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/8f6c0e43bab53df013ef522c83acf0278e9c3ed248f6d10560ae57e13fc3c0a3/analysis/; classtype:trojan-activity; sid:24618; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|23 23|auth|23 23 5B 25|s|5D| succ|21|"; fast_pattern:only; content:"cqo |00|cqto |00|"; nocase; content:"block socket|5B 25|d|5D|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/08f7c373abfa4dc80b015c518834a2f441544a75ae5091f7585bedd31c0e31e2/analysis/; classtype:trojan-activity; sid:24617; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"crack|5F|ftp|28|self|29|"; fast_pattern:only; content:"users |3D| |5B 27|root"; nocase; content:"do|5F|smb|5F|ck"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/7c334a0a9ef6ab520366e0b20ba488e41b546aae34395c83c0d420102ad550cd/analysis/; classtype:trojan-activity; sid:24616; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"crack|5F|ftp|28|self|29|"; fast_pattern:only; content:"users |3D| |5B 27|root"; nocase; content:"do|5F|smb|5F|ck"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/7c334a0a9ef6ab520366e0b20ba488e41b546aae34395c83c0d420102ad550cd/analysis/; classtype:trojan-activity; sid:24615; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"Type your current password to get root"; fast_pattern:only; content:"/usr/bin/chfn |2D|h"; nocase; content:"uid|3D|1000|28|hunger|29|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/25748edee2e58e31b9f79d328ce9286b69f082db86467d6401dd23cb55b0cdfa/analysis/; classtype:trojan-activity; sid:24614; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"Type your current password to get root"; fast_pattern:only; content:"/usr/bin/chfn |2D|h"; nocase; content:"uid|3D|1000|28|hunger|29|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/25748edee2e58e31b9f79d328ce9286b69f082db86467d6401dd23cb55b0cdfa/analysis/; classtype:trojan-activity; sid:24613; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"IO_wfile_underflow"; fast_pattern:only; content:"Gethostbyname|28 25|s|29|"; nocase; content:"stack smashing attack"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/e01351a627a5db51607b1bffd7cb22eabf64d421436131a1ef24fc447d47a85d/analysis/; classtype:trojan-activity; sid:24612; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"IO_wfile_underflow"; fast_pattern:only; content:"Gethostbyname|28 25|s|29|"; nocase; content:"stack smashing attack"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/e01351a627a5db51607b1bffd7cb22eabf64d421436131a1ef24fc447d47a85d/analysis/; classtype:trojan-activity; sid:24611; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; file_data; content:"udp associate"; fast_pattern:only; content:"lost host1|21|"; nocase; content:"cmdsocks |3C|1.34|3E|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/af2a6b22b4f42d6b190f122c1c06abb0760b47c4e195cc0e5bd4e4fabf56b8cb/analysis/; classtype:trojan-activity; sid:24610; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; file_data; content:"udp associate"; fast_pattern:only; content:"lost host1|21|"; nocase; content:"cmdsocks |3C|1.34|3E|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/af2a6b22b4f42d6b190f122c1c06abb0760b47c4e195cc0e5bd4e4fabf56b8cb/analysis/; classtype:trojan-activity; sid:24609; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"SSLTlsvc has removed successfully!"; fast_pattern:only; content:"bindconnverb"; nocase; content:"cmd3"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/655d1a21fbaf3571beee860a99d009ba0a604430fe42925d07eff48a97a3cf73/analysis/; classtype:trojan-activity; sid:24607; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"SSLTlsvc has removed successfully!"; fast_pattern:only; content:"bindconnverb"; nocase; content:"cmd3"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/655d1a21fbaf3571beee860a99d009ba0a604430fe42925d07eff48a97a3cf73/analysis/; classtype:trojan-activity; sid:24606; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"msiveop.dat|00|msnetst.exe"; fast_pattern:only; content:"cmd.exe|00|command.com"; nocase; content:"700WP"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/3a99a24bd0420fa5176e68092b803f68a8d13d803de4f9d8d375256b132c8951/analysis/; classtype:trojan-activity; sid:24605; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"msiveop.dat|00|msnetst.exe"; fast_pattern:only; content:"cmd.exe|00|command.com"; nocase; content:"700WP"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/3a99a24bd0420fa5176e68092b803f68a8d13d803de4f9d8d375256b132c8951/analysis/; classtype:trojan-activity; sid:24604; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"bind port |5B 25|d|5D| faild!"; fast_pattern:only; content:"-conn"; nocase; content:"cmdsocks.pdb"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/410a85bb7522e86de3da953c69d3721752ef88b272ef47c86555a08c1767cdda/analysis/; classtype:trojan-activity; sid:24603; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"bind port |5B 25|d|5D| faild!"; fast_pattern:only; content:"-conn"; nocase; content:"cmdsocks.pdb"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/410a85bb7522e86de3da953c69d3721752ef88b272ef47c86555a08c1767cdda/analysis/; classtype:trojan-activity; sid:24602; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"p2x5142.dll failed"; fast_pattern:only; content:"DBG: FIND"; nocase; content:"GetTempDir"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/886ecd19280ab8f7dc962d85ad1b94b251592e412f4f41fe7c1596767e739489/analysis/ ; classtype:trojan-activity; sid:24601; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"p2x5142.dll failed"; fast_pattern:only; content:"DBG: FIND"; nocase; content:"GetTempDir"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/886ecd19280ab8f7dc962d85ad1b94b251592e412f4f41fe7c1596767e739489/analysis/ ; classtype:trojan-activity; sid:24600; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.MiniFlame C&C command response attempt"; flow:to_client,established; flowbits:isset,malware.miniflame; content:"|0D 0A|<!-- "; fast_pattern:only; pcre:"/^<!--\s+[\w]{52,}\s+-->\r\n/smi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24594; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"unable to start gsecdump"; fast_pattern:only; content:"dump_usedhashes,u"; nocase; content:"iamservice"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/0821986b379c8f823bffea73cb25819a8a807c381b084e962b5e51c78f187199/analysis/; classtype:trojan-activity; sid:24592; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"unable to start gsecdump"; fast_pattern:only; content:"dump_usedhashes,u"; nocase; content:"iamservice"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/0821986b379c8f823bffea73cb25819a8a807c381b084e962b5e51c78f187199/analysis/; classtype:trojan-activity; sid:24591; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Coded by fzk"; nocase; content:"|40 00|smb.txt"; nocase; content:"I got back a null buffer !"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:24590; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Exploit.Hacktool suspicious file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Coded by fzk"; nocase; content:"|40 00|smb.txt"; nocase; content:"I got back a null buffer !"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/8edb0a8f701f8be6b33aa5e708411f914d7337b81ee48afa695fde31e2c86e03/analysis/; classtype:trojan-activity; sid:24589; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Lucuis malware file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"01234567890123456789eric0123456789012345678karen|00 00 00 00 25|SystemRoot"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/b76b6c8d5378e465c91f6283b6f11fdd58916cfe02923b3a48344174c2272bc0/analysis/; classtype:trojan-activity; sid:24516; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Lucuis malware file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"01234567890123456789eric0123456789012345678karen|00 00 00 00 25|SystemRoot"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24515; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Java.Trojan.Jacksbot jar download"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"key.dat3715pr52u"; fast_pattern:only; content:"B.class"; content:"v.class"; distance:0; content:"y.class"; distance:0; content:"a.class"; distance:0; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/7b654a13d36d3497636c4e934e06ba64/analysis/; classtype:trojan-activity; sid:24427; rev:3;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Java.Trojan.Jacksbot class download"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"FLOOD DRAIN"; fast_pattern:only; content:"#!/bin/bash"; content:".minecraft"; distance:0; content:"/etc/rc.common"; distance:0; content:"/etc/rc.local"; distance:0; content:".filezilla/recentservers.xml"; distance:0; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1087; reference:url,www.virustotal.com/file/7b654a13d36d3497636c4e934e06ba64/analysis/; classtype:trojan-activity; sid:24426; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Gauss download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|2E 00|B|00|a|00|c|00|k|00|u|00|p|00|0|00|D"; nocase; content:"t|00|a|00|r|00|g|00|e|00|t|00 2E 00|l|00|n|00|k"; fast_pattern:only; content:"|25 00|x"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24411; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Gauss download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|2E 00|B|00|a|00|c|00|k|00|u|00|p|00|0|00|D"; nocase; content:"t|00|a|00|r|00|g|00|e|00|t|00 2E 00|l|00|n|00|k"; fast_pattern:only; content:"|25 00|x"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/3eeaf4df50d375123d7c2c459634b7b43bdb7823198afd9399b7ec49548e3f12/analysis/; classtype:trojan-activity; sid:24410; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Miniflame download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"icsvnt"; fast_pattern:only; content:"RegisterService"; nocase; content:"ServiceMain"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24409; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Miniflame download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"icsvnt"; fast_pattern:only; content:"RegisterService"; nocase; content:"ServiceMain"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24408; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"MALWARE-OTHER itsoknoproblembro UDP flood"; flow:stateless,no_stream; dsize:>1300; content:"AAAAAAAAAAAAAAAAAAAA"; fast_pattern:only; detection_filter:track by_src, count 30, seconds 60; metadata:service dns; reference:url,arstechnica.com/security/2012/10/ddos-attacks-against-major-us-banks-no-stuxnet/; classtype:attempted-dos; sid:24396; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"MALWARE-OTHER itsoknoproblembro TCP flood"; flow:to_server,established,no_stream; dsize:>1300; content:"AAAAAAAAAAAAAAAAAAAA"; depth:20; detection_filter:track by_src, count 30, seconds 30; metadata:impact_flag red, service http; reference:url,arstechnica.com/security/2012/10/ddos-attacks-against-major-us-banks-no-stuxnet/; classtype:attempted-dos; sid:24395; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Downloader inbound email"; flow:to_server,established; file_data; content:"|01 7C F2 E8 39 0A 61 81 59 BD CA 62 00 BE CA 7D D3 F9 4E CC EB 48 20 5F EC D3 61 46 36 7B 36 EB|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/2256753459e529a64d5559e2f1154456187f49e84b5fe9fda8a180aadde9dc9f/analysis/; classtype:trojan-activity; sid:24312; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Downloader download"; flow:to_client,established; file_data; content:"|01 7C F2 E8 39 0A 61 81 59 BD CA 62 00 BE CA 7D D3 F9 4E CC EB 48 20 5F EC D3 61 46 36 7B 36 EB|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/2256753459e529a64d5559e2f1154456187f49e84b5fe9fda8a180aadde9dc9f/analysis/; classtype:trojan-activity; sid:24311; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 84 (msg:"MALWARE-OTHER Malicious UA detected on non-standard port"; flow:to_server,established,no_stream; content:"User-Agent|3A| Mozilla/5.0 |28|Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US|29|"; detection_filter:track by_src, count 1, seconds 120; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,anubis.iseclab.org/?action=result&task_id=1691c3b8835221fa4692960681f39c736&format=html; classtype:trojan-activity; sid:24265; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Lanman2.dll download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 51 C7 45 FC 41 C7 B5 D2 C9 C3 66 A1 04 90 01 10 0F B7 C0 99 B9 1F CE 00 00 F7 F9 B9 03|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/763fec95b3c5daf7be6dbdae16355fde4829191956bf3c41e08fee1901872d78/analysis/; classtype:trojan-activity; sid:24262; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Lanman2.dll download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 51 C7 45 FC 41 C7 B5 D2 C9 C3 66 A1 04 90 01 10 0F B7 C0 99 B9 1F CE 00 00 F7 F9 B9 03|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/763fec95b3c5daf7be6dbdae16355fde4829191956bf3c41e08fee1901872d78/analysis/; classtype:trojan-activity; sid:24261; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PwDump7.exe download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Dump system passwords"; nocase; content:"Dump passwords from files"; within:150; nocase; content:"pwdump"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/b20f667c2539954744ddcb7f1d673c2a6dc0c4a934df45a3cca15a203a661c88/analysis/; classtype:trojan-activity; sid:24260; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PwDump7.exe download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Dump system passwords"; nocase; content:"Dump passwords from files"; within:150; nocase; content:"pwdump"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/b20f667c2539954744ddcb7f1d673c2a6dc0c4a934df45a3cca15a203a661c88/analysis/; classtype:trojan-activity; sid:24259; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER mygeeksmail.dll download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"improve performance|00|check=|00 00|REMOTE_ADDR"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24258; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER mygeeksmail.dll download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"improve performance|00|check=|00 00|REMOTE_ADDR"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/b884f723d4c775cc1c86019a19ba922fd4060e5456883914962daf5ddef9a9ec/analysis/; classtype:trojan-activity; sid:24257; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; content:"a=YWZmaWQ9MDUyODg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; classtype:bad-unknown; sid:24225; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt sent over email"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"[+++fpnesnpr+++]"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24145; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"[+++fpnesnpr+++]"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24144; rev:4;)
alert udp $HOME_NET any -> $HOME_NET 137 (msg:"MALWARE-OTHER Dorifel/Quervar/XDocCrypt query for machine name KASPERSKY"; content:"|01 10 00 01|"; depth:4; offset:2; content:" ELEBFDFAEFFCFDELFJCACACACACACAAA|00 00 20 00 01|"; depth:38; offset:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ns; reference:url,blog.eset.com/2012/08/21/quervar-induc-c-reincarnate; reference:url,hitmanpro.wordpress.com/2012/08/11/joint-strike-force-against-dorifel/; classtype:trojan-activity; sid:24143; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to an MP3 file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".mp3"; nocase; http_uri; pcre:"/\.mp3([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,snort.org/rule_docs/1-24110; classtype:non-standard-protocol; sid:24110; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a ZIP file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".zip"; nocase; http_uri; pcre:"/\.zip([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,snort.org/rule_docs/1-24109; classtype:non-standard-protocol; sid:24109; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a RAR file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".rar"; nocase; http_uri; pcre:"/\.rar([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,snort.org/rule_docs/1-24108; classtype:non-standard-protocol; sid:24108; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a BMP file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".bmp"; nocase; http_uri; content:!"Content-Type|3A| multipart/form-data|3B|"; http_header; pcre:"/\.bmp([\?\x5c\x2f]|$)/Usmi"; metadata:impact_flag red, service http; reference:url,snort.org/rule_docs/1-24107; classtype:non-standard-protocol; sid:24107; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a PNG file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".png"; nocase; http_uri; pcre:"/\.png([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,snort.org/rule_docs/1-24106; classtype:non-standard-protocol; sid:24106; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a GIF file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".gif"; nocase; http_uri; content:!"widgetserver.com"; nocase; http_header; pcre:"/\.gif([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,snort.org/rule_docs/1-24105; classtype:non-standard-protocol; sid:24105; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a JPEG file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".jpeg"; nocase; http_uri; pcre:"/\.jpeg([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,snort.org/rule_docs/1-24104; classtype:non-standard-protocol; sid:24104; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a JPG file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".jpg"; nocase; http_uri; pcre:"/\.jpg([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,snort.org/rule_docs/1-24103; classtype:non-standard-protocol; sid:24103; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Malvertising redirection attempt"; flow:to_server,established; content:".ru/"; nocase; http_uri; content:"/?"; distance:0; http_uri; content:"|0D 0A|"; within:2; distance:1; http_uri; pcre:"/\x2eru\/\w+\?\d$/miU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:24099; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; content:"/rebots.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Malvertising redirection campaign - blackmuscat"; flow:to_server,established; content:"/blackmuscat"; fast_pattern:only; http_uri; pcre:"/\x2fblackmuscats?\x3f\d/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:23833; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Malvertising redirection page"; flow:to_client,established; file_data; content:"|22| height=0 width=0></iframe>|27 29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:trojan-activity; sid:23798; rev:4;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Malvertising network attempted redirect"; flow:to_client,established; file_data; content:".php|22| name=|22|Twitter|22| scrolling=|22|auto|22| frameborder=|22|no|22| align=|22|center|22| height=|22|2|22| width=|22|2|22|></iframe>"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1102; reference:url,labs.sucuri.net/?details=pairedpixels.com; classtype:trojan-activity; sid:23620; rev:5;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Malvertising redirection attempt"; flow:to_client,established; file_data; content:"|27 20|width=|27|6|27 20|height=|27|10|27 20|style=|27|position|3A 20|absolute|3B 20|left|3A 20 2D|1000px|3B 20|top|3A 20 2D|1000px|3B 20|z-index|3A 20|1|3B 27 3E 3C 2F|iframe|3E 22 29 3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,labs.sucuri.net/?malware; classtype:trojan-activity; sid:23618; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER potential clickjacking via css pointer-events attempt"; flow:to_client,established; file_data; content:"<style"; nocase; content:"text/css"; within:25; nocase; content:"position"; distance:0; nocase; content:"absolute"; within:15; nocase; content:"pointer-events"; within:100; fast_pattern; nocase; content:"none"; within:10; nocase; content:!"</div>"; within:10; nocase; pcre:"/position\s*?\x3a\s*?absolute\s*?\x3b[^\x7d]*?pointer-events\s*?\x3a\s*?none\s*?\x3b/i"; metadata:service http; reference:url,jsfiddle.net/gcollazo/UMyEm/embedded/result/; classtype:policy-violation; sid:23350; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER NeoSploit Malvertising - URI Requested"; flow:to_server,established; urilen:34; content:"/?"; depth:2; http_uri; content:" *|3B| q=.2, */*|3B| q=.2"; fast_pattern:only; http_header; pcre:"/\/\?[0-9a-f]{32}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:23058; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Alureon - Malicious IFRAME load attempt"; flow:to_client,established; file_data; content:"name=|5C 22|Twitter|5C 22| scrolling=|5C 22|auto|5C 22| frameborder=|5C 22|no|5C 22| align=|5C 22|center|5C 22| height = |5C 22|1px|5C 22| width = |5C 22|1px|5C 22|>"; fast_pattern:only; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1102; classtype:trojan-activity; sid:22061; rev:7;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER nikjju script injection"; flow:to_client,established; file_data; content:"script src=http|3A 2F 2F|"; nocase; content:"|2F|r.php"; within:50; fast_pattern; nocase; metadata:policy balanced-ips alert, policy security-ips alert, service http; reference:url,isc.sans.edu/diary.html?storyid=13036; classtype:misc-activity; sid:21949; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"302"; http_stat_code; content:"=_"; content:"_|5C 3B| domain="; within:11; distance:1; pcre:"/^[a-z]{5}\d=_\d_/C"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21851; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER TDS Sutra - request hi.cgi"; flow:to_server,established; content:"/hi.cgi"; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21850; rev:6;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:to_client,established; content:"/in.cgi"; http_header; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/Hsmi"; metadata:impact_flag red, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21849; rev:9;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS"; flow:to_client,established; file_data; content:"/in.cgi?"; isdataat:15,relative; content:!"id="; within:3; nocase; content:!"&"; within:6; content:!"="; within:6; pcre:"/\x2Fin\.cgi\?(\w{1,6}|default)\b/smi"; metadata:impact_flag red, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21848; rev:14;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"_0000="; fast_pattern; content:"SL_"; http_cookie; content:"_0000="; within:8; http_cookie; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21845; rev:8;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Possible malicious jar file download page"; flow:to_client, established; file_data; content:"String.fromCharCode"; nocase; content:".jar|27|"; content:"%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%"; fast_pattern:only; metadata:service http; classtype:attempted-user; sid:21642; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Possible banking trojan with known banking strings"; flow:to_client,established; file_data; content:"bankofamerica.com"; content:"capitalonebank.com"; content:"citigroup.com"; content:"capitalonebank.com"; content:"ebanking-services.com"; content:"mandtbank.com"; fast_pattern:only; metadata:service http; classtype:trojan-activity; sid:21641; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-OTHER Horde javascript.php href backdoor"; flow:to_server,established; content:"/horde/services/javascript.php"; fast_pattern; http_uri; content:"href="; http_cookie; content:"file=open_calendar.js"; http_client_body; metadata:service http; reference:cve,2012-0209; reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; classtype:trojan-activity; sid:21555; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Tong Keylogger outbound connection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"KeyLogged"; distance:0; nocase; content:"from"; distance:0; nocase; content:"|5B|Sync"; nocase; content:" Manager|5D|"; distance:0; nocase; content:"|2D|"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/5251107a201ddc5bd3d1fdc5b2f64bf1a4480f0f95e92c69a150a41078b1e4e5/analysis/; classtype:trojan-activity; sid:19901; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Tong Keylogger outbound connection"; flow:to_server,established; flowbits:isset,backdoor.tongkeylogger; content:"|5B|Sync"; nocase; content:" Manager|5D|"; distance:0; nocase; content:"|2D|"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/5251107a201ddc5bd3d1fdc5b2f64bf1a4480f0f95e92c69a150a41078b1e4e5/analysis/; classtype:trojan-activity; sid:19900; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Tong Keylogger outbound connectiooutbound connection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"KeyLogged"; distance:0; nocase; content:"from"; distance:0; nocase; flowbits:set,backdoor.tongkeylogger; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/5251107a201ddc5bd3d1fdc5b2f64bf1a4480f0f95e92c69a150a41078b1e4e5/analysis/; classtype:trojan-activity; sid:19899; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER PWS.Win32.Scofted keylogger runtime detection"; flow:to_server,established; content:"STOR JUNIPER-"; depth:13; nocase; content:".log|0D 0A|"; within:10; metadata:service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/1ed945316f12208e4d45633d78de79eade9af9904f9817e447d39148668e2d75/analysis/; classtype:trojan-activity; sid:19741; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER Keylogger Monitor.win32.perflogger"; flow:to_server,established; flowbits:isset,w32.perflogger; content:"MKD"; nocase; pcre:"/MKD\s+\d{4}\x2d(\d{2}\x2d){4}/i"; metadata:service ftp; reference:url,attack.mitre.org/techniques/T1056; classtype:trojan-activity; sid:19393; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER Keylogger Monitor.win32.perflogger"; flow:to_server,established; content:"USER|20|nacky8|0D 0A|"; nocase; flowbits:set,w32.perflogger; flowbits:noalert; metadata:service ftp; reference:url,attack.mitre.org/techniques/T1056; classtype:trojan-activity; sid:19392; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER generic IRC botnet connection"; flow:to_server,established; content:"USER|20|"; content:"|20 30 20 30 20 3A|"; within:32; distance:2; metadata:impact_flag red, service ircd; reference:url,www.virustotal.com/file/209D49E1A327919329BD8E737A133A33826668D4678DF56330CC7AF58A80B3D0/analysis/; reference:url,www.virustotal.com/file/4bf35e8ca725ccb4a3ca3be464141b49a5f0e9292aed5dd244235edf7e809626/analysis/; reference:url,www.virustotal.com/file/4c2c745bde3ada3c266d9d341c52aefc4b3a79dfc42e269c6af04119e6f13aa7/analysis/; classtype:trojan-activity; sid:19362; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger WL-Keylogger outbound connection"; flow:to_server,established; flowbits:isset,Malware_Keylogger_InitConnection; content:"ServerDetails|7C|"; depth:14; nocase; pcre:"/^ServerDetails\x7c[^\r\n]*\x7c[^\r\n]*\x7c/smi"; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.megasecurity.org/trojans/k/keylogger/Keylogger_darkdays.html; classtype:trojan-activity; sid:19325; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Keylogger WL-Keylogger inbound connection"; flow:to_client,established; content:"ServerDetails"; depth:13; nocase; flowbits:set,Malware_Keylogger_InitConnection; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.megasecurity.org/trojans/k/keylogger/Keylogger_darkdays.html; classtype:trojan-activity; sid:19324; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack"; flow:established,to_server,no_stream; content:"U dun goofed"; fast_pattern:only; detection_filter:track by_src, count 10, seconds 2; reference:url,attack.mitre.org/techniques/T1078; reference:url,sourceforge.net/projects/loic/; classtype:attempted-dos; sid:19319; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Dos.Tool.LOIC UDP default U dun goofed attack"; flow:stateless,no_stream; content:"U dun goofed"; fast_pattern:only; detection_filter:track by_src, count 10, seconds 2; reference:url,attack.mitre.org/techniques/T1078; reference:url,sourceforge.net/projects/loic/; classtype:attempted-dos; sid:19318; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Keylogger Ardamax keylogger runtime detection - http"; flow:to_server,established; content:"/pub/u1.php?v="; http_uri; content:"&pr="; http_uri; content:"&id="; http_uri; content:"&rn="; http_uri; metadata:service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.malware-control.com/statics-pages/fc321d8376cc9fad4cf02453d3cd353c.php; classtype:trojan-activity; sid:19106; rev:5;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER lizamoon script injection"; flow:to_client,established; file_data; content:"script src=http|3A 2F 2F|"; nocase; content:"|2F|ur.php"; within:50; fast_pattern; nocase; metadata:service http; reference:url,isc.sans.edu/diary.html?storyid=10642; classtype:misc-activity; sid:18604; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger egyspy keylogger 1.13 runtime detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"EgySpy"; distance:0; nocase; content:"Victim"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*EgySpy\s+Victim/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.sunbeltsecurity.com/threatdisplay.aspx?name=EgySpy&tid=48410&cs=6ECDDEC7712C7CE701773045B519AE38; classtype:successful-recon-limited; sid:16455; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger cheat monitor runtime detection"; flow:to_server,established; content:"Report"; nocase; content:"@"; nocase; content:"name=cheatmonitorR_SCREEN.DATETIME."; fast_pattern:only; pcre:"/Report\x20\x40.*name\x3dcheatmonitorR\x5fSCREEN\x2eDATETIME/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453141479; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-090408-5607-99&tabid=2; classtype:successful-recon-limited; sid:16137; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware owlforce runtime detection - remote server #2"; flow:to_server,established; content:"/status.php?"; nocase; http_uri; content:"searchurl="; http_uri; content:"version="; http_uri; content:"act="; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"Nimo Software HTTP Retriever"; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*Nimo\x20Software\x20HTTP\x20Retriever/smiH"; metadata:service http; reference:url,spywaresignatures.com/details/owlforce.pdf; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113210; classtype:successful-recon-limited; sid:16133; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware owlforce runtime detection - remote server #1"; flow:to_server,established; content:"/success.php?"; nocase; http_uri; content:"itemname="; http_uri; content:"User-Agent|3A| Nimo Software HTTP Retriever"; fast_pattern:only; metadata:service http; reference:url,spywaresignatures.com/details/owlforce.pdf; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113210; classtype:successful-recon-limited; sid:16132; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware adclicker trojan zlob.dnz runtime detection - ads"; flow:to_server,established; content:"/bc/123kah.php"; nocase; content:"Host|3A|"; nocase; http_header; content:"ads.gooochi.biz"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ads\x2egooochi\x2ebiz/smiH"; metadata:service http; classtype:successful-recon-limited; sid:16131; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Keylogger lord spy pro 1.4 runtime detection"; flow:to_server,established; content:"POST //"; nocase; content:"Host|3A| www.fakemailer.info"; fast_pattern:only; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:16130; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Keylogger kamyab Keylogger v.3 runtime detection"; flow:to_server,established; content:"/ahmad.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.kamyab-hack.com"; distance:0; fast_pattern; nocase; http_header; metadata:service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.megasecurity.org/trojans/k/keylogger/Kamyabkeylogger3.0.html; classtype:successful-recon-limited; sid:16129; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER Keylogger spyyahoo v2.2 runtime detection"; flow:to_server,established; content:"RETR k3ylogger.txt"; fast_pattern:only; metadata:service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.megasecurity.org/trojans/s/spyyahoo/Spyyahoo2.2.html; classtype:successful-recon-limited; sid:16125; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware rightonadz.biz adrotator runtime detection - ads"; flow:to_server,established; content:"/bc/123kah.php"; nocase; content:"Host|3A|"; nocase; http_header; content:"ads.targetedbanner.biz"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ads\x2etargetedbanner\x2ebiz/smiH"; metadata:service http; reference:url,www.sophos.com/security/analyses/adware-and-puas/rightonadz.html; classtype:successful-recon-limited; sid:16117; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware rightonadz.biz adrotator runtime detection - pass user info to remote server"; flow:to_server,established; content:"/bc/ip.php"; nocase; content:"Host|3A| ads.targetedbanner.biz"; distance:0; nocase; metadata:service http; reference:url,www.sophos.com/security/analyses/adware-and-puas/rightonadz.html; classtype:successful-recon-limited; sid:16116; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger ultimate Keylogger pro runtime detection"; flow:to_server,established; content:"Subject|3A| Ultimate Keylogger Report from"; fast_pattern:only; content:"Activity Report from Ultimate"; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453139331; reference:url,www.411-spyware.com/remove-ultimate-keylogger; classtype:successful-recon-limited; sid:14075; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spybosspro 4.2 runtime detection"; flow:to_server,established; content:"Subject|3A| SpyBoss Pro - Log File Mailing"; fast_pattern:only; content:"X-Mailer|3A| SpyBoss Pro"; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.2-spyware.com/remove-spybosspro.html; reference:url,www.411-spyware.com/remove/spyboss-pro; classtype:successful-recon-limited; sid:14074; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Keylogger emptybase j runtime detection"; flow:to_server,established; content:"/th/script.php?"; nocase; content:"boundary=--__abcd-xyz789__--"; distance:0; nocase; content:"name=|22|Module|22 0D 0A 0D 0A|"; distance:0; nocase; content:"IE"; distance:0; nocase; pcre:"/name\x3d\x22Module\x22\x0d\x0a\x0d\x0a(IEGrabber|IEInjector|IEFaker|IEKeylogger|IETanGrabber|IEScrGrabber|IECertGrab|IEFileGrabber)/smi"; metadata:service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453117299; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malencpkay.html; classtype:successful-recon-limited; sid:14065; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware rightonadz.biz adrotator runtime detection - ads"; flow:to_server,established; content:"/bc/123kah.php"; fast_pattern:only; content:"Host|3A|"; nocase; http_header; content:"rightonadz.biz"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*rightonadz\x2ebiz/smiH"; metadata:service http; reference:url,www.askmehelpdesk.com/spyware-viruses-etc/pop-up-http-rightonadz-biz-bc-123kah-php-151385.html; reference:url,www.nettrafficchat.com/showthread.php?t=1347; classtype:successful-recon-limited; sid:13933; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware adclicker-fc.gen.a runtime detection"; flow:to_server,established; content:"/?"; nocase; http_uri; content:"cmpname="; nocase; http_uri; content:"gai="; nocase; http_uri; content:"gli="; nocase; http_uri; content:"gff="; nocase; http_uri; content:"ed="; nocase; http_uri; content:"ex="; nocase; http_uri; content:"eu="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"intervarioclick.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*intervarioclick\x2ecom/smiH"; metadata:service http; reference:url,vil.nai.com/vil/content/v_144220.htm; classtype:successful-recon-limited; sid:13867; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware adclicker-fc.gen.a runtime detection - popup ads"; flow:to_server,established; content:"/r.php?"; nocase; http_uri; content:"sid="; nocase; http_uri; content:"pn="; nocase; http_uri; content:"aid="; nocase; http_uri; content:"said="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"directnameservice2008.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*directnameservice2008\x2ecom/smiH"; metadata:service http; reference:url,vil.nai.com/vil/content/v_144220.htm; classtype:successful-recon-limited; sid:13866; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger refog Keylogger runtime detection"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"NextPart_2"; nocase; content:"<TIT=|0D 0A|LE>REFOG log</TITLE>"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,secure.shareit.com/shareit/product.html?productid=219815&sessionid=890841208&random=d4da8e41f97c6c623e18f4b52ad63142; reference:url,www.refog.com; classtype:successful-recon-limited; sid:13812; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger kgb employee monitor runtime detection"; flow:to_server,established; content:"<TIT= LE> KGB log </TITLE>"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/spydet_26548_kgb_employee_monitor.html; reference:url,www.spywareremove.com/removeKGBKeylogger.html; classtype:successful-recon-limited; sid:13778; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware syscleaner runtime detection - presale traffic"; flow:to_server,established; content:"/order.php?"; nocase; http_uri; content:"uid="; nocase; http_uri; content:"id="; nocase; http_uri; content:"context="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.sys-cleaner.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Esys-cleaner\x2Ecom/smiH"; metadata:service http; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453123831; reference:url,spywaredetector.net/spyware_encyclopedia/Fake%20Anti%20Spyware.SysCleaner.htm; classtype:successful-recon-limited; sid:13776; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger cyber sitter runtime detection"; flow:to_server,established; flowbits:isset,cyberSitter_detection; content:"CYBERsitter"; nocase; content:"appears"; distance:0; nocase; content:"to"; distance:0; nocase; content:"be"; distance:0; nocase; content:"functioning"; distance:0; nocase; pcre:"/CYBERsitter\s+appears\s+to\s+be\s+functioning/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=CyberSitter&threatid=30845; reference:url,www.spywareguide.com/spydet_1056_cybersitter.html; classtype:successful-recon-limited; sid:13768; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger cyber sitter runtime detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"CYBERsitter"; distance:0; nocase; content:"Report"; distance:0; nocase; content:"for|3A|"; distance:0; nocase; pcre:"/Subject\x3A[^\r\n]*CYBERsitter\s+Report\s+for\x3A/smi"; flowbits:set,cyberSitter_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:13767; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger family cyber alert runtime detection - smtp traffic for recorded activities"; flow:to_server,established; content:"thread-index|3A| Acio"; nocase; content:"Subject|3A| Email from Family Cyber Alert"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Family%20Cyber%20Alert&threatid=48570; reference:url,www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453117297; classtype:successful-recon-limited; sid:13651; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger easy Keylogger runtime detection"; flow:to_server,established; content:"DQp+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fn5+fg0KV2luZG93IFRpd"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Easy%20Keylogger&threatid=43573; reference:url,spywaresignatures.com/details.php?spyware=easykeyloggerfree5.0; classtype:successful-recon-limited; sid:13642; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger sys keylog 1.3 advanced runtime detection"; flow:to_server,established; content:"This is the file kept 'LOG', of the program Sys="; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Sys_Keylog&threatid=48624; reference:url,spywaredetector.net/spyware_encyclopedia/Spyware.SysKeylog.htm; classtype:successful-recon-limited; sid:13568; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger msn spy monitor runtime detection"; flow:to_server,established; content:"<TITLE>MSN Spy Monitor Logging Report</TITLE>"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=MSN%20Spy%20Monitor&threatid=41180; classtype:successful-recon-limited; sid:13567; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger smart pc Keylogger runtime detection"; flow:to_server,established; content:"Subject|3A| Smart PC Keylogger - Log File Mailing"; fast_pattern:only; content:"X-Mailer|3A| Smart PC Keylogger"; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Smart%20Pc%20Keylogger&threatid=48645; reference:url,www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453124511; classtype:successful-recon-limited; sid:13494; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger findnot guarddog 4.0 runtime detection"; flow:to_server,established; flowbits:isset,FindNotGuardDog_detection; content:"X-Mailer|3A|"; nocase; content:"FindNot"; distance:0; nocase; content:"GuardDog"; distance:0; nocase; pcre:"/^X\x2DMailer\x3A[^\r\n]*FindNot\s+GuardDog/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=FindNot%20GuardDog&threatid=41463; reference:url,www.findnot.eu/pg_guarddog.htm; classtype:successful-recon-limited; sid:13480; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger findnot guarddog 4.0 runtime detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"|22|FindNot"; distance:0; nocase; content:"GuardDog|22|"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*\x22FindNot\s+GuardDog\x22/smi"; flowbits:set,FindNotGuardDog_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:13479; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger email spy monitor 6.9 runtime detection"; flow:to_server,established; flowbits:isset,EmailSpyMonitor_detection; content:"<title>"; nocase; content:"Email"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"Monitor"; distance:0; nocase; content:"Logging"; distance:0; nocase; content:"Report"; distance:0; nocase; content:"</title>"; distance:0; nocase; pcre:"/\x3CTitle\x3EEmail\s+Spy\s+Monitor\s+Logging\s+Report\x3C\x2Ftitle\x3E/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453122634; reference:url,www.spywareremove.com/removeEmailSpyMonitor.html; classtype:successful-recon-limited; sid:13281; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger email spy monitor 6.9 runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Chilkat"; distance:0; nocase; content:"Software"; distance:0; nocase; content:"Inc"; distance:0; nocase; pcre:"/^X\x2DMailer\x3A[^\r\n]*Chilkat\s+Software\s+Inc/smi"; flowbits:set,EmailSpyMonitor_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:13280; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger advanced spy 4.0 runtime detection"; flow:to_server,established; flowbits:isset,AdvancedSpy_detection; content:"filename="; nocase; content:"|22|as_report_"; distance:0; nocase; content:".zip|22|"; distance:0; nocase; pcre:"/filename\s*\x3D\s*\x22as\x5Freport\x5F[^\x22]+\x2Ezip\x22/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Advanced%20Spy&threatid=127939; reference:url,www.advancedspy.net/; classtype:successful-recon-limited; sid:13279; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger advanced spy 4.0 runtime detection"; flow:to_server,established; content:"Advanced"; nocase; content:"Spy"; distance:0; nocase; content:"Report"; distance:0; nocase; content:"for"; distance:0; nocase; pcre:"/Advanced\s+Spy\s+Report\s+for/smi"; flowbits:set,AdvancedSpy_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:13278; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger computer monitor 1.1 by lastcomfort runtime detection"; flow:to_server,established; flowbits:isset,ComputerMonitor11_detection; content:"Computer"; nocase; content:"Monitor"; distance:0; nocase; content:"by"; distance:0; nocase; content:"Lastcomfort"; distance:0; nocase; pcre:"/Computer\s+Monitor\s+by\s+Lastcomfort/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Computer%20Monitor&threatid=48576; classtype:successful-recon-limited; sid:13244; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger computer monitor 1.1 by lastcomfort runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Computer"; distance:0; nocase; content:"Monitor"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*Computer\s+Monitor/smi"; flowbits:set,ComputerMonitor11_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:13243; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger active Keylogger 3.9.2 runtime detection"; flow:to_server,established; flowbits:isset,ActiveKeylogger392_detection; content:"filename=|22|"; nocase; content:"akllogs.zip|22|"; distance:0; nocase; pcre:"/filename\x3D\x22[^\r\n]*akllogs\x2Ezip\x22/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Active%20Key%20Logger&threatid=1622; classtype:successful-recon-limited; sid:13237; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger active Keylogger 3.9.2 runtime detection"; flow:to_server,established; content:"Attached"; nocase; content:"|28|ZIP"; distance:0; nocase; content:"file|29|"; distance:0; nocase; content:"to"; distance:0; nocase; content:"this"; distance:0; nocase; content:"email"; distance:0; nocase; content:"are"; distance:0; nocase; content:"the"; distance:0; nocase; content:"activity"; distance:0; nocase; content:"logs"; distance:0; nocase; content:"that"; distance:0; nocase; content:"you"; distance:0; nocase; content:"have"; distance:0; nocase; content:"requested."; distance:0; nocase; pcre:"/Attached\s+\x28ZIP\s+file\x29\s+to\s+this\s+email\s+are\s+the\s+activity\s+logs\s+that\s+you\s+have\s+requested\x2E/smi"; flowbits:set,ActiveKeylogger392_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:13236; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spy lantern Keylogger pro 6.0 runtime detection"; flow:to_server,established; flowbits:isset,SpyLanternKeylogger6_detection; content:"filename=|22|"; nocase; content:".ltr"; distance:0; nocase; pcre:"/filename\x3D\x22[^\r\n]*\x2Eltr\x22/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Spy%20Lantern%20Keylogger&threatid=29156; classtype:successful-recon-limited; sid:12793; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spy lantern Keylogger pro 6.0 runtime detection"; flow:to_server,established; content:"Attachment"; nocase; content:"contains"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"Lantern"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; content:"log"; distance:0; nocase; content:"file"; distance:0; nocase; pcre:"/Attachment\s+contains\s+Spy\s+Lantern\s+Keylogger.*log\s+file\x2E/smi"; flowbits:set,SpyLanternKeylogger6_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:12792; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware partypoker runtime detection"; flow:to_server,established; content:"/utility/client/images/ProductVersion.txt"; fast_pattern; nocase; http_uri; content:"Host|3A| www.partycasino.com"; nocase; metadata:service http; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PartyPoker&threatid=44086; classtype:successful-recon-limited; sid:12790; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger powered Keylogger 2.2 runtime detection"; flow:to_server,established; flowbits:isset,PoweredKeylogger22_detection; content:"Please,"; nocase; content:"find"; distance:0; nocase; content:"the"; distance:0; nocase; content:"log"; distance:0; nocase; content:"file"; distance:0; nocase; content:"|28|PKL|29|"; distance:0; nocase; content:"attached"; distance:0; nocase; content:"to"; distance:0; nocase; content:"this"; distance:0; nocase; content:"e-mail."; distance:0; nocase; pcre:"/Please\x2C\s+find\s+the\s+log\s+file\s+\x28PKL\x29\s+attached\s+to\s+this\s+e\x2Dmail\x2E/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.ca.com/securityadvisor/pest/pest.aspx?id=453097852; classtype:successful-recon-limited; sid:12761; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger powered Keylogger 2.2 runtime detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Powered"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; content:"Logs"; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*Powered\s+Keylogger\s+Logs/smi"; flowbits:set,PoweredKeylogger22_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:12760; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger/RAT digi watcher 2.32 runtime detection"; flow:to_server,established; flowbits:isset,DigiWatcher232_detection; content:"Motion"; nocase; content:"detected!"; distance:0; nocase; content:"Watcher"; distance:0; nocase; content:"PC"; distance:0; nocase; content:"IP"; distance:0; nocase; content:"address|3A|"; distance:0; nocase; pcre:"/Motion\s+detected\x21/smi"; pcre:"/Watcher\s+PC\s+IP\s+address\x3A/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.ca.com/ca/en/securityadvisor/pest/pest.aspx?id=453119363; classtype:successful-recon-limited; sid:12759; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger/RAT digi watcher 2.32 runtime detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"Digi-Watcher.com"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*Digi\x2DWatcher\x2Ecom/smi"; flowbits:set,DigiWatcher232_detection; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:12758; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger net vizo 5.2 runtime detection"; flow:to_server,established; content:"This is an alert notification from NetVizor"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,ca.com/us/securityadvisor/pest/pest.aspx?id=453097457; classtype:successful-recon-limited; sid:12698; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware browser accelerator runtime detection - pass user information to server"; flow:to_server,established; content:"/data/track.aspx"; nocase; http_uri; content:"Host|3A| data.browseraccelerator.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/spydet_1253_browseracclerator.html; classtype:successful-recon-limited; sid:12697; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger windows family safety 2.0 runtime detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Windows Supervisor Report"; distance:0; nocase; content:"<title>Windows Family Safety</title>"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453117306; classtype:successful-recon-limited; sid:12625; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger inside website logger 2.4 runtime detection"; flow:to_server,established; content:"Subject|3A| Email Reports from Inside Website Logger"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.programurl.com/inside-website-logger.htm; classtype:successful-recon-limited; sid:12480; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 20 (msg:"MALWARE-OTHER Keylogger PaqKeylogger 5.1 runtime detection - ftp"; flow:to_client,established; content:"version 4.0 key|3A 0D 0A|~~~~~~~~~~~~~~~~~~~~~~~~~~"; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=2709; classtype:successful-recon-limited; sid:12379; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger mg-shadow 2.0 runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Mailer"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*Mailer/smi"; content:"+++ MG-Shadow 2.0"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,tweakyourwindows.com/Software-Details/19993/MGShadow-Computer-monitoring-software.html; reference:url,www.softpedia.com/progDownload/MGShadow-Download-44651.html; classtype:successful-recon-limited; sid:12372; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger overspy runtime detection"; flow:to_server,established; content:"Subject|3A| OverSpy Surveillance Data"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,secunia.com/virus_information/27591/spyware-overspy/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2006-021412-4303-99; classtype:successful-recon-limited; sid:12226; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger logit v1.0 runtime detection"; flow:to_server,established; content:"Subject|3A| Logger Results"; nocase; content:"|0D 0A 0D 0A|<|7C|"; distance:0; content:"|7C|>|0D 0A 0D 0A|"; distance:0; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.trojanfrance.com/index.php?dir=KeyLoggers/; classtype:successful-recon-limited; sid:12141; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Trackware stealth website logger 3.4 runtime detection"; flow:to_server,established; content:"Subject|3A| Email Reports from Stealth Website Logger"; fast_pattern:only; metadata:service smtp; reference:url,www.programurl.com/stealth-website-logger.htm; classtype:successful-recon-limited; sid:12139; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger Keylogger king home 2.3 runtime detection"; flow:to_server,established; content:"<TIT=|0D 0A|LE>|0D 0A|King log|0D 0A|</TITLE>|0D 0A|"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097591; classtype:successful-recon-limited; sid:12137; rev:7;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - fun"; flow:to_client,established; flowbits:isset,RemoteKeyLog.b.Fun_detection; content:"WND"; depth:3; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Remote%20Keylogger&threatid=10445; reference:url,www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html; classtype:successful-recon-limited; sid:12136; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 456 (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - fun"; flow:to_server,established; content:"fun"; depth:3; flowbits:set,RemoteKeyLog.b.Fun_detection; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:12135; rev:4;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - open url"; flow:to_client,established; flowbits:isset,RemoteKeyLog.b.Url_detection; content:"WND"; depth:3; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Remote%20Keylogger&threatid=10445; reference:url,www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html; classtype:successful-recon-limited; sid:12134; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 456 (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - open url"; flow:to_server,established; content:"url"; depth:3; flowbits:set,RemoteKeyLog.b.Url_detection; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:12133; rev:4;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - keylogging"; flow:to_client,established; flowbits:isset,RemoteKeyLog.b.Keylogging_detection; content:"KEY"; depth:3; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Remote%20Keylogger&threatid=10445; reference:url,www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html; classtype:successful-recon-limited; sid:12132; rev:5;)
alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - keylogging"; flow:to_client,established; content:"WND"; depth:3; flowbits:set,RemoteKeyLog.b.Keylogging_detection; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:12131; rev:4;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - get sys info"; flow:to_client,established; flowbits:isset,RemoteKeyLog.b.Info_detection; content:"Product Name"; depth:12; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Remote%20Keylogger&threatid=10445; reference:url,www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html; classtype:successful-recon-limited; sid:12130; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 456 (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - get sys info"; flow:to_server,established; content:"info"; depth:4; flowbits:set,RemoteKeyLog.b.Info_detection; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:12129; rev:4;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger remotekeylog.b runtime detection - init connection"; flow:to_client,established; content:"WNDkServer"; depth:10; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Remote%20Keylogger&threatid=10445; reference:url,www.downloadtopc.com/spywareadware/993/3560/Win32RemoteKeyLogb.html; classtype:successful-recon-limited; sid:12128; rev:4;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger apophis spy 1.0 runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"A-Spy"; distance:0; nocase; content:"Server"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*A-Spy[^\r\n]*Server/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072636; classtype:successful-recon-limited; sid:12049; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger computer Keylogger runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"ComputerKeylogger.com"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*ComputerKeylogger\x2Ecom/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098303; classtype:successful-recon-limited; sid:12048; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware uplink runtime detection"; flow:to_server,established; content:"/Response2.aspx"; fast_pattern; nocase; http_uri; content:"mac="; nocase; http_uri; content:"myadid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"uplink.co.kr"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*uplink\x2Eco\x2Ekr/smiH"; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2007-031317-1701-99&tabid=1; classtype:successful-recon-limited; sid:11312; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Keylogger pcsentinelsoftware Keylogger runtime detection - upload infor"; flow:to_server,established; content:"/upload.php"; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.pcsentinelsoftware.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Epcsentinelsoftware\x2Ecom/smiH"; metadata:service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.pcsentinelsoftware.com; classtype:successful-recon-limited; sid:11311; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger sskc v2.0 runtime detection"; flow:to_server,established; content:"SSKC"; nocase; content:"v2.0"; distance:0; nocase; content:"Startup"; distance:0; nocase; content:"at"; distance:0; nocase; pcre:"/^SSKC[^\r\n]*v2\x2E0[^\r\n]*Startup[^\r\n]*at/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076545; classtype:successful-recon-limited; sid:11309; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger computer monitor Keylogger runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Computer"; distance:0; nocase; content:"Monitor"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*Computer[^\r\n]*Monitor[^\r\n]*Keylogger/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097349; classtype:successful-recon-limited; sid:11307; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger pc black box runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"PC"; distance:0; nocase; content:"Black"; distance:0; nocase; content:"Box"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*PC[^\r\n]*Black[^\r\n]*Box/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PC%20Black%20Box&threatid=117239; classtype:successful-recon-limited; sid:10440; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger keyspy runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"mail"; distance:0; nocase; content:"function"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*mail\s+function/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3266; classtype:successful-recon-limited; sid:10436; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware admedia runtime detection"; flow:to_server,established; content:"/hzyt/client/procpost.aspx"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.ccnnlc.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Eccnnlc\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098012; classtype:successful-recon-limited; sid:10435; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger activity Keylogger runtime detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Activity"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; content:"Logs"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*Activity[^\r\n]*Keylogger[^\r\n]*Logs/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097325; classtype:successful-recon-limited; sid:10183; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger systemsleuth runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"SystemSleuth"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*SystemSleuth/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097306; classtype:successful-recon-limited; sid:10181; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 20 (msg:"MALWARE-OTHER Keylogger radar spy 1.0 runtime detection - send html log"; flow:to_client,established; content:"<title>New Page 1</title>"; nocase; content:"Log Started |3A|"; distance:0; fast_pattern; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453079942; classtype:successful-recon-limited; sid:10167; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware baigoo runtime detection"; flow:to_server,established; content:"/sszsex.html"; nocase; http_uri; content:"src="; nocase; http_uri; content:"pid="; nocase; http_uri; content:"ver="; nocase; http_uri; content:"dm="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"client.baigoo.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*client\x2Ebaigoo\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098801; classtype:successful-recon-limited; sid:10166; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger mybr Keylogger runtime detection"; flow:to_server,established; content:"From|3A D0 C5 CF A2|"; fast_pattern:only; content:"Subject|3A|"; nocase; pcre:"/^From\x3a\xd0\xc5\xcf\xa2.*Subject\x3a[^\r\n]*\d+\x2d\d+\x2d\d+\x2d\d+\x3a\d+\x3a\d+/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.hack77.com/Soft/hkgj/jpjl/200701/2844.html; classtype:successful-recon-limited; sid:10165; rev:8;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - open website"; flow:to_client,established; flowbits:isset,Win32.RemoteKeylog.b.website; content:"WNDMicrosoft"; depth:12; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075959; classtype:successful-recon-limited; sid:10100; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 456 (msg:"MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection"; flow:to_server,established; content:"url"; depth:3; nocase; flowbits:set,Win32.RemoteKeylog.b.website; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:10099; rev:5;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - get system info"; flow:to_client,established; flowbits:isset,Win32.RemoteKeylog.b.info; content:"Product"; depth:7; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075959; classtype:successful-recon-limited; sid:10098; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 456 (msg:"MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection"; flow:to_server,established; content:"info"; depth:4; nocase; flowbits:set,Win32.RemoteKeylog.b.info; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:10097; rev:5;)
# alert tcp $HOME_NET 456 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger win32.remotekeylog.b runtime detection - keylog"; flow:to_client,established; content:"KEY"; depth:3; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075959; classtype:successful-recon-limited; sid:10096; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware bydou runtime detection"; flow:to_server,established; content:"/pra.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.bydou.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*www\x2Ebydou\x2Ecom/smiH"; metadata:service http; reference:url,bbs.360safe.com/viewthread.php?tid=58707; classtype:successful-recon-limited; sid:10095; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware russian searchbar runtime detection"; flow:to_server,established; content:"referer="; nocase; http_uri; content:"show="; nocase; http_uri; content:"Host|3A| bar-navig.yandex.ru"; fast_pattern:only; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079056; classtype:successful-recon-limited; sid:10092; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger beyond Keylogger runtime detection - log sent by ftp"; flow:to_server,established; content:"Open Beyond Keylogger"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453097340; classtype:successful-recon-limited; sid:10089; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger beyond Keylogger runtime detection - log sent by smtp"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Beyond"; distance:0; nocase; content:"Keylogger"; distance:0; nocase; content:"Report"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*Beyond\s+Keylogger\s+Report\x2E\s+Id\x3d\x5b.*\x5d/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097340; classtype:successful-recon-limited; sid:10088; rev:9;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER W32.Nuwar.AY smtp propagation detection"; flow:to_server,established; content:"i45MQBVUFghDQkCCOqHqPmgGbzTU9IAAA1jAAAArAAAJgAACWwe"; metadata:service smtp; classtype:trojan-activity; sid:10083; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER W32.Nuwar.AY smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA76VO"; metadata:service smtp; classtype:trojan-activity; sid:10082; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER W32.Nuwar.AY smtp propagation detection"; flow:to_server,established; content:"i4wMwBVUFghDQkCCHAOKRNyQeuyBeMAAHBsAAAAwgAAJgAA7/2n"; metadata:service smtp; classtype:trojan-activity; sid:10081; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER W32.Nuwar.AY smtp propagation detection"; flow:to_server,established; content:"i45MQBVUFghDQkICEywTzzbc2+gVYUVAIGpAAAA2AAAJgAARC1i"; metadata:service smtp; classtype:trojan-activity; sid:10080; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER W32.Nuwar.AY smtp propagation detection"; flow:to_server,established; content:"i45MQBVUFghDQkICEywTzzbc2+gVYUVAIGpAAAA2AAAJgAARIj9"; metadata:service smtp; classtype:trojan-activity; sid:10079; rev:8;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER W32.Nuwar.AY smtp propagation detection"; flow:to_server,established; content:"i45MQBVUFghDQkICKDx6PZ9cWtlZzUVAMY0AAAAZAAAJgAAqwTm"; metadata:service smtp; classtype:trojan-activity; sid:10078; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger supreme spy runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Supreme"; distance:0; nocase; content:"Spy"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*Supreme\s+Spy/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097729; classtype:successful-recon-limited; sid:9830; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware relevantknowledge runtime detection"; flow:to_server,established; content:"/oss/"; nocase; http_uri; content:"X-OSSProxy|3A|"; nocase; http_header; content:"OSSProxy"; nocase; http_header; pcre:"/^X-OSSproxy\x3a[^\r\n]*OSSProxy/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097949; classtype:successful-recon-limited; sid:9829; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 20 (msg:"MALWARE-OTHER Keylogger paq keylog runtime detection - ftp"; flow:to_client,established; content:"version"; nocase; content:"key"; distance:0; nocase; pcre:"/^version\s+\d+\x2E\d+\s+key\x3a/smi"; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098520; classtype:successful-recon-limited; sid:9828; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger paq keylog runtime detection - smtp"; flow:to_server,established; content:"Subject|3A|"; nocase; content:".l|0D 0A|"; within:200; fast_pattern; nocase; pcre:"/^Subject\x3a[^\r\n]*20\d{3,4}\x5f[123]?\d\x2El/mi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098520; classtype:successful-recon-limited; sid:9827; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger ghost Keylogger runtime detection"; flow:to_server,established; flowbits:isset,ghost_keylogger_start; content:"[Static"; nocase; content:"Text]"; distance:0; nocase; pcre:"/^\s*\x5BStatic\s+Text\x5D/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=70892; classtype:successful-recon-limited; sid:9650; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger ghost Keylogger runtime detection - flowbit set"; flow:to_server,established; content:"|23|"; nocase; content:"Ghost"; distance:0; nocase; content:"keylogger"; distance:0; nocase; content:"has"; distance:0; nocase; content:"started"; distance:0; nocase; pcre:"/^\x23\s+Ghost\s+Keylogger\s+has\s+started\x2E/smi"; flowbits:set,ghost_keylogger_start; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=70892; classtype:successful-recon-limited; sid:9649; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger emailspypro runtime detection"; flow:to_server,established; content:"X-FILTERED-BY-GHOST|3A|"; fast_pattern:only; content:"1"; pcre:"/^X-FILTERED-BY-GHOST\x3a[^\r\n]*1/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083347; classtype:successful-recon-limited; sid:9648; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger system surveillance pro runtime detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"System"; distance:0; nocase; content:"Surveillance"; distance:0; nocase; content:"Log"; distance:0; nocase; content:"Open"; nocase; content:"log"; distance:0; nocase; content:"file"; distance:0; nocase; content:"import"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*System\s+Surveillance\s+Log/smi"; pcre:"/^Open\s+log\s+file\s+to\s+import/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098658; classtype:successful-recon-limited; sid:9647; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mydoom.ap attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"Received message is available at"; metadata:service smtp; classtype:trojan-activity; sid:9426; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; content:"OsrkDtNPNg9Xj38hSOB7pKSR+RzaaUnt5GIvg8wXTYQPiLhBPWmLUXYLSN2KDpF0AWHCd8Po"; metadata:service smtp; classtype:trojan-activity; sid:9425; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"MALWARE-OTHER /winnt/explorer.exe unicode klez infection"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,&,2,28,little,relative; content:"|5C 00|w|00|i|00|n|00|n|00|t|00 5C 00|e|00|x|00|p|00|l|00|o|00|r|00|e|00|r|00|.|00|e|00|x|00|e|00 00 00|"; within:41; distance:51; nocase; classtype:trojan-activity; sid:9424; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"MALWARE-OTHER lovegate attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|F|00|X|00|F|00|X|00|"; content:"|9F|u|18 00|"; within:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:trojan-activity; sid:9423; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"MALWARE-OTHER msblast attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|N|00|B|00|F|00|X|00|F|00|X|00|F|00|X|00|F|00|X|00|"; content:"|9D 13 00 01|"; within:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; classtype:trojan-activity; sid:9422; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"MALWARE-OTHER zotob attempt"; flow:to_server,established; dce_iface:8d9f4e40-a03d-11ce-8f69-08003e30051b; dce_opnum:54; dce_stub_data; content:"|C0 07 00 00 00 00 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:bugtraq,14513; reference:cve,2005-1983; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-039; classtype:trojan-activity; sid:9421; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"MALWARE-OTHER korgo attempt"; flow:to_server,established; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; content:"|AD 0D 00 00|"; depth:4; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:trojan-activity; sid:9420; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"MALWARE-OTHER sasser attempt"; flow:to_server,established; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; content:"|EC 03 00 00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:trojan-activity; sid:9419; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.a smtp propagation detection"; flow:to_server,established; content:"aWNyb3NvZnQAQGF2cC4AACVzP3A9JWx1JmlkPSVzAGh0dHA6Ly93d3cuZWxyYXNzaG9wLmRl|0D 0A|LzEucGhwAGh0dHA6Ly93d3cuaXQtbXNjLmRlLzEucGhwAGh0dHA6Ly93d3cuZ2V0eW91cmZy"; metadata:service smtp; reference:url,www.sophos.com/virusinfo/analyses/w32baglea.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-011815-3332-99&tabid=2; classtype:trojan-activity; sid:9417; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.at smtp propagation detection"; flow:to_server,established; content:"CFzisjUEyJsg4LLn9YPllwezsmCH/FoLDp8ttt5rlq2cy18Y2O3lemS1iy+B35D9veT2X3ys|0D 0A|6mupMisPtw82NJQBvU4U30nV3kdI4KNtHjiz9AUOmU+oQYcw9M3v9pJHb2MNmFxxkYvyqDWc"; metadata:service smtp; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.AT; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41539; classtype:trojan-activity; sid:9416; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER plexus.a smtp propagation detection"; flow:to_server,established; content:"YGVjaG9yIHdwdW4zJXMGZNs+6WEKUxRsRxYMIXDnZ2d04XN1cMku+XjqlhcKcXVpdA9HZoxeLSBzOowm80FoWlbIUi0/SXKAZnZiYTogMQYuMA"; metadata:service smtp; reference:url,vil.nai.com/vil/content/v_126116.htm; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39272; classtype:trojan-activity; sid:9415; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER lovelorn.a smtp propagation detection"; flow:to_server,established; content:"dGpuby9meWYAT1VUTE9PSy5FWEVOZXRDYXB0b3IuZXhlbWlyYzMyLmV4ZWFpbS5leGVZcGFnZXIu|0D 0A|ZXhlAHV2anNidWRpYm9kdnBkZXBqb2J6QXpiaXBwL2RwbgBOUUhfTE9WRQBsb3ZlX2xvcm5AeWFo|0D 0A|b28uY29tAE5RSF9MT1ZFTE9STgB0aHV5cXV5ZW5AeWFob28uY29tAE5RSABsb3ZlbG9ybkB5YWhv"; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=35041; classtype:trojan-activity; sid:9414; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER ganda smtp propagation detection"; flow:to_server,established; content:"cXJ1dmFiemFickBob3RtYWlsLmNvbT4NCgA8cmVkQGZuYS5zZT4N|0D 0A|CgA8ZGViYXR0QHN2dC5zZT4NCgA8c3VzYW5uZS5zam9zdGVkdEB0aWRuaW5nZW4udG8+DQoAPHNr|0D 0A|b2x2ZXJrZXRAc2tvbHZlcmtldC5zZT4NCgA8bWFyeS5tYXJ0ZW5zc29uQGFmdG9uYmxhZGV0LnNl"; metadata:service smtp; reference:url,www.sophos.com/security/analyses/w32gandaa.html; classtype:trojan-activity; sid:9413; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"MALWARE-OTHER sinmsn.b msn propagation detection"; flow:to_server,established; content:"Application-File|3A| smb.exe"; nocase; content:"Application-FileSize|3A| 163840"; nocase; reference:url,www.f-secure.com/v-descs/smibag.shtml; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=23776; classtype:trojan-activity; sid:9412; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.f smtp propagation detection"; flow:to_server,established; content:"on0MCbCSCWxk8BZK8Pbft5+D4wPB489V8IHiOMH6BAnTW7+wrVyDUyk0xgQ+PTmyb2URwUKK|0A|"; metadata:service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-110414-0652-99&tabid=2; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FMIMAIL%2EF&VSect=T; classtype:trojan-activity; sid:9411; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.z smtp propagation detection"; flow:to_server,established; content:"CpDwPVgF2ygS8h34dA18deYVsUYkiCjCrsbvJAcQwjPoYwKqVdMfCFQH/RrpYmxALn3s4A8S|0D 0A|hAMBMRpXBAZoVgfiM0gukIQZD8YQg+h6M3huCoaqDMuXcF0x"; metadata:service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-042110-2302-99&tabid=2; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=38949; classtype:trojan-activity; sid:9410; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER atak.b smtp propagation detection"; flow:to_server,established; content:"OsJMFEHYgBh19HlTYBliOtoPlfhIFVsjwTiRgBgMU+ZVSARWhclXidGWdED5LdJLArJcQ1DSfENl|0D 0A|cmgc0ooDhxdHUODyQ//V6tBJVtc2IBPS7SAmCAw7wXUWiRzJMEgI5UA/pM45Gl1qDJkPuJI/4V6j"; metadata:service smtp; reference:url,www.sophos.com/security/analyses/w32atakb.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-120309-3312-99&tabid=2; classtype:trojan-activity; sid:9409; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER lacrow smtp propagation detection"; flow:to_server,established; content:"ZT0iTVMtNTYwOTVNX1BBVENILmV4ZSINCgAAAP////8XAAAAQ29udGVudC1JRDogPFNPTUVDSUQ+DQoA/////w4AAAAtLS0tQUJDREVGLS0NCgAA/////wUAAAANCi4NCgAAAP////8GAAAAUVVJVA0KAABDOlxNUy01NjA5NU1fUEFUQ0guZXhlAAD/////EwAAAEM6XExpc3Rl"; metadata:service smtp; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=W32.Lacrow@mm&threatid=53187; classtype:trojan-activity; sid:9408; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"MALWARE-OTHER lovgate.b netshare propagation detection"; flow:to_server,established; content:"|F7|F|DA C4|D|22|A|AB E6 0D AA 10 17 A5 9F|=|90 B6|D7|AD F6 EE|UN|E5 17|rx|B7|v|E1 94 C7 8C|Q9y|A1 D9 C9|wL|E2 94|Q|7C 0F|6QA6|02|Y|D4 D2 B0 C9|k|C5|r|B9|m|81 DE|'|08 D8 DB 1B A4 99 AC EB 08 BD A7 24|G|8C BC 07 0D E5 06 7F|3|80 0A|T3|90|B|7F 0F|V|95|m|0D 16|g|0A|Y|CB CF 18 FF CB CA|Z|01|_|DE|Z52|0C|Y|CE|Y|1F|&|8C|W|B0 14|u|5C 88 B1 B0 EB C3|<|84 B4|h|D4|>|B8 1E 0F A6|~"; reference:url,www.sophos.com/virusinfo/analyses/w32lovgateb.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-021922-4852-99&tabid=2; classtype:trojan-activity; sid:9407; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER lovgate.e smtp propagation detection"; flow:to_server,established; content:"OziaMMstyp3ZvEfNLZDdGUotsJcU9AUzGyIbVCkkslc8AX44pHVQ7cFVd7zMsneJSAaBvoS3iUeo|0D 0A|hlEQ24NXuyvw8X2q88Vmjnqxjk0ouK8Fqb71DLdEZ2FbTDGrGuRodeFwiNi+pKq863l"; metadata:service smtp; reference:url,www.sophos.com/virusinfo/analyses/w32lovgatee.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-030416-4942-99&tabid=2; classtype:trojan-activity; sid:9406; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.ac smtp propagation detection"; flow:to_server,established; content:"cG51RlelhMtbU7QpjWKxOTvQLS+4wB20IzjrIlOWMc5XP3AcIgGMOETE8DI5fRIUfhDaJzhT|0D 0A|RPRpWWAQFKHEl02LHRYUHOqsbkd8SKZGHURgndMOfSCyIMVz/7cu1hIk3EZ8IEmLghDkO9/D"; metadata:service smtp; reference:url,www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=46889; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39026; classtype:trojan-activity; sid:9404; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.aa smtp propagation detection"; flow:to_server,established; content:"NNQX1qMoBi2hCzN5hBb/0LqoYbyhKHgQBVpTEUeLLRgDTO6MTZFsBeto+Gr/qFzvz1uPXM5c|0D 0A|j1s8XFzuo1yuz1ysXPhc81zPXDxcXPNcz1w6XOs7XDxcXPNcz1yuzl7jXu4+XTpePF1d8136"; metadata:service smtp; reference:url,www.sophos.com/security/analyses/w32netskyaa.html; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNETSKY%2EAA&VSect=T; classtype:trojan-activity; sid:9403; rev:11;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-OTHER welchia tftp propagation detection"; flow:to_server; content:"C|BB 0E|Gy3a38DM4|EC|5e|C2 0A 86 0B|Yde|02 EE|s|EB 18 0A B9|S9Cb|05|Zk|ED|F|29|cf|0D|dl|08|5u@|EB E7|8sm-95|23 AC|p+%|1D|3f|F1|s|FF 03|-|09 CD 00|q -i %s <|02 03 F2|get  nSVC|80 C0 CA 96|/|29 D6|b|80 C0| |9E CF 24 BE|-|EB D6|w&k |A9|8Shar|F0 D6 80 DD|+g|00|l|00 EC|DTCo|24 D0|L|07|B|FA 13|j|EF|"; reference:url,www.pchell.com/virus/welchia.shtml; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-081815-2308-99&tabid=2; classtype:trojan-activity; sid:9402; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER gokar http propagation detection"; flow:to_client,established; file_data; content:"|0B|Bp|D6|p|00 C2 91 C5 83 DE 3B 08 C9| Ll|F8|l|18 F0 80|K!|89|.*|B0 AC 0C C8 08 88 93 E4|d1%7|DF BA 84 3A 3B|,|02 0C E7|,,8|80 D1 24 B1|j|10 D4 E0 E8|>B|C1 29 D3|I|F7 D8 1B C0 05 96 A4 D6 03 01 AE 7C 91 0F 9D A5 BA 95|F|8D 02|'n|99 8F E0 15 98 A0|j|FF FD BE|G|BE B3 EC A3 E1 17 C4|h|DC 3A|f|B8 02 F9 0E 81 CE E2 1B E4 10 13 C8 E7 E3 0C 3B E4 0C C6 01|`6h|D3|h|C0 98 99 87 8C 3B|V|D3|"; fast_pattern:only; metadata:service http; reference:url,www.f-secure.com/v-descs/gokar.shtml; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=10606; classtype:trojan-activity; sid:9401; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER abotus smtp propagation detection"; flow:to_server,established; content:"cPf//1ChHGtAAFDokPv//6Eca0AAUOh1+///i0UIuhhnQAC5AAQAAOhn9v//M8BaWVlkiRBonzpA|0D 0A|AI1F+LoCAAAA6E31///D6b/v///r61tZWV3CBACLwFWL7DPAVWjHOkAAZP8wZIkgM8BaWVlkiRBo"; metadata:service smtp; reference:url,www.isecuritysource.com/threats/worm/w32-abotus-worm-m.aspx; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2001-082919-3906-99&tabid=2; classtype:trojan-activity; sid:9400; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER hanged smtp propagation detection"; flow:to_server,established; content:"AExhWABYYUwAWGFMAE5ld19GYW1vdVNfR2lyTHMAQS5TLk4uAFNNVFA6VGhlX0hhbmdlZEBqYXp6|0D 0A|ZnJlZS5jb20AU01UUDpUaGVfSGFuZ2VkQGhvdG1haWwuY29tAFNleF9TcGFtXyxfRXhjdXNFX01l"; metadata:service smtp; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Email-Worm.Win32.Hanged&threatid=81170; reference:url,www.emsisoft.com/en/malware/?Worm.Win32.Hanged; classtype:trojan-activity; sid:9399; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER totilix.a smtp propagation detection"; flow:to_server,established; content:"YjpDKytIT09LkOkckUAAoQ+RQADB4AKjE5FAAFJqAOglfQAAi9DoMhgAAFroyAsAAOgrGAAAagDo|0D 0A|PCQAAFlouJBAAGoA6P98AACjF5FAAGoA6ddeAADpaiQAADPAoAGRQADDoReRQADDYLsAULC8U2it"; metadata:service smtp; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Worm.Totilix.a&threatid=6703; reference:url,www.viruslist.com/en/viruslist.html?id=4097; classtype:trojan-activity; sid:9398; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER neysid smtp propagation detection"; flow:to_server,established; content:"1eO8sLlq7UIor1GwCmto7XsiMt9GchrcNlbVPh1GT18n0EDLTWKdYxpB5nZPeoxCHDzQuKOyEtsb|0D 0A|MCqnv2Y1wJoGWMGEslVIzj05hLSGDTLIbGy0uaslY66ENTqEiiXk5HxsL8KRnL2EpjwzDZScLR3G"; metadata:service smtp; reference:url,www.logiguard.com/spyware/i/i-worm-neysid.htm; reference:url,www.spywareremove.com/removeIWormNeysid.html; classtype:trojan-activity; sid:9397; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.t netshare propagation detection"; flow:to_server,established; content:"C|80 EA 01 A1 EC|GB|00 8B|H|10 88|QC|8B 15 EC|GB|00 8B|B|10 0F BE|HC|85 C9|u|14 8B 15 EC|GB|00 8B|B|04 24 FE 8B 0D EC|GB|00 89|A|04 8B 15 EC|GB|00 83|z|08 FF 0F 85 92 00 00 00|h|00 80 00 00|j|00 A1 EC|GB|00 8B|H|0C|Q|FF 15 1C|cB|00 8B 15 EC|GB|00 8B|B|10|Pj|00 8B 0D E4|]B|00|Q|FF 15|4cB|00 8B 15 F0|GB|00|k|D2 14 A1 F4|GB|00 03 C2 8B 0D EC|GB|00 83 C1 14|+|C1|P|8B 15 EC|GB|00 83 C2 14|R|A1 EC|GB|00|P|E8|Z%|00 00 83 C4 0C 8B 0D F0|GB|00 83 E9 01 89 0D F0|GB|00 8B|U|08 3B 15 EC|GB|00|v"; reference:url,www.softwaretipsandtricks.com/virus/64865-DebormT.html; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=24669; classtype:trojan-activity; sid:9396; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.j netshare propagation detection"; flow:to_server,established; content:"@|00|@|3B C7|v|F5|AA|80|9|00|u|D4 FF|E|FC 83 C3 08 83|}|FC 04|r|C1 8B|E|08 C7 05 5C|}@|00 01 00 00 00|P|A3|L}@|00 E8 C6 00 00 00 8D B6 EC|x@|00 BF|P}@|00 A5 A5|Y|A3|d|7F|@|00 A5 EB|UAA|80|y|FF 00 0F 85|H|FF FF FF|j|01|X|80 88|a~@|00 08|@=|FF 00 00 00|r|F1|V|E8 8C 00 00 00|Y|A3|d|7F|@|00 C7 05 5C|}@|00 01 00 00 00 EB 06 89 1D 5C|}@|00|3|C0 BF|P}@|00 AB AB AB EB 0D|"; reference:url,www.viruslist.com/ru/viruses/encyclopedia?virusid=24659; reference:url,www3.cai.com/securityadvisor/virusinfo/virus.aspx?ID=30328; classtype:trojan-activity; sid:9395; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.n smtp propagation detection"; flow:to_server,established; content:"UwFU9VVzpIrXAls0zlhDNOHldmMULkXDsJRNQZiPekC47DW5vF9mS3gKhBe2I0JSPouRMRBl|0D 0A|w8AJvAcDlRprEHbYgf+GOmWVzZa5XNbrM7AlDCyZfmBiCbABUFgAlCxXE2JRonBJRXLSoLAA"; metadata:service smtp; reference:url,www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=45593; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE%5FBAGLE%2EN&VSect=T; classtype:trojan-activity; sid:9394; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.k smtp propagation detection"; flow:to_server,established; content:"RcJ0RFKbuZlqeaaoQ76D0Tf6ESD+RgjrN6QDtvvsvNXbR6BlXZviaG3d1NJtmU++UEmRCixX|0D 0A|RCaDz8IzdWIidAq1dzJwwTvIJglu/0IQwX8WrLD6EheQRlQhil5PQbv9oC3Y0HgAfIERnIb5"; metadata:service smtp; reference:url,www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=45304; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EK&VSect=T; classtype:trojan-activity; sid:9393; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.j smtp propagation detection"; flow:to_server,established; content:"AFM8bJHtPFvDEkEXcUExflY49kR1cEEIUkM9CVRyaW0/TddNAkkvfRRVUkxRaCWgRLFeZa2d|0D 0A|ppsmHIgcP6Qp8ve2TB1lRQtVcHAiPE23aXCUdGYrkyxJZUtwfXxuCusU7RVxrDNuboGBhT0s"; metadata:service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-030214-1700-99&tabid=2; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FBAGLE%2EJ&VSect=T; classtype:trojan-activity; sid:9392; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.i smtp propagation detection"; flow:to_server,established; content:"A8Hjz"; content:"A8Hjz1XwgeLbymX/OMH6BAnTW4NTKTT7VvYLxgQ+PRHBjYpIBpIj7OxkWZbl8A8C7MD+SqZkBhTr|0A|VP9NDD+w5chL7D866BN1I2Vn7giaB2cqOQ1LZIaFNwpjlXTaJQ+TCqW4q6H"; metadata:service smtp; reference:url,www.sophos.com/virusinfo/analyses/w32mimaili.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-111317-1701-99&tabid=2; classtype:trojan-activity; sid:9391; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.d netshare propagation detection"; flow:to_server,established; content:"E|F4 00 00 00 00 8B 8D E8 FB FF FF 89|M|F0 EB 09 FF 15|dsB|00 89|E|F4 83|}|F0 00|uy|83|}|F4 00|t,|83|}|F4 05|u|15 C7 05|DVB|00 09 00 00 00 8B|U|F4 89 15|HVB|00 EB 0C 8B|E|F4|P|E8|*I|00 00 83 C4 04 83 C8 FF EB|P|8B|M|08 C1 F9 05 8B|U|08 83 E2 1F 8B 04 8D|@nB|00 0F BE|L|D0 04 83 E1|@|85 C9|t|0F 8B|U|0C 0F BE 02 83 F8 1A|u|04|3|C0 EB 22 C7 05|DVB|00 1C 00 00 00 C7 05|HVB|00 00 00 00 00 83 C8 FF EB 09 8B|E|F0|+|85 E0 FB|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=24653; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=30322; classtype:trojan-activity; sid:9390; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.i smtp propagation detection"; flow:to_server,established; content:"H3Vi96OpogVHcLpTQXO9Nsx0cnR1FCErIXOpKbYFbDzudjBsaQIXui4IaYZfDmRymAFceHlQ|0D 0A|RUwBBGJkRWT5f0ie4AAPAQsBBQwAMlZy9r13ED8EMA1ACwIn3SzYBDMHDMA9b2BnsYMeNBAH"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/bagle_i.shtml; reference:url,www.sarc.com/avcenter/venc/data/w32.beagle.i@mm.html; classtype:trojan-activity; sid:9389; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.g smtp propagation detection"; flow:to_server,established; content:"VdBjl"; content:"VdBjlpmHLVfqaPUitmytmlPwIiJiViqPhDwHsP8fO2CDfCpkZVVqQCfFgXUtB+gfgDUcrZZOjpqX|0A|l20NIkQDEwEOAOwgy2VA5OSAJBx7JeRs391cnLJAlivkZdzcmZBvNipSWthsl41k2B3UrdTsguvQ"; metadata:service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-110414-0646-99; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=37467; classtype:trojan-activity; sid:9388; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER klez.j web propagation detection"; flow:to_server,established; content:"1|03|3-|3B|+|B5 23|!|03 E9 0B 03 23 23|5i9|23|1|3B 19 B5|/73|B5|9?|E9 1B|+|1B|+i|07|%/|B5|/73|B5 01 07 E9|+|01|7|1D|i|8D 9B 8B 8B B5|5|23 01 E9|+5|01 3B|i9|23|1|3B 19 B5|/73|B5|9?|E9|'|0D|+|09|9i9|23|1|3B 19 B5|/73|B5|9?|E9 0F 01 0D 23 23 01|i|05 23 0D 3B 1D|75|B5|5|23 01 E9 0F|+5|3B|i|8D 9B 8B 8B B5|5|23 01 E9|=+?|1B|i|01 23 0D 0D|+|B5 23 0F E9|"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=376; classtype:trojan-activity; sid:9387; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.f smtp propagation detection"; flow:to_server,established; content:"LkRMTAAAAEdldFByb2NBZGRyZXNzAAAATG9hZExpYnJhcnlBAAAARXhpdFByb2Nlc3MAAABW|0D 0A|aXJ0dWFsQWxsb2MAAABWaXJ0dWFsRnJlZQAAAE1lc3NhZ2VCb3hBAAAAAABqe5M2t6ajjak1"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/bagle_f.shtml; reference:url,www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=45199; classtype:trojan-activity; sid:9386; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER collo.a smtp propagation detection"; flow:to_server,established; content:"UP8VWBIAAYPEDI1FoFBoAgEAAP91cP8VVBIAAf91cP8VUBIAAenf/v//aHQTAAFqCv81XIAAAf91|0D 0A|eOsTi0V8aHQTAAFqDP81XIAAAf9wDP8VCBIAATPAX15bg8VoycIQAFeLfCQMM8CD/wF2U1aLdCQM"; metadata:service smtp; reference:url,www.emsisoft.com/en/malware/?Worm.Win32.Collo.a; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=23787; classtype:trojan-activity; sid:9385; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER beglur.a smtp propagation detection"; flow:to_server,established; content:"bszmmP1TlDRGFDA1uDG1GyF3fw7zQae3hTJk7dtK0xmjv339SvtDPLhswsFAGUQX34naqqcKxEjp|0A|yns2FwCn9oiRtoiyYFfwAsT6v/2SvioeIkj2WAb6lQoNyzLUhbQtpekiV9ZUpOW2u4Lv73FPrkud"; metadata:service smtp; reference:url,www.hacksoft.com.pe/virus/w32_beglur_a.htm; reference:url,www.viruslibrary.com/virusinfo/I-Worm.Beglur.a.htm; classtype:trojan-activity; sid:9384; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.y smtp propagation detection"; flow:to_server,established; content:"SzXgMkNWL9sVG+tK+PAvoGAHIBs6uGCk+LimunCOdVZetTLfshMihnVwSZSOMgbeJ1nQ2VuH|0D 0A|OE0A6SCpjgS431+O+Uwr0hbFwC0Tt9gjk5n006G2DLQ93fwnPbO2fmzcaPYFYNhTijcHgc6u"; metadata:service smtp; reference:url,www.sophos.com/virusinfo/analyses/w32netskyy.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-042011-2621-99&tabid=2; classtype:trojan-activity; sid:9383; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER fearso.c smtp propagation detection"; flow:to_server,established; content:"W4niV2CNlkzNbJ91T1IgkFpIUag2/cL3Sy5za4C8BhwOwEDr72oCP3sBuUkp0D0NoEh1djz3tvfr|0D 0A|PY2GLMgIGNbPfqP9LTUUqLLXdKC4DoH+8FHNt922QnUL9OtN9dKAdLrOtrM5zrElF1Bw9RA101DY"; metadata:service smtp; reference:url,www.sophos.com/security/analyses/w32noferc.html; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=35646; classtype:trojan-activity; sid:9382; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER lara smtp propagation detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Lara Wallpaper Download Software"; distance:0; nocase; content:"I found on the net a new interesting software about Lara Croft"; nocase; metadata:service smtp; reference:url,www.sophos.com/security/analyses/mirclara.html; classtype:trojan-activity; sid:9381; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"MALWARE-OTHER jitux msn messenger propagation detection"; flow:to_server,established; content:"http|3A|//www.home.no/"; nocase; content:"/jituxramon.exe"; distance:0; nocase; reference:url,vil.nai.com/vil/content/v_100931.htm; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-123116-3525-99&tabid=2; classtype:trojan-activity; sid:9380; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.s smtp propagation detection"; flow:to_server,established; content:"xAJ2g9vb5s6MgEwifAAA99d2k9vrFPl057JOQIiRxvTw54r4l64U/qrFiXxGSJOoS9u77/mo|0D 0A|T/01iESEpu/wemHvlfNyYs+hogBpkojHr6r1w6r5OLdqdovbvwQmcoqsu7aPznGT+6qsCYET"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/netsky_s.shtml; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-040512-2436-99&tabid=2; classtype:trojan-activity; sid:9379; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.q smtp propagation detection"; flow:to_server,established; content:"Zacc/sWcQrpGNGbPzJedST7hJMXZJVKNy7LLBP2V90UwX7IHSyhFxPPTlRpdlJtxYLAU3s+E|0D 0A|ekcFyTLIwRYHVjWm16JZXIxAhQROCT/c+L5SU8juIBBaGTg21xUr52qxnAfzmZdzLksQUE+0"; metadata:service smtp; reference:url,www.sophos.com/virusinfo/analyses/w32netskyq.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-032913-5722-99&tabid=2; classtype:trojan-activity; sid:9378; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mydoom.g smtp propagation detection"; flow:to_server,established; content:"B0QnUGCDNE08WiwoB4MNMsggGBAnBHf27GA//CMX7CNH5A/y7CBNQdTAI5e4I0jTDHaoB5xkkCCD|0D 0A|DTaIF4QvfIMNMth0H2xkB1wMMsggVExEMthgg0B/MEco0jSDDRwPFFoIybODDQAH/CIv9CLBXjPY"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mydoom_g.shtml; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-030213-0918-99&tabid=2; classtype:trojan-activity; sid:9377; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER fishlet.a smtp propagation detection"; flow:to_server,established; content:"AAACAAAAQAAAAAQAAAANAAoAAAAAABgAAABcAGYAaQBzAGgAbABlAHQALgBiAGkAbgAAAAAAVgAA|0D 0A|AFMAbwBmAHQAdwBhAHIAZQBcAE0AaQBjAHIAbwBzAG8AZgB0AFwASQBuAHQAZQByAG4AZQB0ACAA"; metadata:service smtp; reference:url,www.sophos.com/security/analyses/w32fishleta.html; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=12285; classtype:trojan-activity; sid:9376; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER duksten.c smtp propagation detection"; flow:to_server,established; content:"+QAEAE1FhFEAAaABBIAD/VCMgIADcAAAABJnSlP+aThqAAKRKqKioqDQAAABA|0D 0A|Q/hAAQDQfAIgACn/KoVAQACjzQ0IAE0AocDVAACa//81cw0IAP9RJUBAADNaKVL/qebQEAAaEtAQAP+opCAgAIUMdAYaEtAQAP+oxCAgADSQGoAA/xXkICAAQJ5EiAgA"; metadata:service smtp; reference:url,www.hftonline.com/forum/archive/index.php/t-11044.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-122016-4223-99&tabid=2; classtype:trojan-activity; sid:9375; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER creepy.b smtp propagation detection"; flow:to_server,established; content:"i8iFyXUFM8BeW8OhUIREAIkBiQ1QhEQAM9KLwgPAjUTBBIseiRiJ|0D 0A|BkKD+mR17IsGixCJFl5bw5CJAIlABMOLwFNWi/KL2Oid////hcB1BTPAXlvDixaJUAiLVgSJUAyL"; metadata:service smtp; reference:url,vil.nai.com/vil/content/v_112739.htm; reference:url,www.emsisoft.com/en/malware/?Email-Worm.Win32.Creepy.b; classtype:trojan-activity; sid:9374; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER clepa smtp propagation detection"; flow:to_server,established; content:"S|23|L1GP]U%A!BA-RBY5.|0A|ME>|24|20PNL^|3A|79|24|U|3A|1'G`.+BZ6VD,4|5C|Q,T?!TID7%|3A|+T-SH5|23|K.7|24|^|22|G|5C|]NQ|22|=|0A|M'BUUUU@|5C|MBZ_D[^]<&L6R0/2B|3A|@8|23|!T`"; metadata:service smtp; reference:url,vil.nai.com/vil/content/v_120502.htm; reference:url,www.logiguard.com/spyware/i/i-worm-clepa.htm; classtype:trojan-activity; sid:9373; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER blebla.a smtp propagation detection"; flow:to_server,established; content:"JfzwQACLwP8lnPFAAIvA/yWY8UAAi8D/JZTxQACLwP8lkPFAAIvA/yWM8UAAi8D/JYjxQACLwFOD|0D 0A|xLy7CgAAAFToYf////ZEJCwBdAUPt1wkMIvDg8REW8OLwP8l+PBAAIvA/yX08EAAi8D/JfDwQACL"; metadata:service smtp; reference:url,vil.nai.com/vil/content/v_98894.htm; reference:url,www.sophos.com/security/analyses/w32bleblaa.html; classtype:trojan-activity; sid:9372; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.e smtp propagation detection"; flow:to_server,established; content:"ndAzKAZ0SFmzPdMu6kksSBpMnHn8vHAZLueGBstFWTfqLp3bQgJcaVOxM0W4oc81kinf/QiC|0D 0A|+bYxBaedDbd49u4ktkyUTrFK2ic8FKQI9pXU8vrTcz6RnwRxwAqTRZrKIhN6nL2ivbJIRTmf"; metadata:service smtp; reference:url,www.sophos.com/virusinfo/analyses/w32baglee.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-022809-3232-99&tabid=2; classtype:trojan-activity; sid:9371; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER bagle.b smtp propagation detection"; flow:to_server,established; content:"22cYrYFsp1tV//KXbPbtRRQ4EnUCswFdIl62BQ6BxjtHcmMEwQ573GF0vGNi9B8wPXivfVoL|0D 0A|N9j04cZWzkL7aT31JBRq3/LZM/lJiQo0hUcu9GPvsGExeAQ1eAxsh/8gV4B9/iB1C7h0dRD3"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/bagle_b.shtml; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-021713-3625-99&tabid=2; classtype:trojan-activity; sid:9370; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER atak.a smtp propagation detection"; flow:to_server,established; content:"OwT4dgXDeVgnYHMODdBsTCbwmeciQpDLT1c3bLF1CDPoOT4eiUYEQgtW6Dyq/V0eWdlNFpXqMULp|0D 0A|QSWsmyBXNyoMu5xxWfoEcA/D8fxQV4hosCndivKbkCHoTCa6MLVnCwngBJFJlBHr7ka36Cpo/Mib"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/atak_a.shtml; reference:url,www.sophos.com/security/analyses/w32ataka.html; classtype:trojan-activity; sid:9369; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER agist.a smtp propagation detection"; flow:to_server,established; content:"0ZpkFIcReXCdLfAeEs4k5jglICV+BEij4zH+Xi5QwyfgLb+rO0XnE1xMuyBdVbgW95IPgAVLAnSC|0D 0A|g/5gJes8k0qLVgSAmSvKuNMATWIQ9+HB6gYajUIFsMBdgfogIBxSfyxQ0g6YSxpQiQ8WSQnT55rV"; metadata:service smtp; reference:url,secunia.com/virus_information/10752/agist.a/; reference:url,www.sarc.com/avcenter/venc/data/w32.agist.a@mm.html; classtype:trojan-activity; sid:9368; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER anset.b smtp propagation detection"; flow:to_server,established; content:"i9iF2w+EggAAAItrCIvFA0MMi9CNDDcr0YP6DH8Ei/gr/ovGK8WD+Ax9FI1M|0D 0A|JAGL1itTCAPXi8Xoxfv//+sRjUwkAYvXg+oEjUYE6LL7//+LbCQBhe10NIvV"; metadata:service smtp; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/199/worm_anset.b.html; reference:url,www.bullguard.com/virus/default.aspx?id=51; classtype:trojan-activity; sid:9367; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.s smtp propagation detection"; flow:to_server,established; content:"AAAAAAAAAAx|0A|AMBAi0wkBPdB5gbhjwJ0D69ErgiOVIAQiQK4A8Ejw1NWV78nh1Bq/mgOzkADZP81Yi0OiSUTOj Ug|0A|MFhgcAyDHv7/dNw7//HsGgONNHaLDLNkqzBID3x"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mimail_m.shtml; reference:url,www.sophos.com/virusinfo/analyses/w32mimailm.html; classtype:trojan-activity; sid:9366; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER cult.c smtp propagation detection"; flow:to_server,established; content:"wJ0D69ErgiOVIAQiQK4|0D 0A|A8Ejw1NWV78nh1Bq/mgOzkADZP81Yi0OiSUTOjUgMFhgcAyDHv7/dNw7//Hs|0D 0A|GgONNHaLDLNkqzBID3xOBAF11/9U3/Dr0WQojwU2AIPEDF9eW8NVN4nlu2dq"; metadata:service smtp; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/72/worm_cult.c.html; reference:url,www.sophos.com/security/analyses/w32cultc.html; classtype:trojan-activity; sid:9365; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER klez.e web propagation detection"; flow:to_server,established; content:"|F2 99 00 00 03|+|16|-|A8 90 BA 8A 9A 29|0PH|80|@8` Z|00 08 80|+|A0 80 00 00|X|29|h|00|H`|E8|Z0P@Zhp+|E0| |E0| |29 90 18|0Z0P@Z|88 90|+ |88|P|F8 29 BA E2 A2 A2|ZX|00 88|+ X|88|`|29|h|00|H`|E8|Z0P@Zhp+|10 B8| |A8|h|29|h|00|H`|E8|Z0P@Zhp+|B0 88 B8 00 00 88 29 98 00 B8|`|F8|PXZ"; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-011716-2500-99&tabid=2; classtype:trojan-activity; sid:9364; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER klez.d web propagation detection"; flow:to_server,established; content:"agzyrywelb@igdupgdu.fgs|00|klgfp@yswma.fgs.fd|00|pyaab@igdupgdu.fgs|00|rywelb@163.fgs|00|bwdbwd@yswma.fgs.fd|00|ca1980@163.fgs|00|lmlm@igdupgdu.fgs|00|"; metadata:service http; reference:url,www.sophos.com/security/analyses/w32klezd.html; classtype:trojan-activity; sid:9363; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.m smtp propagation detection"; flow:to_server,established; content:"f+xt2OHdR5d|0A|oYEgACjEdRRHXvYmP9iDPXUL7TXuZkm+6wfHeTAGsEn3sfxyGYt9/GE5yHe7tcZ/Hhj4ORt835ps|0A|Mx+zk+UMO/RnXp7d+QBQQEz4gFL098fbv+3/G3"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mimail_m.shtml; reference:url,www.sophos.com/virusinfo/analyses/w32mimailm.html; classtype:trojan-activity; sid:9362; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.l smtp propagation detection"; flow:to_server,established; content:"Subject|3A| Re[2]"; nocase; content:"Hi Greg its Wendy."; distance:0; nocase; content:"I was shocked, when I found out that it wasn't you but|0D 0A|your twin brother!!!"; distance:0; nocase; content:"name=|22|wendy.zip|22|"; distance:0; nocase; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mimail_l.shtml; reference:url,www.sophos.com/virusinfo/analyses/w32mimaill.html; classtype:trojan-activity; sid:9361; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER cult.b smtp propagation detection"; flow:to_server,established; content:"HgAAAAAAAAAAAAAAAAAAQAAA|0D 0A|wDEuMjIAVVBYIQwJAgkUTDlhQxNezL9kAACkGQAAIEAAACYAABn+//L/McBA|0D 0A|i0wkBPdBBAYAdA+LRCQIi1QkEIkCuAO5/3fvEMNTVlc"; metadata:service smtp; reference:url,www.avira.com/en/threats/section/fulldetails/id_vir/72/worm_cult.b.html; reference:url,www.sophos.com/security/analyses/w32cultb.html; classtype:trojan-activity; sid:9360; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER zafi.b smtp propagation detection"; flow:to_server,established; content:"ogoKgD0WhnQSv/XEJq4JCv4wgevPaFDDmyXYndHSgSQEAaqXBpIrHzOgDxW/HTNqUNgsI75gYINA"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/zafi_b.shtml; reference:url,www.sophos.com/security/analyses/w32zafib.html; classtype:trojan-activity; sid:9359; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER fizzer smtp propagation detection"; flow:to_server,established; content:"i8Zew4tMJAQzwDgBdAdAgDwIAHX5w1WL7ItFDFOLXRRWVzP/M/aJRQyFwIldFHUM/3UI6Mz///9Z|0D 0A|iUUMhdt1DP91EOi8////WYlFFItFFDlFDHdqg30YAHQjhcB2Uzt1DHNTi00Qi1UIigwPOgwWdQNG"; metadata:service smtp; reference:url,www.sophos.com/virusinfo/analyses/w32fizzera.html; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-050821-0316-99&tabid=2; classtype:trojan-activity; sid:9358; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.r netshare propagation detection"; flow:to_server,established; content:"=X|A2|/|EF D1 BD C2 EB|0|5C 98|U|1A 08|c|AE|0|F1 06 C4 0B|m|D2 84|W|08|Z/|AD 02 0D|t|12|/|DA D7|>|C6|<|B2 DD 85 18 CF|,1j|8A F0 CF|Z|A4|`|87 D4|NP|89|@|F2 14 23 B8|R9|BF 0C B6 84|f|29 BA 02 0D F0 1D F6 B6|5C|04|n|99 10 BE 1D|j|0A DF 9A|P|BC CE DC C0|R9FlPT|BD CF|f|D4 CF F7|b|99 DD 8A 00 F0 E9 14|~b|9B EF C4 0C 24 96|,|14 89 D7|"; reference:url,www.sophos.com/security/analyses/w32debormr.html; classtype:trojan-activity; sid:9357; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.q netshare propagation detection"; flow:to_server,established; content:"|AB B4|+|F6 04 19 B8 9F CB|t|24|HpR|04 A6 8E|R|17 B1 7F 8A 1E|z|12 8C B8 0C|aVM|81 7C|0|AC|8|BA B5 EE 1A|B|9B|a*xe@|D1|q8|22|T|B7|.`|11 E0|iQ}|C7 CA C1 81 D9|i|B7 A4|C|BE|0|23|2X|9A DF 5C 3B|v|12 CC| |80 AD 7C|cT|19|.|AE|!|8E F8 84|R|F5|1n|D7 1B|8|E8 B0|<U1F|BE B7 16 8B 89 17|Z2|B0 ED|%ED|C4 07 8B B6 CF 92 B2 22|"; reference:url,www.sophos.com/security/analyses/w32debormq.html; classtype:trojan-activity; sid:9356; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.u netshare propagation detection"; flow:to_server,established; content:"|A3|Hp@|00 81|=Hp@|00 F0 00 00 00|~|0A C7 05|Hp@|00 0A 00 00 00|j|0A 8D|M|F0|Q|8B 15|Hp@|00|R|E8 E1|L|00 00 83 C4 0C 8D|E|F0|P|8B|M|08|Q|E8 DB 0D 00 00 83 C4 08|hlp@|00 8B|U|08|R|E8 DA 0D 00 00 83 C4 08|j|0A 8D|E|F0|P|8B 0D 90|{@|00|Q|E8 AB|L|00 00 83 C4 0C 8D|U|F0|R|8B|E|08|P|E8 B5 0D 00 00 83 C4 08|hpp@|00 8B|M|08|Q|E8|"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DEBORM.U; classtype:trojan-activity; sid:9355; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.y netshare propagation detection"; flow:to_server,established; content:"|B7 D6 B6 3B|?X4|00|h|94|[h|8F B3 B3|u@|80|*|0C|F|05 29 B3|=|CE|J|19|8V|EF 1E 10|n|90 9A|1|08 08|^X|A0 3A B6 D7|Kn^d|FE 85|h|9D|%|18|d|B7 E0|n|83 BD|x|0C|Lw|9E|`|FD|%Yr+?4|FC|y|24 07 F6 A3|Y|A4 C4|`|FD B6 06 C9 03|d|FE F3|d|8E 91 C6 DE|O|9C|jP[|90 AF 91|j|BA|{|C6|p|13 C4 8A 80 10 8B|@|0C|w|AB D5|P|FF 96|w|C2 10 04|"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DEBORM.Y; classtype:trojan-activity; sid:9354; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-OTHER deborm.x netshare propagation detection"; flow:to_server,established; content:"0@|00 0A 00 00 00|SV|8B|5|A8| @|00|W|8D|E|F0|j|0A|P|FF|5|28|0@|00 FF D6 8B|]|08 8D|E|F0|PS|E8 9D 08 00 00 BF|L0@|00|WS|E8 8B 08 00 00 8D|E|F0|j|0A|P|FF|5|D0|2@|00 FF D6 8D|E|F0|PS|E8|s|08 00 00|WS|E8|l|08 00 00 8D|E|F0|j|0A|P|FF|5|D4|2@|00 FF D6 83 C4|D|8D|E|F0|PS|E8|Q|08 00 00|WS|E8|J|08 00 00 8D|E|F0|j|0A|P|FF|5"; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DEBORM.X; classtype:trojan-activity; sid:9353; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER lovgate.a smtp propagation detection"; flow:to_server,established; content:"+3UubBZU6QPutdRcZrPEvAZmzZcNakN47VPYbNzc7Nrua2tqc5hULfvf2fjX3Ec6W|0D 0A|bgNaUl7vgcZCDx77BhbeP1Jav5WWRj/8Tjd7mGGE798zp8rczW6tVaQvEyw5Ww3WpU0MwG5nq6G5"; metadata:service smtp; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=22549; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=31576; classtype:trojan-activity; sid:9352; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"MALWARE-OTHER lovgate.a netshare propagation detection"; flow:to_server,established; content:"M|D5 15 80 85 D9 1C 92|zE|3B|iy|C7|2|97|8|14|/8q|1B DA|^R|DA 15|- A|80|T|BC|EJ|A3 C1 AD 8F|+ya|D9 1B|e|A3|B5|29 BB EE EE C3 D9 15 B3|U|B7 B4|os|3A AF|?|87|s|05 CE E7|rC/{|80|^r|F6|@yY|05 BC|f|83 F8 90 AF 17|d|15 24 83|i|9B 06 A6|H<|A6|H|15 99 22 DA E6 C0 E5|2E|E5|2A|B5 C2|+|5C 90|Za|F8|[|92|@L |FE|0|90|W|01 FC E5|^|DE BF FF FF E9 F7 CF|<|F9 F3 EF|"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=22549; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=31576; classtype:trojan-activity; sid:9351; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.k smtp propagation detection"; flow:to_server,established; content:"QIi1QkEIkCuAMAAADDU1ZXi0QkEFBq/mgAEEAAZP81AAAAAGSJJQAAAACLRCQgi1gIi3AM|0A|g/7/dCA7dCQkdBqNNHaLDLOLTCQIi0gMg3yzBAB11/9Uswjr0WSPBQAAAACDxAxfXl"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mimail_k.shtml; reference:url,www.sophos.com/virusinfo/analyses/w32mimailk.html; classtype:trojan-activity; sid:9350; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER plemood smtp propagation detection"; flow:to_server,established; content:"+FVQACNg1tXQABQV7hVQed3/9BWV7guaud3/9ALwHQW6IkPAADotxQAAOjqFAAA/7NPVkAAw42DZVVAAFBqAGoAuMTC53f/0I2DWVBAAGoAagBTUGoAagC4N6znd/"; metadata:service smtp; reference:url,www.2-spyware.com/remove-i-worm-plemood.html; classtype:trojan-activity; sid:9349; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER morbex smtp propagation detection"; flow:to_server,established; content:"X3uiXQhvcqrqewRXAmwUkkt+UZVKSCEfAJD16IpxOluoZPgwsCe6T1GNq38tD7G1LQylWfNIZQMc|0D 0A|9sKWsKp24Yz3UxXUVnc++jxshJFqXMM2hAlWyzoRY39o9hbXxNVHGfm7emXOlh8fZP2CLWIe1AHv"; metadata:service smtp; reference:url,www.www.f-secure.com/v-descs/morbex.shtml; classtype:trojan-activity; sid:9348; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg:"MALWARE-OTHER klez.b netshare propagation detection"; flow:to_server,established; content:"lwlw@21fd.fgs|00|lgsr@21fd.fgs|00|Wtzmkyj1978@21fd.fgs|00|wtzmkyj@bdswma.fgs|00|owfp@bdswma.fgs|00|lgs@bdswma.fgs|00|rywelb@bdswma.fgs|00|gebwduff@21fd"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-011716-2500-99&tabid=2; classtype:trojan-activity; sid:9347; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER klez.b web propagation detection"; flow:to_server,established; content:"lwlw@21fd.fgs|00|lgsr@21fd.fgs|00|Wtzmkyj1978@21fd.fgs|00|wtzmkyj@bdswma.fgs|00|owfp@bdswma.fgs|00|lgs@bdswma.fgs|00|rywelb@bdswma.fgs|00|gebwduff@21fd"; metadata:service http; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-011716-2500-99&tabid=2; classtype:trojan-activity; sid:9346; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER kipis.a smtp propagation detection"; flow:to_server,established; content:"xfs9Znq3mJL1CnQXg0epFP4RHBO0n6naXaPhHWdmQaxirccYvMqyYqxiVpY//VZeM7veQEB19ehg|0A|YFK0if9HLNsz9SBqjj/QOGh01hINh2u4f6VGfrwbNSTdzqkjQnZKcB1Ind/UezfRD6KGUHmZkXfy"; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=41312; classtype:trojan-activity; sid:9345; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER kindal smtp propagation detection"; flow:to_server,established; content:"LUiv0xc0fDsKfdy6TB2EYeFCZcNNW9Fcgwxvsi/DSNbYGn8xV1NBSNxudS4jtCC5C7sLb3Ox|0D 0A|0DUKCK6zY6tuhRdoiOEtaER0YnkD4HJsDytowG4HfAwFd6v4YW9h1I54fvsQwTeyUEUGTAEG"; metadata:service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2003-073016-2910-99&tabid=2; classtype:trojan-activity; sid:9344; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER kadra smtp propagation detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Bin Ladenov zivot"; distance:0; nocase; content:"filename="; nocase; content:"Bin Ladenov zivot"; distance:0; nocase; metadata:service smtp; reference:url,www.kaspersky.com/news?id=260&ipcountry=CA#kadra; classtype:trojan-activity; sid:9343; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER paroc.a smtp propagation detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"PROSAC"; distance:0; nocase; content:"DQoJV2Vs|0D 0A|Y29tZSB0byBQUk9TQUMgKG11bHRpbWVkaWEgcGFjaykNCgkt"; metadata:service smtp; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=W32.Paroc.Worm&threatid=53258; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-061121-1025-99&tabid=2; classtype:trojan-activity; sid:9342; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9996 (msg:"MALWARE-OTHER sasser open ftp command shell"; flow:to_server,established; content:"cho off"; depth:7; nocase; content:"cmd.ftp"; distance:0; nocase; content:"_up.exe"; distance:0; nocase; reference:url,www.sophos.com/virusinfo/analyses/w32sassera.html; classtype:trojan-activity; sid:9341; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER klez.i web propagation detection"; flow:to_server,established; content:"E|5C 05|]d|9E|Z<s-d1`/d0j3d3q4k2ank-v.k/`.k.f5kn7.d+r4v>d3cpv|29|cpu/e|E6|"; metadata:service http; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?id=11837; classtype:trojan-activity; sid:9340; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER klez.g web propagation detection"; flow:to_server,established; content:"|0A 08|P|D8|{|18|0|D8 D8 18|Py80|D8|P|18 0A 08|P|D8|{@0@0y8P|18|0|B8 0A|`|00 10 0A|8 {hP|D8|y8P|18|0"; metadata:service http; reference:url,www.sophos.com/virusinfo/analyses/w32klezg.html; classtype:trojan-activity; sid:9339; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mydoom.i smtp propagation detection"; flow:to_server,established; content:"LjI2BDAAorXCxzNJTUVPLDRQ04B9WAN1VEJ5QE1mwWlkOx4gVjm42kp3LOx0Ni1UeepAb S3soFBE|0D 0A|2eN0L/d4UADTtkc7IQkKO a/NWrhyPSJSInMFcbG2vdotVqfZNTFPGIKG5hzoQwecasmOtdZACjEX"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mydoom_i.shtml; classtype:trojan-activity; sid:9338; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.x smtp propagation detection"; flow:to_server,established; content:"g8QMhcB1Fv////+DffwCdA5qZP8VYHBAAEaD/gJ81jPAXsnD|0D 0A|i0QkDIHsKN5+97cBKlNVVos1bB1XM+1oABAQVccA7d9s7xYA/9ZQNWiL2DvdD4RWAhL2N7f2|0D 0A|ahFqAgEV"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/netsky_x.shtml; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.X; classtype:trojan-activity; sid:9337; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.t smtp propagation detection"; flow:to_server,established; content:"MS4yNAC20aXJDAkCCFGoGZhQ27pRMAYDAAE/AAAAfAAAJgUAOP//|0D 0A|//9Vi+yLRQxWV4t9CDPSM8kz9oA/AHQpU2oBWyvfiV0Iivf/7f8fgPsudQyIDAKLVSDJA9fr|0D 0A|BYhc"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/netsky_t.shtml; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.T; classtype:trojan-activity; sid:9336; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.b smtp propagation detection"; flow:to_server,established; content:"0UMVleLfQgz|0D 0A|0jPJM/aAPwB0KVNqAVsr34ldCIr3/+3/H4D7LnUMiAwCi1UgyQPX6wWIXAYBQUZHJ/v/bXd1|0D 0A|4VsYgGQPAI1GAV9eXcOLRCQIU0xv/3+7fCQQTYH6AAgAAH06D7YIhc"; metadata:service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-021812-2454-99; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.B; classtype:trojan-activity; sid:9335; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER lovgate.c smtp propagation detection"; flow:to_server,established; content:"TeRqfPMR5vXWeeZ2NfAaLY1DVPPPFiBi5r34VPgF8sIEpG0shzV4b30euDVoQer6QFQy78snUIPq|0D 0A|EWuSIUAv+OGl1QNYkJXTV5/HzOViMIBfVAY2WQpM6/DVgZ5n8h0ILVu+fjHF1MpcoGgQjIjsDs68"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/lovgate.shtml; classtype:trojan-activity; sid:9334; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.e smtp propagation detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"don't be late!"; distance:0; nocase; content:"gBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAA|0A|AABQRQAATAEDAEKhoz8AAAAAAAAAAOAADwELAQI3ADAAAAAQAAAAIAcA0FIHAAAwBwAA"; pcre:"/^Subject\x3A[^\r\n]*don't\sbe\slate!/smi"; metadata:service smtp; reference:url,www.sarc.com/avcenter/venc/data/w32.mimail.e@mm.html; reference:url,www.sophos.com/virusinfo/analyses/w32mimaile.html; classtype:trojan-activity; sid:9333; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mimail.a smtp propagation detection"; flow:to_server,established; content:"g8QMX15bw1WJ5VNWV1VqAGoAaJIQQAD/dQjoVkYAAF1fXluJ7F3D/FWJ5YPs|0A|CFNWV1WLXQyLRQijMEBHAIkdNEBHAPdABAYAAAB1colF+ItFEIlF/KM0QEcAjUX4iUP8"; metadata:service smtp; reference:url,www.sarc.com/avcenter/venc/data/w32.mimail.a@mm.html; reference:url,www.sophos.com/virusinfo/analyses/w32mimaila.html; classtype:trojan-activity; sid:9332; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mydoom.m smtp propagation detection"; flow:to_server,established; content:"lo5vuBR4VSCJ1pbUTU2ox8gc4A7MEBs3U817uUY7ImH0QRZX+0j2rTCxLjEuMiWWIIQOBqYHIChO|0D 0A|szw6IGwkHhEcctMplAHMtW17PTAB6V1wlG2EO/ggyW8ZTQYiUQdbzhMuIwM4aEvQxSUDthPd7S6"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mydoom_m.shtml; classtype:trojan-activity; sid:9331; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER mydoom.e smtp propagation detection"; flow:to_server,established; content:"o/lN3R5KdgmabpkbqcebrJGVMv/b3+ITcXF4dYrKKEjm3bi1PPcb8ZqKgf//hf6sWTRLdExjstH/|0D 0A|x69YBOSAkClWPEs4oEv//3+BfjW9C702c15JmOUe8W2ey1TAvxOujvc6/7/1/0UA4y/RTfLKo95+"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/mydoom_e.shtml; classtype:trojan-activity; sid:9330; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER zhangpo smtp propagation detection"; flow:to_server,established; content:"zhangpo"; fast_pattern:only; pcre:"/^X-Mailer\x3A[^\r\n]*zhangpo/smi"; metadata:service smtp; reference:url,www.spywareremove.com/removeZhangpo.html; classtype:trojan-activity; sid:9328; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.af smtp propagation detection"; flow:to_server,established; content:"QWxldmlydXMgTmV0U2t5LWIgQ3JhY2tlZCBBbmluaGFBTUFWQyE"; metadata:service smtp; reference:url,www.f-secure.com/v-descs/netsky-af.shtml; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NETSKY.AF; classtype:trojan-activity; sid:9327; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER netsky.p smtp propagation detection"; flow:to_server,established; content:"Yid5ICdT|0D 0A|J2sneSdOJ2UndCcuJ0MnWicgJ0MnbydyJ3AqJwAAJ0QncidvJ3AncCdlJ2QnUydrJ3knTidl|0D 0A|J3QnACdTJ2sneSdOJ2UndCdGJ2knZydoJ3QncydCJ2EnYydrAAAAAHVzZXJj"; metadata:service smtp; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2004-032110-4938-99&tabid=2; reference:url,www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNETSKY%2EP&VSect=T; classtype:trojan-activity; sid:9326; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger nicespy runtime detection - smtp"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"JMail"; distance:0; nocase; content:"by"; distance:0; nocase; content:"Dimac"; distance:0; nocase; content:"NiceSpy's"; nocase; content:"email"; distance:0; nocase; content:"assistant"; distance:0; nocase; pcre:"/^X-Mailer\x3a[^\r\n]*JMail[^\r\n]*by[^\r\n]*Dimac/smi"; pcre:"/^NiceSpy\x27s\s+email\s+assistant/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097309; classtype:successful-recon-limited; sid:8544; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware deluxecommunications runtime detection - display popup ads"; flow:to_server,established; content:"/ip"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"pc_id="; nocase; http_uri; content:"pck_id="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"info="; nocase; http_uri; content:"link="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"media.dxcdirect.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*media\x2Edxcdirect\x2Ecom/smiH"; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453099974; classtype:successful-recon-limited; sid:8543; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware deluxecommunications runtime detection - collect info"; flow:to_server,established; content:"/requestimpression.aspx"; fast_pattern; nocase; http_uri; content:"ver="; nocase; http_uri; content:"guid="; nocase; http_uri; content:"host="; nocase; http_uri; content:"Host|3A| media.dxcdirect.com"; nocase; http_header; metadata:service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453099974; classtype:successful-recon-limited; sid:8542; rev:14;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger netobserve runtime detection - remote login response"; flow:established,to_client; content:"Server|3A|"; nocase; http_header; content:"NETObserve"; nocase; http_header; pcre:"/^Server\x3a[^\r\n]*NETObserve/smiH"; metadata:service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=354; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073490; classtype:successful-recon-limited; sid:8467; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger netobserve runtime detection - email notification"; flow:to_server,established; flowbits:isset,NETObserve_SMTP; content:"NETObserve"; nocase; content:"Requested"; distance:0; nocase; content:"Information"; distance:0; nocase; pcre:"/^NETObserve\s+Requested\s+Information/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=354; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073490; classtype:successful-recon-limited; sid:8466; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger netobserve runtime detection - email notification"; flow:to_server,established; content:"From|3A|"; nocase; content:"NETObserve"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*NETObserve/smi"; flowbits:set,NETObserve_SMTP; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=354; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073490; classtype:successful-recon-limited; sid:8465; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware duduaccelerator runtime detection - trace login info"; flow:to_server,established; content:"/login_cn.html"; nocase; http_uri; content:"guid="; nocase; http_uri; content:"mid="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dddlogin.dudu.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*dddlogin\x2Edudu\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2550; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097969; classtype:successful-recon-limited; sid:8463; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware duduaccelerator runtime detection - trace info downloaded"; flow:to_server,established; content:"/rep/dlinfo.html"; fast_pattern; nocase; http_uri; content:"url="; nocase; http_uri; content:"page="; nocase; http_uri; content:"product="; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"dddrep.dudu.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*dddrep\x2Edudu\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2550; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097969; classtype:successful-recon-limited; sid:8462; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware duduaccelerator runtime detection - send userinfo"; flow:to_server,established; content:"/ddd2/report_userinfo.asp"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"ddduser.dudu.com"; nocase; http_header; pcre:"/^Host\x3a[^\r\n]*ddduser\x2Edudu\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=2550; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097969; classtype:successful-recon-limited; sid:8461; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send alert out through email"; flow:to_server,established; flowbits:isset,SpyBuddy_SMTP; content:"SpyBuddy"; nocase; content:"Alert"; distance:0; nocase; pcre:"/^SpyBuddy\s+Alert/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=21; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097719; classtype:successful-recon-limited; sid:8357; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection - send log out through email"; flow:to_server,established; flowbits:isset,SpyBuddy_SMTP; content:"SpyBuddy"; nocase; content:"Activity"; distance:0; nocase; content:"Logs"; distance:0; pcre:"/^SpyBuddy\s+Activity\s+Logs/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=21; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097719; classtype:successful-recon-limited; sid:8356; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spybuddy 3.72 runtime detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"SpyBuddy"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*SpyBuddy/smi"; flowbits:set,SpyBuddy_SMTP; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:8355; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger EliteKeylogger runtime detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"<logs@logs.com>"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*\x3Clogs\x40logs\x2Ecom\x3E/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=814; classtype:successful-recon-limited; sid:7857; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware winsysba-a runtime detection - track surfing activity"; flow:to_server,established; content:"/url_sp2.asp"; fast_pattern; nocase; http_uri; content:"keyword="; nocase; http_uri; content:"url="; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"vb"; nocase; http_header; content:"wininet"; nocase; http_header; pcre:"/^User-Agent\x3A[^\r\n]*vb\s+wininet/smiH"; metadata:service http; reference:url,secunia.com/virus_information/26844/winsysba-a/; classtype:successful-recon-limited; sid:7856; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger clogger 1.0 runtime detection - send log through email"; flow:to_server,established; flowbits:isset,Clogger_SendLogOut2; content:"<----------- Fin du Fichier ----------- >"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=824; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068235; classtype:successful-recon-limited; sid:7847; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger clogger 1.0 runtime detection"; flow:to_server,established; flowbits:isset,Clogger_SendLogOut1; content:"|23 23 23 23|"; nocase; content:"Fen|EA|tre |3A|"; distance:0; nocase; content:"|23 23 23 23|"; distance:0; nocase; pcre:"/\x23\x23\x23\x23\s+Fen\xeatre\s+\x3a[^\r\n]*\x23\x23\x23\x23/smi"; flowbits:set,Clogger_SendLogOut2; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7846; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger clogger 1.0 runtime detection"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"Keylogger"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*Keylogger/smi"; flowbits:set,Clogger_SendLogOut1; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7845; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spyoutside runtime detection - email delivery"; flow:to_server,established; content:"From|3A|"; nocase; content:"SpyOuTSiDe@CurrenTChaoS.Tk"; distance:0; nocase; pcre:"/^From\x3A\s+SpyOuTSiDe\x40CurrenTChaoS\x2ETk/smi"; content:"Subject|3A|"; nocase; content:"SpYOuTSiDe"; distance:0; nocase; content:"transmission"; distance:0; nocase; content:"with"; distance:0; nocase; content:"log"; distance:0; nocase; pcre:"/^Subject\x3A\s+\x5B\d+\x5D\x2D\s+SpYOuTSiDe\s+transmission\s+with\s+log\s+\x2D/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.spyoutside.html; classtype:successful-recon-limited; sid:7837; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spy lantern keylogger runtime detection"; flow:to_server,established; flowbits:isset,LanternKeylogger; content:"filename="; nocase; content:".ltr"; distance:0; nocase; pcre:"/filename=\x22[^\r\n]*\x2Eltr\x22/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083297; classtype:successful-recon-limited; sid:7597; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spy lantern keylogger runtime detection - flowbit set"; flow:to_server,established; content:"Hello."; nocase; content:"This"; distance:0; nocase; content:"letter"; distance:0; nocase; content:"contains"; distance:0; nocase; content:"logfile"; distance:0; nocase; content:"from"; distance:0; nocase; pcre:"/Hello\x2E\s+This\s+letter\s+contains\s+logfile\s+from/smi"; flowbits:set,LanternKeylogger; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083297; classtype:successful-recon-limited; sid:7596; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger keylogger pro runtime detection"; flow:to_server,established; flowbits:isset,KeyloggerPro_SMTP; content:"Keylogger"; nocase; content:"Pro"; distance:0; nocase; content:"Activity"; distance:0; nocase; content:"Logs"; distance:0; pcre:"/^Keylogger\s+Pro\s+Activity\s+Logs/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spyany.com/keylogger.html; classtype:successful-recon-limited; sid:7592; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger keylogger pro runtime detection - flowbit set"; flow:to_server,established; content:"From|3A|"; nocase; content:"Keylogger-Pro"; distance:0; nocase; pcre:"/^From\x3a[^\r\n]*Keylogger-Pro/smi"; flowbits:set,KeyloggerPro_SMTP; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7591; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger proagent 2.0 runtime detection"; flow:to_server,established; content:"HELO"; nocase; content:"ProAgent"; distance:0; nocase; pcre:"/^HELO\s+ProAgent/smi"; content:"From|3A|"; nocase; content:"ProAgent"; distance:0; nocase; pcre:"/^From\x3A\s+\x22ProAgent\s+v\d+\x2E\d+\x22/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.2-spyware.com/remove-trojanspy-win32-proagent.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076925; classtype:successful-recon-limited; sid:7574; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware webhancer runtime detection"; flow:to_server,established; content:"POST"; depth:4; nocase; content:"X-AT|3A|"; nocase; http_header; content:"X-CI|3A|"; nocase; http_header; content:"Host|3A|"; nocase; http_header; content:"webhancer.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*webhancer\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=26; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=43482; classtype:successful-recon-limited; sid:7568; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware purityscan runtime detection - opt out of interstitial advertising"; flow:to_server,established; content:"/ps/ps_uninstaller.exe"; fast_pattern; nocase; http_uri; content:"Host|3A|"; nocase; http_header; content:"www.purityscan.com"; nocase; http_header; pcre:"/^Host\x3A[^\r\n]*www\x2Epurityscan\x2Ecom/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7561; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware purityscan runtime detection - self update"; flow:to_server,established; content:"/query.php"; fast_pattern; nocase; http_uri; content:"v="; nocase; content:"b="; distance:0; nocase; content:"vt="; distance:0; nocase; content:"c="; distance:0; nocase; content:"os="; distance:0; nocase; content:"lang="; distance:0; nocase; content:"pl="; distance:0; nocase; content:"z="; distance:0; nocase; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7560; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware purityscan runtime detection - track user activity and status"; flow:to_server,established; content:"/count.cgi?clickspring"; nocase; http_uri; content:"www.clickspring.net/cs/pop4/frame_ver2.html"; fast_pattern; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7559; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware purityscan runtime detection - installation notify"; flow:to_server,established; content:"/install/notify.php?"; fast_pattern; nocase; http_uri; content:"pid="; nocase; http_uri; content:"module="; nocase; http_uri; content:"v="; nocase; http_uri; content:"b="; nocase; http_uri; content:"result="; nocase; http_uri; content:"message="; nocase; http_uri; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7558; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware purityscan runtime detection - start up"; flow:to_server,established; content:"/cs/pop4/"; fast_pattern; nocase; http_uri; content:".html"; nocase; http_uri; pcre:"/\x2Fcs\x2Fpop4\x2F((frame_ver2)|(UI2))\x2Ehtml/Ui"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=618; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073488; classtype:successful-recon-limited; sid:7557; rev:12;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger ardamax keylogger runtime detection - ftp"; flow:to_server,established; content:"{D082139B-D5E4-4e63-B866-9BFC97880A48}"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=526; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094248; classtype:successful-recon-limited; sid:7552; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger ardamax keylogger runtime detection - smtp"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"ATL"; distance:0; nocase; content:"CSmtp"; distance:0; nocase; content:"Class"; distance:0; nocase; content:"Mailer"; distance:0; nocase; content:"by"; distance:0; nocase; content:"Robert"; distance:0; nocase; content:"Simpson"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*ATL\s+CSmtp\s+Class\s+Mailer\s+by\s+Robert\s+Simpson\s+\x28robert\x40blackcastlesoft\x2Ecom\x29/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=526; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453094248; classtype:successful-recon-limited; sid:7551; rev:9;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 15165 (msg:"MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection"; content:"|1D BA 0B FB|d|5C 86 E1 DA 83|BC|B6 04 E0|^|0A|@|C5 D4 00 00 00 00 00 00 00 00|"; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=343; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=35592; classtype:successful-recon-limited; sid:7549; rev:8;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 15165 (msg:"MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection - agent up notification"; content:"|00 00 00 00 00 00 00 00|"; depth:8; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=343; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=35592; classtype:successful-recon-limited; sid:7548; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 15164 (msg:"MALWARE-OTHER Keylogger activity monitor 3.8 runtime detection - agent status monitoring"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=343; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=35592; classtype:successful-recon-limited; sid:7547; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger PerfectKeylogger runtime detection"; flow:to_server,established; flowbits:isset,PerfectKeylogger2; content:"This is a Perfect Keylogger report"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=588; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073333; classtype:successful-recon-limited; sid:7546; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger PerfectKeylogger runtime detection - flowbit set 2"; flow:to_server,established; flowbits:isset,PerfectKeylogger1; content:"filename=|22|keystrokes.html|22|"; depth:300; nocase; flowbits:set,PerfectKeylogger2; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=588; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073333; classtype:successful-recon-limited; sid:7545; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger PerfectKeylogger runtime detection - flowbit set 1"; flow:to_server,established; content:"X-Mailer|3A| CSMTPConnection"; depth:256; nocase; flowbits:set,PerfectKeylogger1; flowbits:noalert; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=588; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073333; classtype:successful-recon-limited; sid:7544; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger starlogger runtime detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"|22|StarLogger|22|"; distance:0; nocase; content:"Subject|3A| StarLogger information"; distance:0; nocase; content:"Please find attached the StarLogger log file named"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=922; classtype:successful-recon-limited; sid:7541; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger eye spy pro 1.0 runtime detection"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"Eye"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"Pro"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*Eye\s+Spy\s+Pro/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.softslist.com/download-9-50-20783.html; classtype:successful-recon-limited; sid:7539; rev:9;)
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger watchdog runtime detection - remote monitoring"; flow:to_client,established; content:"Server|3A|"; nocase; http_header; content:"WatchDog"; fast_pattern:only; http_header; content:"Server"; nocase; http_header; pcre:"/Server\x3a[^\r\n]*WatchDog[^\r\n]*Server/smiH"; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7515; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger watchdog runtime detection - send out info to server periodically"; flow:to_server,established; content:"S|3A|Users"; fast_pattern:only; pcre:"/^S\x3aUsers\x5c\d+\x2cSTATSTimeTotal/smi"; metadata:impact_flag red; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7514; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger watchdog runtime detection - init connection"; flow:to_server,established; flowbits:isset,WatchDog_Init_Connection; content:"I|3A|NAME|3A|"; fast_pattern:only; pcre:"/^I\x3aNAME\x3a/smi"; metadata:impact_flag red; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7513; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Keylogger watchdog runtime detection - init connection - flowbit set"; flow:to_client,established; content:"N|3A|UC|3A|"; fast_pattern:only; pcre:"/^N\x3aUC\x3a\d+\x2c\d+\x2e\d+\x2e\d+\x2e\d+\x2c/smi"; flowbits:set,WatchDog_Init_Connection; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453098060; classtype:successful-recon-limited; sid:7512; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger actualspy runtime detection - smtp"; flow:to_server,established; content:"<title>"; nocase; content:"Actual"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"software"; distance:0; nocase; content:"report"; distance:0; nocase; content:"</title>"; distance:0; nocase; pcre:"/\<title\>Actual\s+Spy\s+software\s+report\<\x2Ftitle\>/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086496; classtype:successful-recon-limited; sid:7505; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 20 (msg:"MALWARE-OTHER Keylogger actualspy runtime detection - ftp-data"; flow:to_client,established; content:"<title>"; nocase; content:"Actual"; distance:0; nocase; content:"Spy"; distance:0; nocase; content:"software"; distance:0; nocase; content:"report"; distance:0; nocase; content:"</title>"; distance:0; nocase; pcre:"/\<title\>Actual\s+Spy\s+software\s+report\<\x2Ftitle\>/smi"; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086496; classtype:successful-recon-limited; sid:7504; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware shopathome runtime detection - setcookie request"; flow:to_server,established; content:"/setcookie.asp?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"s="; nocase; http_uri; content:"Referer|3A|"; nocase; http_header; content:"discounts.shopathome.com/frameset.asp?"; nocase; http_header; pcre:"/^Referer\x3A[^\r\n]*http\x3A\x2F\x2Fdiscounts\x2Eshopathome\x2Ecom\x2Fframeset\x2Easp\?/smiH"; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076082; classtype:successful-recon-limited; sid:7189; rev:8;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger kgb Keylogger runtime detection"; flow:to_server,established; content:"filename="; nocase; content:"zip"; distance:0; nocase; pcre:"/filename\x3D\x22[^\r\n]*?\x2D\d+\x5F\d+\x5F\d+\x2D\d+\x5F\d+\x5F\d+\s+[AP]M\x2Ezip/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1328; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096494; classtype:successful-recon-limited; sid:7186; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER Keylogger 007 spy software runtime detection - ftp"; flow:to_server,established; content:"STOR"; fast_pattern:only; pcre:"/^STOR\s+\x2E\x2F(kys|scr|Apps|Urls)[0-9]+\x2Etxt/smi"; metadata:service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1137; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082794; classtype:successful-recon-limited; sid:7185; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger 007 spy software runtime detection - smtp"; flow:to_server,established; content:"From|3A| |22|007 Spy Agent|22|"; nocase; content:"Subject|3A| 007 Monitoring Log Report"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1137; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082794; classtype:successful-recon-limited; sid:7184; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection"; flow:to_client,established; flowbits:isset,DesktopDetective_InitConnection2; content:"|FE FE FE FE|90|00 00|"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=349; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060318; classtype:successful-recon-limited; sid:7180; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection"; flow:to_server,established; flowbits:isset,DesktopDetective_InitConnection1; content:"|FE FE FE FE 00 00 00 00|"; depth:8; content:"DDController"; distance:0; nocase; flowbits:set,DesktopDetective_InitConnection2; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7179; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger desktop detective 2000 runtime detection - init connection"; flow:to_client,established; content:"|FE FE FE FE|90|00 00|"; depth:8; content:"Private"; distance:0; nocase; content:"Server,"; distance:0; nocase; content:"Login"; distance:0; nocase; content:"Required"; distance:0; nocase; flowbits:set,DesktopDetective_InitConnection1; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:successful-recon-limited; sid:7178; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - info send through email"; flow:to_server,established; content:"From|3A|"; nocase; content:"<logs@dummyserver.com>"; distance:0; content:"Subject|3A|"; nocase; content:"Logs"; distance:0; nocase; content:"X-Mailer|3A|"; nocase; content:"Built-in Mail"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076050; classtype:successful-recon-limited; sid:7177; rev:10;)
# alert tcp $HOME_NET 868 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - log retrieve"; flow:to_client,established; flowbits:isset,ABSystemSpy_LogRetrieve; content:"FILEINFO|7C|"; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076050; classtype:successful-recon-limited; sid:7176; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 868 (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - log retrieve"; flow:to_server,established; content:"Send me the logs, please"; flowbits:set,ABSystemSpy_LogRetrieve; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; classtype:successful-recon-limited; sid:7175; rev:6;)
# alert tcp $HOME_NET 868 <> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange"; flow:established; flowbits:isset,ABSystemSpy_Inforetrieve4; content:"chkCtr"; depth:6; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076050; classtype:successful-recon-limited; sid:7169; rev:9;)
alert tcp $HOME_NET 868 <> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 4"; flow:established; flowbits:isset,ABSystemSpy_Inforetrieve3; content:"chkCap"; depth:6; flowbits:set,ABSystemSpy_Inforetrieve4; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; classtype:successful-recon-limited; sid:7168; rev:7;)
alert tcp $HOME_NET 868 <> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 3"; flow:established; flowbits:isset,ABSystemSpy_Inforetrieve2; content:"chkCli"; depth:6; flowbits:set,ABSystemSpy_Inforetrieve3; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; classtype:successful-recon-limited; sid:7167; rev:8;)
alert tcp $HOME_NET 868 <> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 2"; flow:established; flowbits:isset,ABSystemSpy_Inforetrieve1; content:"chkShe"; depth:6; flowbits:set,ABSystemSpy_Inforetrieve2; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; classtype:successful-recon-limited; sid:7166; rev:8;)
alert tcp $HOME_NET 868 <> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger ab system spy runtime detection - information exchange - flowbit set 1"; flow:established; content:"chkLis"; depth:6; flowbits:set,ABSystemSpy_Inforetrieve1; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=591; classtype:successful-recon-limited; sid:7165; rev:8;)
# alert tcp $HOME_NET 10050 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - execute file server-to-client"; flow:to_client,established; flowbits:isset,winspy_execute_client-to-server; content:"/RF|16|"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7164; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10050 (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - execute file client-to-server"; flow:to_server,established; content:"/RF"; fast_pattern:only; pcre:"/\x2FRF[^\r\n]*\x16/smi"; flowbits:set,winspy_execute_client-to-server; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7163; rev:6;)
# alert tcp $HOME_NET 10050 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - download file server-to-client"; flow:to_client,established; flowbits:isset,winspy_download_client-to-server; content:"/CU"; fast_pattern:only; pcre:"/\x2FCU[^\r\n]*\x18\d+\x18\x16/smi"; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7162; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10050 (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - download file client-to-server"; flow:to_server,established; content:"/CD"; fast_pattern:only; pcre:"/\x2FCD[^\r\n]*\x18\x16/smi"; flowbits:set,winspy_download_client-to-server; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7161; rev:6;)
# alert tcp $HOME_NET 10050 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - upload file server-to-client"; flow:to_client,established; flowbits:isset,winspy_upload_client-to-server; content:"/CK|16|"; fast_pattern:only; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7160; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10050 (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - upload file client-to-server"; flow:to_server,established; content:"/CU"; nocase; content:"True"; distance:0; nocase; pcre:"/\x2FCU[^\r\n]*\x18\d+\x18True\x18\x16/smi"; flowbits:set,winspy_upload_client-to-server; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7159; rev:5;)
# alert tcp $HOME_NET 10050 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - remote conn server-to-client"; flow:to_client,established; flowbits:isset,winspy_conn_client-to-server; content:"/CK|16|"; depth:4; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7158; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10050 (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - remote conn client-to-server"; flow:to_server,established; content:"/CLUserName|18|Password|16|"; depth:21; nocase; flowbits:set,winspy_conn_client-to-server; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7157; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger win-spy runtime detection - email delivery"; flow:to_server,established; content:"X-Mailer|3A|"; nocase; content:"_ANSMTP_"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"LOG"; distance:0; nocase; content:"FILE"; distance:0; nocase; content:"Current"; distance:0; nocase; content:"User|3A|"; distance:0; nocase; pcre:"/^X-Mailer\x3A[^\r\n]*_\d+_ANSMTP_\d+_.*Subject\x3A[^\r\n]*LOG\s+FILE\s+Current\s+User\x3A/smi"; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,securityresponse.symantec.com/avcenter/venc/data/spyware.winspy.html; reference:url,www.spywareguide.com/product_show.php?id=715; classtype:successful-recon-limited; sid:7156; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger active keylogger home runtime detection"; flow:to_server,established; content:"Active"; nocase; content:"Keylogger"; distance:0; nocase; content:"Home"; distance:0; nocase; content:"Report"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1720; classtype:successful-recon-limited; sid:7154; rev:9;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 15165 (msg:"MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent up notification"; content:"|00 00 00 00 0A 02 08 A6|"; depth:8; content:"|02 00 00|v"; distance:0; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=879; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075982; classtype:successful-recon-limited; sid:6386; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 15164 (msg:"MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent status monitoring"; content:"|0A 02 08 FE 00|"; depth:5; offset:4; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=879; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075982; classtype:successful-recon-limited; sid:6385; rev:8;)
# alert udp $EXTERNAL_NET any -> 255.255.255.255 15164 (msg:"MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - agent discover broadcast"; flow:to_server; content:"|00|]B|00 0A 02 08 FE 01 FC 12 00|"; depth:12; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=879; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075982; classtype:successful-recon-limited; sid:6384; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 15163 (msg:"MALWARE-OTHER Keylogger stealthwatcher 2000 runtime detection - tcp connection setup"; flow:to_server,established; content:"|04 00 00 00|"; depth:4; content:"|FF D8 FF E0 00 10|JFIF|00 01 01 00 00 00 00 00 00 00 FF DB 00|C|00 08 06 06 07 06 05 08 07 07 07 09 09 08 0A 0C 14 0D 0C 0B 0B 0C 19 12 13 0F 14 1D 1A 1F 1E 1D 1A 1C 1C| |24|.' |22|,|23 1C 1C 28|7|29|,01444|1F|'9=82<.342|FF DB 00|C|01|"; distance:0; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=879; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075982; classtype:successful-recon-limited; sid:6383; rev:6;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Sony rootkit runtime detection"; flow:to_server,established; content:"User-Agent|3A|"; nocase; http_header; content:"SecureNet"; fast_pattern; nocase; http_header; content:"Xtra"; distance:0; nocase; pcre:"/^User-Agent\x3A[^\r\n]*SecureNet\s+Xtra/smiH"; pcre:"/^Host\x3A[^\r\n]*sonymusic\x2Ecom/smiH"; metadata:service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.schneier.com/blog/archives/2005/11/sonys_drm_rootk.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096362; classtype:misc-activity; sid:6365; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger handy keylogger runtime detection"; flow:to_server,established; content:"Subject|3A| "; nocase; content:"Handy Keylogger|3A|"; distance:0; nocase; content:"PRODUCED BY HANDY KEYLOGGER LOG PARSER"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1103; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096599; classtype:successful-recon-limited; sid:6340; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger computerspy runtime detection"; flow:to_server,established; content:"From|3A| keys<keys@hotpop.com>"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=449; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072991; classtype:successful-recon-limited; sid:6221; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger boss everyware runtime detection"; flow:to_server,established; content:"X-Mailer|3A| Boss Everyware"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.scanspyware.net/info/BossEveryWare.htm; reference:url,www.spywareguide.com/product_show.php?id=4; classtype:successful-recon-limited; sid:6220; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER Keylogger winsession runtime detection - ftp"; flow:to_server,established; content:"_WinSession Logger.clk"; fast_pattern:only; metadata:service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097713; classtype:successful-recon-limited; sid:6208; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger winsession runtime detection - smtp"; flow:to_server,established; content:"===========>"; nocase; content:"WinSession Logger"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453097713; classtype:successful-recon-limited; sid:6207; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger eblaster 5.0 runtime detection"; flow:to_server,established; content:"X-SpectorSerial|3A|"; nocase; content:"X-SpectorMachineID|3A|"; fast_pattern:only; content:"X-SpectorBuild|3A|"; nocase; content:"eBlaster"; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=8; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090687; classtype:successful-recon-limited; sid:6190; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware e2give runtime detection - redirect affiliate site request 2"; flow:to_server,established; content:"/fs-bin/swat?"; nocase; http_uri; content:"lsnsig="; nocase; http_uri; content:"offerid="; nocase; http_uri; content:"Referer|3A| e2give.com"; fast_pattern; nocase; http_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5909; rev:11;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware e2give runtime detection - redirect affiliate site request 1"; flow:to_server,established; content:"/fs-bin/click?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"offerid="; nocase; http_uri; content:"type="; nocase; http_uri; content:"Referer|3A| e2give.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5908; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware e2give runtime detection - check update"; flow:to_server,established; content:"/go/check?"; nocase; http_uri; content:"build="; nocase; http_uri; content:"source="; nocase; http_uri; content:"Host|3A| e2give.com"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,www.spywareguide.com/product_show.php?id=1226; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075049; classtype:successful-recon-limited; sid:5907; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spyagent runtime detect - alert notification"; flow:to_server,established; content:"This is an alert notification from SpyAgent"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=22; classtype:successful-recon-limited; sid:5882; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER Keylogger spyagent runtime detect - ftp delivery"; flow:to_server,established; content:"STOR spyagent-log"; fast_pattern:only; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips alert, service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=22; classtype:successful-recon-limited; sid:5881; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger spyagent runtime detect - smtp delivery"; flow:to_server,established; content:"Computer IP Address|3A|"; nocase; content:"Attached to this email are the activity logs that you have requested"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=22; classtype:successful-recon-limited; sid:5880; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware ucmore runtime detection - click sponsor/ad link"; flow:to_server,established; content:"/click.asp?"; nocase; http_uri; content:"Host|3A| sponsor2.ucmore.com"; fast_pattern:only; metadata:service http; reference:url,www.spywareguide.com/product_show.php?id=776; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=58660; classtype:successful-recon-limited; sid:5839; rev:9;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Trackware myway speedbar runtime detection - switch engines"; flow:to_server,established; content:"PG=SPEEDBAR"; nocase; http_uri; pcre:"/\.(jsp|html)\?[^\r\n]*PG=SPEEDBAR/Ui"; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy security-ips drop, service http; reference:url,www.adwarereport.com/mt/archives/000062.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453090405; classtype:successful-recon-limited; sid:5805; rev:13;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger pc actmon pro runtime detection - smtp"; flow:to_server,established; content:"X-Sender|3A| ActMon"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1989; classtype:successful-recon-limited; sid:5790; rev:11;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger runtime detection - hwae urls browsed log"; flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWAE URLS Browsed LOG"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5784; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger runtime detection - hwae keystrokes log"; flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWAE Keystrokes LOG"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5783; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger runtime detection - hwae word filtered echelon log"; flow:to_server,established; content:"Subject|3A| HWAE Word Filtered Echelon LOG"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5782; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger runtime detection - hwae windows activity logs"; flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWAE Windows Activity LOG"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5781; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger runtime detection - hwpe word filtered echelon log"; flow:to_server,established; content:"Subject|3A| HWPE Word Filtered Echelon LOG"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5780; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger runtime detection - hwpe shell file logs"; flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWPE Shell/File LOG"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5779; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger runtime detection - hwpe windows activity logs"; flow:to_server,established; content:"Subject|3A| "; nocase; content:"HWPE Windows Activity LOG"; distance:0; nocase; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=436; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080851; classtype:successful-recon-limited; sid:5778; rev:9;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger gurl watcher runtime detection"; flow:to_server,established; content:"X-Mailer|3A| GURL Watcher"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=503; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080847; classtype:successful-recon-limited; sid:5777; rev:10;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-OTHER Keylogger fearlesskeyspy runtime detection"; flow:to_server,established; content:"STOR"; nocase; content:"FKS_"; distance:0; nocase; pcre:"/^STOR\s+FKS_\w+_\d+-\d+-\d+\.log/i"; metadata:service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=553; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076298; classtype:successful-recon-limited; sid:5759; rev:7;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Keylogger activitylogger runtime detection"; flow:to_server,established; content:"X-Mailer|3A| SoftActivity Mailer"; fast_pattern:only; metadata:service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=32; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080822; classtype:successful-recon-limited; sid:5742; rev:11;)
# alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:10;)
# alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"MALWARE-OTHER mstream client to handler"; flow:to_server,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream agent pong to handler"; flow:to_server; content:"pong"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:246; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream handler ping to agent"; flow:to_server; content:"ping"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream handler to agent"; flow:to_server; content:"stream/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"MALWARE-OTHER mstream agent to handler"; flow:to_server; content:"newserver"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:243; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"MALWARE-OTHER shaft agent to handler"; flow:to_server; content:"alive"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:240; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"MALWARE-OTHER shaft handler to agent"; flow:to_server; content:"alive tijgu"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:239; rev:10;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"MALWARE-OTHER Trin00 Master to Daemon default password attempt"; flow:to_server; content:"l44adsl"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:237; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:235; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:234; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:233; rev:11;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon to Master *HELLO* message detected"; flow:to_server; content:"*HELLO*"; metadata:ruleset community; reference:cve,2000-0138; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon to Master message detected"; flow:to_server; content:"l44"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:231; rev:11;)
# alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER shaft client login to handler"; flow:to_client,established; content:"login|3A|"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:13;)
# alert udp $EXTERNAL_NET any -> $HOME_NET [31335,35555] (msg:"MALWARE-OTHER Trin00 Daemon to Master PONG message detected"; flow:to_server; content:"PONG"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:223; rev:13;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-OTHER self-signed SSL certificate with default Internet Widgits Pty Ltd organization name"; flow:established,to_client; ssl_state:server_hello; content:"|55 04 0A 13 18|Internet Widgits Pty Ltd"; fast_pattern:only; metadata:impact_flag red, service ssl; reference:url,attack.mitre.org/techniques/T1078; reference:url,blog.talosintel.com/2011/07/do-you-really-trust-that-certificate.html; reference:url,en.wikipedia.org/wiki/Self-signed_certificate; reference:url,security.ncsa.illinois.edu/research/grid-howtos/usefulopenssl.html; classtype:policy-violation; sid:19551; rev:11;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER OSX.Trojan.HackBack file upload attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"Interview_Venue_and_Questions.app/Contents/MacOS/FileBackupUX"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27060; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.HackBack file download attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"Interview_Venue_and_Questions.app/Contents/MacOS/FileBackupUX"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/172d54f2ed2c422ab063c57d00c8ed44fcb2f18aa068a289308a1207d79de42d/analysis/; classtype:trojan-activity; sid:27059; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Win.Trojan.Yakes download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:":|5C|Motor Life|5C|Rotor.pdb"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27056; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Yakes download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:":|5C|Motor Life|5C|Rotor.pdb"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/f0c7b3c9dfc89a45b4131974ea5a6ab0/analysis/; classtype:trojan-activity; sid:27055; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Trojan.Java.JVDrop.A jar file download attempt"; flow:to_server,established; flowbits:isset,file.jar; file_data; content:"WebEnhancer.class"; fast_pattern:only; content:"META-INF/SIGNAPPL.SF"; content:"META-INF/SIGNAPPL.DSA"; within:30; distance:40; content:"win"; within:170; distance:150; nocase; content:"mac"; within:20; distance:60; nocase; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/53cd1d6a1cc64d4e8275a22216492b76db186cfb38cec6e7b3cfb7a87ccb3524/analysis/; classtype:trojan-activity; sid:27053; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Trojan.Java.JVDrop.A jar file download attempt"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"WebEnhancer.class"; fast_pattern:only; content:"META-INF/SIGNAPPL.SF"; content:"META-INF/SIGNAPPL.DSA"; within:30; distance:40; content:"win"; within:170; distance:150; nocase; content:"mac"; within:20; distance:60; nocase; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/53cd1d6a1cc64d4e8275a22216492b76db186cfb38cec6e7b3cfb7a87ccb3524/analysis/; classtype:trojan-activity; sid:27052; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Win.Trojan.Dokstormac file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"wrUz2WzrY5v/P3E8LObWW7nrH4/a"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/9576c9d64a8eaefb1c76e099cba98813/analysis/; classtype:trojan-activity; sid:27051; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Dokstormac file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"wrUz2WzrY5v/P3E8LObWW7nrH4/a"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/9576c9d64a8eaefb1c76e099cba98813/analysis/; classtype:trojan-activity; sid:27050; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Win.Backdoor.Transhell file download"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"Hello,Hell!"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/file/204c13f7ed2d3e5c78f3ef8a44eb561c/analysis/; classtype:trojan-activity; sid:27035; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Backdoor.Transhell file download"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"Hello,Hell!"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/204c13f7ed2d3e5c78f3ef8a44eb561c/analysis/; classtype:trojan-activity; sid:27034; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER UNIX.Trojan.Netweird.A file download attempt"; flow:to_client,established; file_data; content:"/bin/sh|00|/bin/bash"; nocase; content:"libmozsqlite3"; within:100; nocase; content:"opera/wand.dat"; within:50; distance:400; nocase; content:"Exec=|22|%s|22|"; within:50; distance:500; nocase; content:"%.2d/%.2d/%d %.2d:%.2d:%.2d"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/257da8c8b296dac6b029004ed06253fe622c5438b4a47b7dfbb87323b64f50a1/analysis/1354885571/; classtype:trojan-activity; sid:27025; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Netweird.A file download attempt"; flow:to_client,established; file_data; content:"/bin/sh|00|/bin/bash"; nocase; content:"Opera/wand.dat"; within:100; nocase; content:"libmozsqlite3.dylib"; within:50; distance:114; content:"select *  from moz_logins"; within:50; distance:679; content:"%.2d/%.2d/%d %.2d:%.2d:%.2d"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/257da8c8b296dac6b029004ed06253fe622c5438b4a47b7dfbb87323b64f50a1/analysis/1354885571/; classtype:trojan-activity; sid:27024; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Pintsized file download attempt"; flow:to_client,established; file_data; content:"<plist><dict>"; depth:15; offset:8; nocase; content:"<string>/usr/bin/perl</string>"; within:256; nocase; content:"use Socket|3B|"; within:128; nocase; content:"open(STDIN"; within:512; nocase; content:"|3B|exec(|22|/bin/sh -i"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/490d6a45bd7e5ee265373f46fd00e98ff2eb854c0ceda024aa3adaefd947202f/analysis/; classtype:trojan-activity; sid:27198; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Pintsized file download attempt"; flow:to_client,established; file_data; content:"<plist><dict>"; depth:15; offset:8; nocase; content:"<string>/Users/"; within:128; nocase; content:"/.cups/cupsd</string><string>-z</string>"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/3b829abe42252b2fa8d304b93a35090c23f3702ad048adfdd03942f77e0f5a66/analysis/; classtype:trojan-activity; sid:27197; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER IFRAMEr Tool code injection attack"; flow:to_client,established; file_data; content:"a=0|3B|z=|22|y|22 3B|try{a*=25}catch("; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:url,malwaremustdie.blogspot.jp/2013/07/proof-of-concept-of-cookiebomb-attack.html; classtype:misc-activity; sid:27229; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Janicab file download attempt"; flow:to_client,established; file_data; content:"RecentNews|2E E2 80 AE|fdp.app"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.f-secure.com/weblog/archives/00002576.html; classtype:attempted-admin; sid:27228; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; classtype:trojan-activity; sid:27246; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"<!--0c0896-->"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27550; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Osx.Trojan.Janicab file download attempt"; flow:to_server,established; flowbits:isset,file.pyc; file_data; content:"Libs/Starter"; fast_pattern:only; pcre:"/Libs\/Starter(CmdExec|NetUtils|Rec|ScreenShots|Settings)\.py/"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27549; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Osx.Trojan.Janicab file download attempt"; flow:to_client,established; flowbits:isset,file.pyc; file_data; content:"Libs/Starter"; fast_pattern:only; pcre:"/Libs\/Starter(CmdExec|NetUtils|Rec|ScreenShots|Settings)\.py/"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2012-0158; reference:url,www.virustotal.com/file/3bc13adad9b7b60354d83bc27a507864a2639b43ec835c45d8b7c565e81f1a8f/analysis/; classtype:trojan-activity; sid:27548; rev:3;)
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name"; flow:established,to_client; ssl_state:server_hello; content:"|55 04 0A|"; content:"|0E|MyCompany Ltd"; within:14; distance:1; metadata:impact_flag red, ruleset community, service ssl; reference:url,attack.mitre.org/techniques/T1078; reference:url,en.wikipedia.org/wiki/Self-signed_certificate; reference:url,security.ncsa.illinois.edu/research/grid-howtos/usefulopenssl.html; classtype:policy-violation; sid:27538; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER HideMeBetter spam injection variant"; flow:to_client,established; file_data; content:"<div id=|22|HideMeBetter|22|>"; fast_pattern:only; content:"if(document|2E|getElementById(|22|HideMeBetter|22|)|20 21 3D 20|null)"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html; classtype:trojan-activity; sid:27565; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Fake Adobe Flash Player malware binary requested"; flow:to_server,established; content:"&filename=Flash Player "; http_uri; content:".exe"; within:8; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27595; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake Adobe Flash Player update warning enticing clicks to malware payload"; flow:to_client,established; file_data; content:"WARNING|21| You should update your Flash Player Immediately"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:27594; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Kuluoz outbound download request"; flow:to_server,established; content:"?message="; fast_pattern:only; http_uri; pcre:"/(info|app)\x2ephp\x3fmessage\x3d/U"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,malwaremustdie.blogspot.com/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:28006; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt"; flow:to_server,established; file_data; content:"|22|opener: wrote LittleSnitch StartupParameters.plist |22| |3E 3E| |2F|.performance.txt"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b0ac156a6da66af84511438580a392608d4268f6f74caa32af6d693cbbeba0ab/analysis/; classtype:trojan-activity; sid:27961; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt"; flow:to_server,established; file_data; content:"|22|opener: Finished move to System Library StartupItems |22| |3E 3E| |2F|.performance.txt"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b0ac156a6da66af84511438580a392608d4268f6f74caa32af6d693cbbeba0ab/analysis/; classtype:trojan-activity; sid:27960; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER OSX.Trojan.Renepo rootkit upload attempt"; flow:to_server,established; file_data; content:"|22|opener: Finished gather system-wide info |22| |3E 3E| |2F|.performance.txt"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b0ac156a6da66af84511438580a392608d4268f6f74caa32af6d693cbbeba0ab/analysis/; classtype:trojan-activity; sid:27959; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt"; flow:to_client,established; file_data; content:"|22|opener: wrote LittleSnitch StartupParameters.plist |22| |3E 3E| |2F|.performance.txt"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b0ac156a6da66af84511438580a392608d4268f6f74caa32af6d693cbbeba0ab/analysis/; classtype:trojan-activity; sid:27958; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt"; flow:to_client,established; file_data; content:"|22|opener: Finished move to System Library StartupItems |22| |3E 3E| |2F|.performance.txt"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b0ac156a6da66af84511438580a392608d4268f6f74caa32af6d693cbbeba0ab/analysis/; classtype:trojan-activity; sid:27957; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER OSX.Trojan.Renepo rootkit download attempt"; flow:to_client,established; file_data; content:"|22|opener: Finished gather system-wide info |22| |3E 3E| |2F|.performance.txt"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b0ac156a6da66af84511438580a392608d4268f6f74caa32af6d693cbbeba0ab/analysis/; classtype:trojan-activity; sid:27956; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Stoberox outbound communication attempt"; flow:to_server,established; urilen:17; content:"LSpJAIj4Xvni"; fast_pattern:only; content:"CONNECT"; http_method; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/daa4ea82294fa2c1a29a6e45feb67cfc06fa87e5e08d1f9333c989fa298e8d11/analysis/; classtype:trojan-activity; sid:28365; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER SimpleTDS - request to go.php"; flow:to_server,established; content:"/go.php?sid="; fast_pattern:only; http_uri; metadata:service http; reference:url,www.simpletds.com; classtype:misc-activity; sid:28348; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER SimpleTDS - page redirecting to a SimpleTDS"; flow:to_client,established; file_data; content:"/go.php?sid="; pcre:"/\x2Fgo\.php\?sid=\d+/"; metadata:impact_flag red, service http; reference:url,www.simpletds.com; classtype:misc-activity; sid:28347; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Magitart outbound communication attempt"; flow:to_server,established; content:"/nstart.aspx|3F|id|3D|"; fast_pattern:only; http_uri; content:"|26|id2|3D|"; depth:17; offset:28; http_uri; content:"|26|c|3D|"; within:28; distance:20; http_uri; content:"|3B|q|3D|0.1|0D 0A|Accept|2D|Language|3A 20|zh|2D|cn|2C|en|3B|q|3D|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/52cc53b8c6f77d59f3b677674aeeedc4542b5a7aa793253597dee3693f1a6842/analysis/; classtype:trojan-activity; sid:28483; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MALWARE-OTHER SQL Slammer worm propagation attempt inbound"; flow:to_server; content:"|04|"; depth:1; content:"Qh.dll"; fast_pattern:only; content:"sock"; content:"send"; metadata:impact_flag red, ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; classtype:trojan-activity; sid:28555; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Backdoor.Tavdig download attempt"; flow:to_server,established; file_data; content:"|76 61 62 6D 75 3F 00 53 68 6E 62 72 61 20 6B 68 77 64 79 61 6A 64 6F 62 20 6D 64 71 78 70 7A 6C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/0b97c87126578113050d8e014e8fefeb33146eebc40e75c070882ec31ae26aab/analysis/; classtype:trojan-activity; sid:28848; rev:3;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Backdoor.Tavdig download attempt"; flow:to_client,established; file_data; content:"|76 61 62 6D 75 3F 00 53 68 6E 62 72 61 20 6B 68 77 64 79 61 6A 64 6F 62 20 6D 64 71 78 70 7A 6C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/0b97c87126578113050d8e014e8fefeb33146eebc40e75c070882ec31ae26aab/analysis/; classtype:trojan-activity; sid:28847; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER multi-hop iframe campaign client-side exploit attempt"; flow:to_client,established; file_data; content:"zc9rvR0pvLDME9FT61C471dmhns=|22|421412|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2011-3402; reference:url,www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-affects-thousands-of-web-sites-leads-to-cve-2011-3402/; reference:url,www.webroot.com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-affects-thousands-web-sites-leads-cocktail-client-side-exploits-part-two/; classtype:trojan-activity; sid:29025; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER multi-hop iframe campaign client-side exploit attempt"; flow:to_client,established; file_data; content:"B|00|u|00|f|00|f|00|a|00|l|00|o|00 00 00 00 10 00|v|00|i|00|r|00|g|00|i|00|n|00|s"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2011-3402; reference:url,www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-affects-thousands-of-web-sites-leads-to-cve-2011-3402/; reference:url,www.webroot.com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-affects-thousands-web-sites-leads-cocktail-client-side-exploits-part-two/; classtype:trojan-activity; sid:29024; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER multi-hop iframe campaign client-side exploit attempt"; flow:to_client,established; file_data; content:"=|22|gd|22|+|22|asfg|22 3B|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:cve,2011-3402; reference:url,www.webroot.com/blog/2013/11/13/malicious-multi-hop-iframe-campaign-affects-thousands-of-web-sites-leads-to-cve-2011-3402/; reference:url,www.webroot.com/blog/2013/12/09/malicious-multi-hop-iframe-campaign-affects-thousands-web-sites-leads-cocktail-client-side-exploits-part-two/; classtype:trojan-activity; sid:29023; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Possible Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/xmlrpc/includes/logs/config.bin"; fast_pattern:only; http_uri; content:!"|0D 0A|Referer|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/url/689128c8dfa5e1db7dbf5400635ed4504dc9de8ebcda38549dd44aa15bd999e0/analysis/; classtype:trojan-activity; sid:29013; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Possible Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/xmlrpc/includes/logs/gate.php"; fast_pattern:only; http_uri; content:!"|0D 0A|Referer|3A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/url/689128c8dfa5e1db7dbf5400635ed4504dc9de8ebcda38549dd44aa15bd999e0/analysis/; classtype:trojan-activity; sid:29012; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.InstallMonster variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Opera/9.80 |28|Windows NT 6.1|3B| U|3B| ru|29| Presto/2.8.131 Version/11.10"; fast_pattern:only; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/527562368cd5ba3dd8dc41c51f0998ab225a8dd2273359c4ee7c939d7570d42f/analysis/; classtype:trojan-activity; sid:29124; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Win.Trojan.Esjey outbound communication attempt"; flow:to_server,established; dsize:>50; content:"Subject|3A 20|Server Run|0D 0A|"; fast_pattern:only; content:"Message-ID|3A 20 3C|"; offset:160; content:"|40|"; within:1; distance:40; content:"|3E 0D 0A 0D 0A|"; within:19; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/d8cc615398fdc81d1cbe6424565925f3da3ef8022a3158b043f9fba69a7171c0/analysis/; classtype:trojan-activity; sid:29364; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Java FileDialog heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java|2F|awt|2F|FileDialog"; fast_pattern:only; content:"|01 00 07|setFile|00 21|"; content:"|00 11 00 12 00 00 00 00 00 02 00 01 00 13 00 14 00 01 00 15 00 00 00 1D 00 01 00 01 00 00 00 05|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,48129; reference:cve,2011-0802; classtype:attempted-user; sid:29643; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Java FileDialog heap buffer overflow attempt"; flow:to_server,established; flowbits:isset,file.class; file_data; content:"java|2F|awt|2F|FileDialog"; fast_pattern:only; content:"|01 00 07|setFile|00 21|"; content:"|00 10 00 11 00 00 00 00 00 02 00 01 00 12 00 13 00 01 00 14 00 00 00 1D 00 01 00 01 00 00 00 05|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:bugtraq,48129; reference:cve,2011-0802; classtype:attempted-user; sid:29642; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Java FileDialog heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java|2F|awt|2F|FileDialog"; fast_pattern:only; content:"|01 00 07|setFile|00 21|"; content:"|00 11 00 12 00 00 00 00 00 02 00 01 00 13 00 14 00 01 00 15 00 00 00 1D 00 01 00 01 00 00 00 05|"; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,48129; reference:cve,2011-0802; classtype:attempted-user; sid:29641; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Java FileDialog heap buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.class; file_data; content:"java|2F|awt|2F|FileDialog"; fast_pattern:only; content:"|01 00 07|setFile|00 21|"; content:"|00 10 00 11 00 00 00 00 00 02 00 01 00 12 00 13 00 01 00 14 00 00 00 1D 00 01 00 01 00 00 00 05|"; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:bugtraq,48129; reference:cve,2011-0802; classtype:attempted-user; sid:29640; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 100 (msg:"MALWARE-OTHER Win.Keylogger.Vacky system information disclosure"; flow:to_server,established; content:"|00 00 00 00 00 00 00|"; depth:7; offset:1; content:"|AA AA AA AA|"; within:4; distance:4; fast_pattern; dsize:16; metadata:impact_flag red, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/cb461e5a7891e357dd1be81b68229bb909648fe27c993adab26c0be7508f2c4f/analysis/; classtype:trojan-activity; sid:29918; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; urilen:22; content:"/android/sms/index.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_header; content:"bot_id="; http_client_body; content:"&number=&iccid=&model="; distance:0; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&control_number="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30072; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; urilen:21; content:"POST"; http_method; content:"/android/sms/ping.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30071; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; urilen:21; content:"/android/sms/sync.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_header; content:"bot_id="; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&iscallhack="; distance:0; http_client_body; content:"&issmshack="; distance:0; http_client_body; content:"&isrecordhack="; distance:0; http_client_body; content:"&isadmin="; distance:0; http_client_body; content:"&control_number="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30070; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER TDS Sutra - RULEZ cookie"; flow:to_server,established; content:"sutraRULEZcookies"; fast_pattern:only; content:"sutraRULEZcookiessupport"; http_cookie; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:30138; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - RULEZ cookie set"; flow:to_client,established; content:"sutraRULEZcookies"; fast_pattern:only; content:"sutraRULEZcookiessupport"; http_cookie; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:30137; rev:1;)
# alert udp $HOME_NET 53 -> any any (msg:"MALWARE-OTHER Unix.Trojan.Onimiki DNS compromised server response"; flow:to_client; byte_test:1,&,0x04,2; content:"|00 01 00 01 00 01 00 00 38|"; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00/Ris"; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,github.com/eset/malware-ioc; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30273; rev:1;)
# alert udp $HOME_NET any -> any 53 (msg:"MALWARE-OTHER Unix.Trojan.Onimiki redirected client DNS request"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|00 01 00 00 00 00 00 00 38|"; pcre:"/^[a-z0-9]{23}[a-f0-9]{33}.[a-z0-9\-_]+.[a-z0-9\-_]+\x00\x00/Ris"; metadata:policy security-ips drop, service dns; reference:url,github.com/eset/malware-ioc; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30272; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER malicious iframe injection redirect attempt"; flow:to_client,established; file_data; content:"document.write|28 27|<script src=|22|"; content:"type=|22|text/javascript|22|></script>|27 29 3B 20|/*/"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:30325; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Agent Funeral ceremony phishing attempt"; flow:to_client,established; content:"filename=FuneralCeremony_"; fast_pattern:only; http_header; content:".zip"; nocase; http_header; file_data; content:"FuneralCeremony_"; content:".exe"; distance:0; nocase; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/285ec7e2f8cbaed5d8cebde56bb6d44a921eb4e8384981832822329d8ccfb125/analysis/1395241815/; classtype:trojan-activity; sid:30569; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt"; flow:to_server,established; content:"/cache/pdf_efax_"; fast_pattern:only; http_uri; pcre:"/\/cache\/pdf\x5Fefax\x5F\d{8,15}\.zip$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694a9292c2c8a9749e5648ed4/analysis/; classtype:trojan-activity; sid:30568; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"pdf_efax_"; fast_pattern:only; content:"PK"; depth:2; content:".pif"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694a9292c2c8a9749e5648ed4/analysis/; classtype:trojan-activity; sid:30567; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Wysotot variant download attempt"; flow:to_server,established; content:"/dl/get_tab?type="; fast_pattern:only; http_uri; content:"User-Agent|3A| ElexNetDownload|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,blogs.technet.com/b/mmpc/archive/2014/03/11/msrt-march-2014-wysotot.aspx; classtype:trojan-activity; sid:30946; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.ZBerp variant download attempt"; flow:to_server,established; file_data; content:"|53 00 6E 00 52 00 52 00 20 00 53 00 74 00 75 00 64 00 69 00 6F 00 6E 00 20 00 52 00 65 00 70 00 6F 00 72 00 74 00 20 00 52 00 65 00 6E 00 65 00 77 00 65 00 72 00 69 00 6E 00 67 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/34a06446088d82f9a3c488352d35e7a4c8df9f0c9a042b5af60e013c7ef89c80/analysis/; classtype:trojan-activity; sid:31185; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.ZBerp variant download attempt"; flow:to_client,established; file_data; content:"|53 00 6E 00 52 00 52 00 20 00 53 00 74 00 75 00 64 00 69 00 6F 00 6E 00 20 00 52 00 65 00 70 00 6F 00 72 00 74 00 20 00 52 00 65 00 6E 00 65 00 77 00 65 00 72 00 69 00 6E 00 67 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/34a06446088d82f9a3c488352d35e7a4c8df9f0c9a042b5af60e013c7ef89c80/analysis/; classtype:trojan-activity; sid:31184; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zbot variant download attempt"; flow:to_client,established; file_data; content:"w|00|i|00|g|00|a|00|s|00|t|00|o|00|p|00|o|00|e|00|l|00|a|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/96f42fa992d719c8ca7a84565702458e31b99ee35b2f058691b2477ccc555005/analysis/1403275557/; classtype:trojan-activity; sid:31329; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Game Over Zeus executable download detected"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|60 2E 72 64 61 74 61 00 00 0A 13 00 00 00 50 00 00 00 20 00 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00|"; content:"|54 02 00 00 00 70 00 00 00 10 00 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0|"; within:32; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/3FF49706E78067613AA1DCF0174968963B17F15E9A6BC54396A9F233D382D0E6/analysis/; classtype:trojan-activity; sid:31488; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Game Over Zeus executable download detected"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|60 2E 72 64 61 74 61 00 00 0A 13 00 00 00 50 00 00 00 20 00 00 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2E 64 61 74 61 00 00|"; content:"|54 02 00 00 00 70 00 00 00 10 00 00 00 70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0|"; within:32; distance:1; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/3FF49706E78067613AA1DCF0174968963B17F15E9A6BC54396A9F233D382D0E6/analysis/; classtype:trojan-activity; sid:31487; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Injector outbound traffic"; flow:to_server,established; content:"/feed.php?q="; http_uri; content:"&cur.x="; fast_pattern:only; http_uri; content:"cur.y="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/62CAA81EA8D60BDFDC5AE3390AB73560226AC6C353AD8C02814689BEFF83CBB9/analysis/; classtype:trojan-activity; sid:31510; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Graftor variant retrieval of a DLL hosted as a JPG"; flow:to_server,established; urilen:18; content:"/ads/NetSyst67.jpg"; fast_pattern:only; http_uri; content:" Mozilla/4.0 |28|compatible|29|"; nocase; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/38eb7b8b802b0357c0191be4634b2ec6a7d957beac6bfde076532703623991da/analysis/; classtype:trojan-activity; sid:31817; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"DeltaTicket_ET-RM-"; distance:0; nocase; content:".exe"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.satinfo.es/blog/tag/deltaticket_et-rm-0hj423891156-exe; classtype:trojan-activity; sid:32008; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Sinkhole reply - irc-sinkhole.cert.pl"; flow:to_client,established; content:"|3A|irc|2D|sinkhole|2E|cert|2E|pl"; fast_pattern:only; content:"|3A|End of MOTD command|2E|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:32260; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Adobe License Key email scam phishing attempt"; flow:to_server,established; content:"Content-Disposition|3A 20|attachment"; nocase; content:"License_Key_"; within:50; fast_pattern; nocase; content:".zip"; within:4; distance:6; nocase; metadata:impact_flag red, service smtp; reference:url,attack.mitre.org/techniques/T1192; reference:url,virustotal.com/en/file/cd0da726e7bd8a15e67f1088c2e94d3f8ca721ada0b3b1063235582a61b1be0b/analysis/; classtype:trojan-activity; sid:32772; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Adobe Invoice email scam phishing attempt"; flow:to_server,established; content:"Content-Disposition|3A 20|attachment"; nocase; content:"adb-"; within:50; nocase; content:"-invoice.zip"; within:12; distance:6; fast_pattern; nocase; metadata:impact_flag red, service smtp; reference:url,attack.mitre.org/techniques/T1192; reference:url,virustotal.com/en/file/e9a0eded5337ea14ffd6b0da0810c9cd3fba447360949519d582908bd5ee1e1c/analysis/; classtype:trojan-activity; sid:32771; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Download of executable screensaver file"; flow:to_client,established; flowbits:isset,file.screensaver; file_data; content:"MZ"; depth:2; metadata:impact_flag red, service http; reference:url,attack.mitre.org/techniques/T1180; reference:url,www.virustotal.com/en/file/cb7a29d1dec378f94b394ba4df3dc1fe5fe3b8d1d4ca3e70da3a611b67588ae7/analysis/; classtype:policy-violation; sid:32949; rev:2;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 4E 80 F2 79 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32935; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 EA 62 80 F2 B4 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32934; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|0C 1F 1F 1F 4F 50 4C 4B 3F 57 4B 4B 4F 3F 4D 5A 4E 4A 5A 4C 4B 20|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32933; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|17 08 14 13 67 0F 13 13 17 67 15 02 16 12 02 14 13 78|"; depth:18; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32932; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|D1 CE D2 D5 A1 C9 D5 D5 D1 A1 D3 C4 D0 D4 C4 D2 D5 BE|"; depth:18; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32931; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4F 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4E 67 47 47|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32930; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32929; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|13 2F 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32928; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|09 22 33 30 28 35 2C|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32927; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0C 66 66 66|"; depth:22; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32926; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|4F 50 4C 4B 3F 57 4B 4B 4F 3F 4D 5A 4E 4A 5A 4C 4B 20 1F|"; depth:23; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32925; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|17 08 14 13 67 0F 13 13 17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32924; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|D3 C4 D2 D1 CE CF D2 C4 A1 B3 B1 B1 A1 CE CA A0 A0 A0|"; depth:18; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32923; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|0C 1F 1F 1F 4D 5A 4C 4F 50 51 4C 5A 3F 2D 2F 2F 3F 50 54 3E 3E 3E|"; depth:22; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32922; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|AA 74 BA F2 B9 75|"; depth:74; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32921; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|AA 64 BA F2 56|"; depth:50; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32920; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|C9 06 D9 96 FC 37 23 5A FE F9 40 BA 4C 94 14 98|"; depth:16; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32919; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Bladbindi obfuscated with Yano Obfuscator download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"YanoAttribute"; fast_pattern:only; content:"ObfuscationAttribute"; content:"StripAfterObfuscation"; metadata:policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/b9cf049a38d52f79e2a9c2d84b9bbc5ad39263a8b663cceda5cae12a3bdb65b8/analysis/; classtype:trojan-activity; sid:33208; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.CTB-Locker download attempt"; flow:established,to_server; flowbits:isset,file.exe; file_data; content:"|D6 09 D9 91 7A 29 69 46 49 F1 0F AE 48 15 A0 AB 1F 41 58 21 80 FB F7 8F C4 19 A9 F7 E7 A4 AE B9|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/f8549c7f866cc31c7ee379134383f96ff38c0a6d7ffbfe93ffedf97351cf254f/analysis/; classtype:trojan-activity; sid:33759; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.CTB-Locker download attempt"; flow:established,to_client; flowbits:isset,file.exe; file_data; content:"|D6 09 D9 91 7A 29 69 46 49 F1 0F AE 48 15 A0 AB 1F 41 58 21 80 FB F7 8F C4 19 A9 F7 E7 A4 AE B9|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/f8549c7f866cc31c7ee379134383f96ff38c0a6d7ffbfe93ffedf97351cf254f/analysis/; classtype:trojan-activity; sid:33758; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Downloader.Latekonsul Runtime Detection"; flow:to_server,established; content:"/vod/brig.almador/data.cfg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/6348dd70583de2d740bf861a2892b462446b9a0fd32eb814906516b01c3b08ec/analysis/; classtype:trojan-activity; sid:33874; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Executable control panel file download request"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"PK|03 04|"; content:".cpl"; within:50; distance:26; fast_pattern; nocase; content:!"bin/javacpl.cpl"; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1196; reference:url,support.microsoft.com/en-us/kb/149648; classtype:misc-activity; sid:33943; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Executable control panel file download request"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"PK|03 04|"; content:".cpl"; within:50; distance:26; fast_pattern; nocase; content:!"bin/javacpl.cpl"; metadata:policy security-ips alert, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1196; reference:url,support.microsoft.com/en-us/kb/149648; classtype:misc-activity; sid:33942; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Executable control panel file download request"; flow:to_server,established; content:".cpl"; fast_pattern:only; http_uri; pcre:"/\x2ecpl([\?\x5c\x2f]|$)/smiU"; metadata:policy security-ips alert, service http; reference:url,attack.mitre.org/techniques/T1196; reference:url,support.microsoft.com/en-us/kb/149648; classtype:misc-activity; sid:33941; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Executable control panel file attachment detected"; flow:to_server,established; content:".cpl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2ecpl[\x22\x27\s]/si"; metadata:policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1196; reference:url,support.microsoft.com/en-us/kb/149648; classtype:misc-activity; sid:33940; rev:2;)
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"MALWARE-OTHER Executable control panel file attachment detected"; flow:to_client,established; content:".cpl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[\x22\x27]?[^\n]*\x2ecpl[\x22\x27\s]/si"; metadata:policy security-ips drop, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1196; reference:url,support.microsoft.com/en-us/kb/149648; classtype:misc-activity; sid:33939; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Html.Phishing.Crea outbound connection attempt"; flow:to_server,established; content:"SSN3="; http_client_body; content:"CARDEXPYYYY="; fast_pattern:only; http_client_body; content:"mysubmitbutton="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/a4eb48cb408a72cf3596151d6211c0430c60233a010dd943a29dd5eb8a62ee57/analysis/; classtype:trojan-activity; sid:34336; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Downloader.Temvice outbound communication attempt"; flow:to_server,established; content:"User|2D|Agent|3A 20|InetURL"; fast_pattern:only; http_header; content:"|3F|action|3D|"; http_uri; content:"|26|id|3D|"; within:10; http_uri; content:"|3C 3E|"; within:2; distance:23; http_uri; content:"|26|pass|3D|"; within:6; distance:29; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/83CD7C60A97A9E6849713A4F8AB768BB9C72942D9B416A78FF1758D357DB3A29/analysis/; classtype:trojan-activity; sid:28381; rev:5;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Urausy outbound traffic attempt"; flow:to_server,established; urilen:110<>150; content:"/"; http_uri; content:!"/"; distance:0; http_uri; content:".html"; distance:100; content:"|0D 0A|User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Host: "; fast_pattern:only; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, service http; reference:url,www.virustotal.com/en/file/1e58f55d35c71f42c56ddd3b50f3ee32a8632dbd6ced812882f20a8228902a39/analysis/; classtype:trojan-activity; sid:34930; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Adobe Flash exploit download attempt - Group 6"; flow:to_server,established; content:"/en/?1"; fast_pattern:only; http_uri; urilen:6; metadata:impact_flag red, policy max-detect-ips drop, service http; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:trojan-activity; sid:34992; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Group 6 Adobe Flash exploit download attempt"; flow:to_server,established; content:"/en/"; depth:4; nocase; http_uri; content:"=.jpg"; fast_pattern:only; http_uri; content:!"&"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:trojan-activity; sid:34991; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Adobe Flash exploit download attempt - Group 6"; flow:to_server,established; content:"/en/.jpg"; fast_pattern:only; http_uri; urilen:8; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,helpx.adobe.com/security/products/flash-player/apsb15-14.html; classtype:trojan-activity; sid:34990; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Malumpos malware download attempt"; flow:to_server,established; file_data; content:"|69 00 00 00 28 28|b|7C|B|29 5B|0-9|5D 7B|13,19|7D 5C 5E 5B|A-Za-z|5C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/29e45b1b9bdbe9cbc6da7e52259c214143c8322b63759a2d779d2d8c758f7d45/analysis/; classtype:trojan-activity; sid:35004; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Malumpos malware download attempt"; flow:to_client,established; file_data; content:"|69 00 00 00 28 28|b|7C|B|29 5B|0-9|5D 7B|13,19|7D 5C 5E 5B|A-Za-z|5C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/29e45b1b9bdbe9cbc6da7e52259c214143c8322b63759a2d779d2d8c758f7d45/analysis/; classtype:trojan-activity; sid:35003; rev:1;)
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-OTHER self-signed SSL certificate transfer for EXEPROXY attempt"; flow:to_client,established; ssl_state:server_hello; content:"WashingTon"; fast_pattern:only; content:"WebMaster@Microsoft.com"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ssl; classtype:trojan-activity; sid:36241; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Apple iTunes Connect HTTP response phishing attempt"; flow:to_client,established; file_data; content:"<!-- PHOEN!X -->"; fast_pattern:only; content:"apass"; content:"submit.x"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,virustotal.com/en/url/7eb12819634b67b80fbb6d1cfd3193100b1fbc162e5ff76cfdc31e0a899c0086/analysis/; classtype:trojan-activity; sid:36338; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Worm.Pixipos Outbound Connection Attempt"; flow:to_server,established; content:"/s/gate.php"; fast_pattern:only; http_uri; content:"form-data|3B| name=|22|osc|22||3B| filename=|22|"; offset:64; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/e21fd5ef81573c76276072b9c2c7456c0630bfa823a013dc379530cbdd090922/analysis/1450816646/; classtype:trojan-activity; sid:37222; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Samas variant download attempt"; flow:to_server,established; file_data; content:"M|00|t|00|A|00|e|00|S|00|K|00|e|00|Y|00|F|00|o|00|r|00|F|00|i|00|l|00|e"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac/analysis/; classtype:trojan-activity; sid:38280; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Samas variant download attempt"; flow:to_client,established; file_data; content:"M|00|t|00|A|00|e|00|S|00|K|00|e|00|Y|00|F|00|o|00|r|00|F|00|i|00|l|00|e"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac/analysis/; classtype:trojan-activity; sid:38279; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Samas variant download attempt"; flow:to_server,established; file_data; content:"M|00|M|00|t|00|t|00|_|00|A|00|e|00|S|00|_|00|K|00|e|00|Y|00|_|00|F|00|o|00|r|00|_|00|F|00|i|00|l|00|e"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac/analysis/; classtype:trojan-activity; sid:38361; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Samas variant download attempt"; flow:to_client,established; file_data; content:"M|00|M|00|t|00|t|00|_|00|A|00|e|00|S|00|_|00|K|00|e|00|Y|00|_|00|F|00|o|00|r|00|_|00|F|00|i|00|l|00|e"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0f2c5c39494f15b7ee637ad5b6b5d00a3e2f407b4f27d140cd5a821ff08acfac/analysis/; classtype:trojan-activity; sid:38360; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_server,established; file_data; content:"|B8 4F EC C4 4E F7 E1 C1 EA 02 6B D2 0D 8B C1 2B C2 83 F8 08 0F 9F C0 8B D1 C1 FA 05 80 E2 F8 F6 EA 88 84 31|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/f5ab764c439a45ed892a3346f228d36f24d7f2377d4cddc5e82a0566f8521082/analysis/; classtype:trojan-activity; sid:38377; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_server,established; file_data; content:"|8D 30 8B 00 68 78 86 01 10 89 45 D0 FF 15 20 30 01 10 8B 46 08 8D 55 FC 8D 4D E8 C7 45 E8 7C 86 01 10 FF 70|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/9328e0a1c45d7ac10e796f351f749b4b5258a1f9beff70f410a27179a6a876a7/analysis/; classtype:trojan-activity; sid:38376; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_server,established; file_data; content:"|8B 4C 24 0C 8D 84 24 B8 02 00 00 89 44 24 6C B8 00 00 00 80 89 44 24 74 89 44 24 78 89 44 24 7C 89 84 24 80|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0210a8f8e729d1b81bf81e39874af98c379f92fcdf802d6d925eb9e65186dfd3/analysis/; classtype:trojan-activity; sid:38375; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_client,established; file_data; content:"|B8 4F EC C4 4E F7 E1 C1 EA 02 6B D2 0D 8B C1 2B C2 83 F8 08 0F 9F C0 8B D1 C1 FA 05 80 E2 F8 F6 EA 88 84 31|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/f5ab764c439a45ed892a3346f228d36f24d7f2377d4cddc5e82a0566f8521082/analysis/; classtype:trojan-activity; sid:38374; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_client,established; file_data; content:"|8D 30 8B 00 68 78 86 01 10 89 45 D0 FF 15 20 30 01 10 8B 46 08 8D 55 FC 8D 4D E8 C7 45 E8 7C 86 01 10 FF 70|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/9328e0a1c45d7ac10e796f351f749b4b5258a1f9beff70f410a27179a6a876a7/analysis/; classtype:trojan-activity; sid:38373; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_client,established; file_data; content:"|8B 4C 24 0C 8D 84 24 B8 02 00 00 89 44 24 6C B8 00 00 00 80 89 44 24 74 89 44 24 78 89 44 24 7C 89 84 24 80|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0210a8f8e729d1b81bf81e39874af98c379f92fcdf802d6d925eb9e65186dfd3/analysis/; classtype:trojan-activity; sid:38372; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"Bewerbungsunterlagen.PDF.exePK"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/37112f3d0def0006ca1445799547a2b501a0b7b6939bba304863fcc76949138f/analysis/; classtype:trojan-activity; sid:38454; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_server,established; file_data; content:"|76 48 18 89 FF E0 4F C1 CE 1A 41 33 DD 2B CB C1 C0 04 E8 A4 D8 FF FF C1 C1 13 89 0D 08 B6 43 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/7e3aae38e1a43dc043910d86412b5fbd7fb0ee1b027ec4d822dc50533624879c/analysis/; classtype:trojan-activity; sid:38453; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"Bewerbungsmappe-gepackt.exePK"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/019a6fda29af707476b2c58e5b6bbf306e8c248671c8f4dc7424e474018376a1/analysis/; classtype:trojan-activity; sid:38452; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_server,established; file_data; content:"|9B 75 F2 81 28 54 2A 88 A9 C0 48 C7 8B 67 D1 33 BF B2 C1 E6 0C 39 B1 51 D8 35 F8 4E 24 E9 75 37|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/542a38bf52afa6a4a008089a6fbf22c9d68ef5d6c634dd2c0773d859a8ae2bbf/analysis/; classtype:trojan-activity; sid:38451; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_server,established; file_data; content:"|C1 CE 11 03 F0 89 3D 60 75 49 00 C1 C6 05 40 81 EE 53 17 DB F6 C1 CA 1B 46 C1 C1 01 4E F7 D3 81|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c/analysis/; classtype:trojan-activity; sid:38450; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_server,established; file_data; content:"|81 F6 FE AE 8E 27 81 F6 FE AE 8E 27 49 87 D7 33 F9 87 D6 2B C1 81 C6 84 F0 65 D1 C1 C2 12 2B F0|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/50d27af49a2e50baa47f13c59625fa0a29938253f1f46e6ffb2aacbc2dc196d1/analysis/; classtype:trojan-activity; sid:38449; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_server,established; file_data; content:"|C1 CF 19 C1 C7 19 33 D5 C1 C8 08 81 C2 2D A8 5D 00 46 F7 D3 03 F0 F7 DF 4A 2B D5 C1 C1 09 81 F6|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/E99eccfc1473800ea6e2e730e733c213f18e817c0c6501209f4ee40408f94951/analysis/; classtype:trojan-activity; sid:38448; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"Bewerbungsunterlagen.PDF.exePK"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/37112f3d0def0006ca1445799547a2b501a0b7b6939bba304863fcc76949138f/analysis/; classtype:trojan-activity; sid:38447; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"BewerbungsmappePDF.exePK"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/7e3aae38e1a43dc043910d86412b5fbd7fb0ee1b027ec4d822dc50533624879c/analysis/; classtype:trojan-activity; sid:38446; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_client,established; file_data; content:"|76 48 18 89 FF E0 4F C1 CE 1A 41 33 DD 2B CB C1 C0 04 E8 A4 D8 FF FF C1 C1 13 89 0D 08 B6 43 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/019a6fda29af707476b2c58e5b6bbf306e8c248671c8f4dc7424e474018376a1/analysis/; classtype:trojan-activity; sid:38445; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_client,established; file_data; content:"|9B 75 F2 81 28 54 2A 88 A9 C0 48 C7 8B 67 D1 33 BF B2 C1 E6 0C 39 B1 51 D8 35 F8 4E 24 E9 75 37|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/542a38bf52afa6a4a008089a6fbf22c9d68ef5d6c634dd2c0773d859a8ae2bbf/analysis/; classtype:trojan-activity; sid:38444; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_client,established; file_data; content:"|C1 CE 11 03 F0 89 3D 60 75 49 00 C1 C6 05 40 81 EE 53 17 DB F6 C1 CA 1B 46 C1 C1 01 4E F7 D3 81|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/4c1dc737915d76b7ce579abddaba74ead6fdb5b519a1ea45308b8c49b950655c/analysis/; classtype:trojan-activity; sid:38443; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_client,established; file_data; content:"|C1 CF 19 C1 C7 19 33 D5 C1 C8 08 81 C2 2D A8 5D 00 46 F7 D3 03 F0 F7 DF 4A 2B D5 C1 C1 09 81 F6|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/50d27af49a2e50baa47f13c59625fa0a29938253f1f46e6ffb2aacbc2dc196d1/analysis/; classtype:trojan-activity; sid:38442; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Petya variant download attempt"; flow:to_client,established; file_data; content:"|81 F6 FE AE 8E 27 81 F6 FE AE 8E 27 49 87 D7 33 F9 87 D6 2B C1 81 C6 84 F0 65 D1 C1 C2 12 2B F0|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/E99eccfc1473800ea6e2e730e733c213f18e817c0c6501209f4ee40408f94951/analysis/; classtype:trojan-activity; sid:38441; rev:2;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"MALWARE-OTHER samsam sqlsrvtmg1.exe file load attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"|5C 00|s|00|q|00|l|00|s|00|r|00|v|00|t|00|m|00|g|00|1|00|.|00|e|00|x|00|e|00 00 00|"; fast_pattern:only; metadata:impact_flag red, service netbios-ssn; classtype:trojan-activity; sid:38502; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"MALWARE-OTHER samsam samsam.exe file load attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"|5C 00|s|00|a|00|m|00|s|00|a|00|m|00|.|00|e|00|x|00|e|00 00 00|"; fast_pattern:only; metadata:impact_flag red, service netbios-ssn; classtype:trojan-activity; sid:38501; rev:1;)
# alert tcp $HOME_NET any -> $HOME_NET [139,445] (msg:"MALWARE-OTHER samsam delfiletype.exe file load attempt"; flow:to_server,established; content:"|FF|SMB|A2 00 00 00 00|"; content:"|5C 00|d|00|e|00|l|00|f|00|i|00|l|00|e|00|t|00|y|00|p|00|e|00|.|00|e|00|x|00|e|00 00 00|"; fast_pattern:only; metadata:impact_flag red, service netbios-ssn; classtype:trojan-activity; sid:38500; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER samsam sqlsrvtmg1.exe file load attempt"; flow:to_server,established; content:"|2F|sqlsrvtmg1.exe"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; sid:38499; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER samsam samsam.exe file load attempt"; flow:to_server,established; content:"|2F|samsam.exe"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; sid:38498; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER samsam delfiletype.exe file load attempt"; flow:to_server,established; content:"|2F|delfiletype.exe"; nocase; http_uri; metadata:impact_flag red, service http; classtype:trojan-activity; sid:38497; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER XBot CC Social Engineering"; flow:to_server,established; content:"Referer: http://melon25.ru/gp/gp_ru.html"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/; classtype:trojan-activity; sid:38529; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Troll dropper document file detected"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"HYPERLINK |22|https|3A|//support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/intelligence/search/?query=morelikestoday.com%2Foffice.exe; classtype:trojan-activity; sid:38526; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Troll dropper document file detected"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"HYPERLINK |22|https|3A|//support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/intelligence/search/?query=morelikestoday.com%2Foffice.exe; classtype:trojan-activity; sid:38525; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|F6 0C 4E A3 B5 1E 76 42 26 4A AC CE C5 02 40 00 A8 38 61 78 B8 D8 19 00 33 36 98 3A 94 EE 7A 81 03 22 BA 09|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/10c73a405d2fb8c5b13854f736c394e5e155709993228c7f56a43ea92c9ac463/analysis/; classtype:trojan-activity; sid:38665; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|CA 76 0B DC E7 16 56 1F A0 C9 16 F7 BB BD 6F 3E 10 06 C7 47 20 06 A7 C9 42 57 52 F8 1E A9 BA D0 2E 07 00 6C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/a5816c5d456f9e4b952caca6b45be0717f4c66bbd8ebc1e61ebc45e723ad8dfd/analysis/; classtype:trojan-activity; sid:38664; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|9C 85 A5 F6 F7 C5 5F 0F 89 6C 0A F7 D9 83 D3 3C 14 15 D0 2B A3 08 68 40 42 9F 10 F7 23 E0 D9 B8 F4 29 D8 D3|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/316d9e2cc232e8baa8c533468919c11a41f09772419eb517d4e0599edc5251bf/analysis/; classtype:trojan-activity; sid:38663; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|8D 85 D0 FE FF FF 89 44 24 08 C7 44 24 04 64 40 40 00 C7 04 24 00 00 00 00 E8 9C 08 00 00 83 EC 18 FF 45 F4|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/179eeacbd6e860b59d35312f5a9e72e1a5cd9cb147aaf482514d681a8bc7d16b/analysis/; classtype:trojan-activity; sid:38662; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|8B 45 0C C7 44 24 04 64 70 42 00 89 04 24 E8 B8 46 02 00 C7 44 24 04 12 27 00 00 89 1C 24 89 C6 8B 45 08 89|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/78db0d5c2752770814b17925239914e9075b5950b1ec2ce8415bfb46769b1028/analysis/; classtype:trojan-activity; sid:38661; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|82 1C 82 41 3B 14 6C 03 05 2C 11 B9 F4 B6 59 F0 88 44 EE FD 6A AC F1 7D 2E 16 8B 69 70 16 96 2A ED 1C E1 16|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/32363684303ff69b7049a86253895a5184a98c247b0919e03b33d87241111fe6/analysis/; classtype:trojan-activity; sid:38660; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|24 68 0B 1C 82 E6 AC 94 69 A6 04 E0 69 D5 56 E0 0A 4E 0C B5 85 0C 88 57 4C 8B BC 04 07 7B 58 3F 15 2C AB 95|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/1c797967d2948ccb92cc7e939b80f18e1cb8dab35418ac51348e3fd1825a3696/analysis/; classtype:trojan-activity; sid:38659; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_server,established; file_data; content:"|22 E5 8E 5B E9 10 DB C2 74 3C 39 10 F8 D0 62 86 1F 0C 8E 1D 87 33 BC A7 84 24 54 5A F5 E2 10 23 B3 7E 48 28|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/373f91994b684b056f77958b40155cf34b1f24b401831d7a1dd53b2e6ba92ce9/analysis/; classtype:trojan-activity; sid:38658; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|F6 0C 4E A3 B5 1E 76 42 26 4A AC CE C5 02 40 00 A8 38 61 78 B8 D8 19 00 33 36 98 3A 94 EE 7A 81 03 22 BA 09|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/10c73a405d2fb8c5b13854f736c394e5e155709993228c7f56a43ea92c9ac463/analysis/; classtype:trojan-activity; sid:38657; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|CA 76 0B DC E7 16 56 1F A0 C9 16 F7 BB BD 6F 3E 10 06 C7 47 20 06 A7 C9 42 57 52 F8 1E A9 BA D0 2E 07 00 6C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/a5816c5d456f9e4b952caca6b45be0717f4c66bbd8ebc1e61ebc45e723ad8dfd/analysis/; classtype:trojan-activity; sid:38656; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|9C 85 A5 F6 F7 C5 5F 0F 89 6C 0A F7 D9 83 D3 3C 14 15 D0 2B A3 08 68 40 42 9F 10 F7 23 E0 D9 B8 F4 29 D8 D3|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/316d9e2cc232e8baa8c533468919c11a41f09772419eb517d4e0599edc5251bf/analysis/; classtype:trojan-activity; sid:38655; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|8D 85 D0 FE FF FF 89 44 24 08 C7 44 24 04 64 40 40 00 C7 04 24 00 00 00 00 E8 9C 08 00 00 83 EC 18 FF 45 F4|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/179eeacbd6e860b59d35312f5a9e72e1a5cd9cb147aaf482514d681a8bc7d16b/analysis/; classtype:trojan-activity; sid:38654; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|8B 45 0C C7 44 24 04 64 70 42 00 89 04 24 E8 B8 46 02 00 C7 44 24 04 12 27 00 00 89 1C 24 89 C6 8B 45 08 89|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/78db0d5c2752770814b17925239914e9075b5950b1ec2ce8415bfb46769b1028/analysis/; classtype:trojan-activity; sid:38653; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|82 1C 82 41 3B 14 6C 03 05 2C 11 B9 F4 B6 59 F0 88 44 EE FD 6A AC F1 7D 2E 16 8B 69 70 16 96 2A ED 1C E1 16|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/32363684303ff69b7049a86253895a5184a98c247b0919e03b33d87241111fe6/analysis/; classtype:trojan-activity; sid:38652; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|24 68 0B 1C 82 E6 AC 94 69 A6 04 E0 69 D5 56 E0 0A 4E 0C B5 85 0C 88 57 4C 8B BC 04 07 7B 58 3F 15 2C AB 95|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/1c797967d2948ccb92cc7e939b80f18e1cb8dab35418ac51348e3fd1825a3696/analysis/; classtype:trojan-activity; sid:38651; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PWOBot variant download attempt"; flow:to_client,established; file_data; content:"|22 E5 8E 5B E9 10 DB C2 74 3C 39 10 F8 D0 62 86 1F 0C 8E 1D 87 33 BC A7 84 24 54 5A F5 E2 10 23 B3 7E 48 28|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/373f91994b684b056f77958b40155cf34b1f24b401831d7a1dd53b2e6ba92ce9/analysis/; classtype:trojan-activity; sid:38650; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_server,established; file_data; content:"|56 E8 C7 02 00 00 C1 F8 05 56 8D 3C 85 00 34 43 00 E8 B7 02 00 00 83 E0 1F 59 C1 E0 06 03 07 59 EB 05 B8 D0|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/61a12cf8f95e38e26f3f24c96ebf8d3a1c5e363f692aea6cc3297005c982fa2c/analysis/; classtype:trojan-activity; sid:38893; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Maktub variant download attempt"; flow:to_client,established; file_data; content:"|56 E8 C7 02 00 00 C1 F8 05 56 8D 3C 85 00 34 43 00 E8 B7 02 00 00 83 E0 1F 59 C1 E0 06 03 07 59 EB 05 B8 D0|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/61a12cf8f95e38e26f3f24c96ebf8d3a1c5e363f692aea6cc3297005c982fa2c/analysis/; classtype:trojan-activity; sid:38892; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Flopex outbound communication attempt"; flow:to_server,established; content:"/vip_asshole/"; http_uri; content:".zip"; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/535E4DC11B4F0FAF749957423CDACEE56EA6AF9357446ED6BFFB22C76CCD2FD2/analysis/; classtype:trojan-activity; sid:39357; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Lamer outbound communication attempt"; flow:to_server,established; content:"/kills.txt"; fast_pattern:only; http_uri; urilen:10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/F9FE186D004EC0230DE6046FF2DBDEB7E0258F5238B8F66691E80239BDDE4DE1/analysis/; classtype:trojan-activity; sid:39356; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Ranscam initial download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"RiRJLCalUypXCLPRiRJLCalUypXCLPERJuNBYECvZYdYUERJuNBYECvZYdYU"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/9541fadfa0c779bcbae5f2567f7b163db9384b7ff6d44f525fea3bb2322534de/analysis/; classtype:trojan-activity; sid:39637; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER MKVIS outbound communication attempt"; flow:to_server,established; content:"/panel/insert"; fast_pattern:only; http_uri; urilen:14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39713; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Xtrat outbound connection detected"; flow:to_server,established; content:"/plugin.xtr"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,virustotal.com/en/file/E7153E30727FD7BEFD7BE78CC3CB0F7D552B26E550BAB46D0CA91D363E09FDD3/analysis/; classtype:trojan-activity; sid:39734; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.Alfa download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"uVUcRZwMC8MDb1ozfB9"; fast_pattern:only; content:"K4WbE6jpTMBSY79c5M1"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/606a9e10404805fd67180adf9bbbf43e74f9c4784ad2d41d825c4e64bfccba85/analysis/; classtype:trojan-activity; sid:39769; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Alfa download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"uVUcRZwMC8MDb1ozfB9"; fast_pattern:only; content:"K4WbE6jpTMBSY79c5M1"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/606a9e10404805fd67180adf9bbbf43e74f9c4784ad2d41d825c4e64bfccba85/analysis/; classtype:trojan-activity; sid:39768; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Downloader.Ogimant outbound connection detected"; flow:to_server,established; content:"/data_get_params"; fast_pattern:only; nocase; http_uri; content:"files="; nocase; http_uri; content:"name="; nocase; http_uri; content:"rnd="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/7A836A89AFE265CBD8D09656B7B6A70967667BDC9A0594BBAD29E78BADF8E590/analysis/; classtype:trojan-activity; sid:39766; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Retefe variant malicious certificate installation page"; flow:to_server,established; file_data; content:"icanhazip.com"; fast_pattern:only; content:"powershell"; nocase; content:"-Exec"; within:35; nocase; content:"Sleep"; nocase; content:"taskkill"; within:35; nocase; content:"iexplore"; within:35; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1086; reference:url,virustotal.com/en/file/0CF2C0165CDC3962AD8C3AC27258FDAB4DCECB7121BA97856B66D22FD77AEFCA/analysis/; classtype:trojan-activity; sid:39756; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Retefe variant malicious certificate installation page"; flow:to_client,established; file_data; content:"icanhazip.com"; fast_pattern:only; content:"powershell"; nocase; content:"-Exec"; within:35; nocase; content:"Sleep"; nocase; content:"taskkill"; within:35; nocase; content:"iexplore"; within:35; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1086; reference:url,virustotal.com/en/file/0CF2C0165CDC3962AD8C3AC27258FDAB4DCECB7121BA97856B66D22FD77AEFCA/analysis/; classtype:trojan-activity; sid:39755; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.Apocalypse download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|8A 0D 40 30 40 00 8A D0 80 EA 4B 32 D0 8A D8 02 DB 02 D3 02 D1 80 C2 2D 30 14 28 40 3B C7 72 E6|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/aab148f9445f8ea69a6992a245037919b96c7b6457d35732f4171e371359aee5/analysis/; classtype:trojan-activity; sid:39747; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Apocalypse download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|8A 0D 40 30 40 00 8A D0 80 EA 4B 32 D0 8A D8 02 DB 02 D3 02 D1 80 C2 2D 30 14 28 40 3B C7 72 E6|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/aab148f9445f8ea69a6992a245037919b96c7b6457d35732f4171e371359aee5/analysis/; classtype:trojan-activity; sid:39746; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.FakeRean outbound connection detection"; flow:to_server,established; content:"/httpss/ldr123.php?"; fast_pattern:only; http_uri; content:"v="; nocase; http_uri; content:"step="; nocase; http_uri; content:"hostid="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/E60BD65D7AC152B595C3ABCC15BB5E0F63FA21B696F51C339B4AF1739B1CDCB6/analysis/; classtype:trojan-activity; sid:39745; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected"; flow:to_server,established; content:"/api_v2/json/send/executereport"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/3215E4CD183D9C35BACFF1791F67B89E83D7FA03E937D64BCC909D8E339B6DEB/analysis/; classtype:trojan-activity; sid:39806; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected"; flow:to_server,established; content:"/api_v2/json/send/analyticsreport"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/3215E4CD183D9C35BACFF1791F67B89E83D7FA03E937D64BCC909D8E339B6DEB/analysis/; classtype:trojan-activity; sid:39805; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected"; flow:to_server,established; content:"/api_v2/json/send/errorreport"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/3215E4CD183D9C35BACFF1791F67B89E83D7FA03E937D64BCC909D8E339B6DEB/analysis/; classtype:trojan-activity; sid:39804; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Adware.Dlhelper outbound connection detected"; flow:to_server,established; content:"/api_v2/"; nocase; http_uri; content:"/get/initialization"; within:30; http_uri; content:"data="; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/3215E4CD183D9C35BACFF1791F67B89E83D7FA03E937D64BCC909D8E339B6DEB/analysis/; classtype:trojan-activity; sid:39803; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-OTHER Win.Trojan.CrypMIC outbound connection detected"; flow:to_server,established; content:"|00|BOTIDB"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,virustotal.com/en/file/fdbe8ae58b15a3d35edfa09cb46d0a5ec7b5836e59dad926244d410b7eccac44/analysis/; classtype:trojan-activity; sid:39830; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Lethic outbound connection detected"; flow:to_server,established; content:"/ip/header"; fast_pattern:only; http_uri; content:"id_ip="; nocase; http_uri; content:"id_provider="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/707B2ED8F4B6183E61FBD5057FB769E1623B08602DA70210E9AE65C32D8113C3/analysis/; classtype:trojan-activity; sid:39807; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt"; flow:to_server,established; file_data; content:"{|5C|rt"; nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|objclass Package}"; distance:0; nocase; content:"2e65786500"; nocase; content:"004d5a"; within:6; distance:6; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/a9cafe63c7530e0ad5adba507e6406221c8971f6d93ec711d577605ec394f124/analysis/; classtype:trojan-activity; sid:39907; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt"; flow:to_client,established; file_data; content:"{|5C|rt"; nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|objclass Package}"; distance:0; nocase; content:"2e65786500"; nocase; content:"004d5a"; within:6; distance:6; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/a9cafe63c7530e0ad5adba507e6406221c8971f6d93ec711d577605ec394f124/analysis/; classtype:trojan-activity; sid:39906; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-OTHER Rtf.Dropper.Agent-1404614 SMTP upload attempt"; flow:to_server,established; flowbits:isset,file.rtf.embed; file_data; content:"2e65786500"; nocase; content:"004d5a"; within:6; distance:6; metadata:impact_flag red, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/a9cafe63c7530e0ad5adba507e6406221c8971f6d93ec711d577605ec394f124/analysis/; classtype:trojan-activity; sid:39905; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Rtf.Dropper.Agent-1404614 download attempt"; flow:to_client,established; flowbits:isset,file.rtf.embed; file_data; content:"2e65786500"; nocase; content:"004d5a"; within:6; distance:6; metadata:impact_flag red, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/a9cafe63c7530e0ad5adba507e6406221c8971f6d93ec711d577605ec394f124/analysis/; classtype:trojan-activity; sid:39904; rev:1;)
alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER pisloader DNS sinfo command response attempt"; flow:to_server; content:"|81 80|"; offset:2; content:"|01|"; distance:1; content:"|01|"; distance:2; content:"|08|"; content:"ONUWM3Y"; distance:1; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,www.virustotal.com/en/domain/ns1.logitech-usa.com/information/; classtype:trojan-activity; sid:39929; rev:1;)
alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER pisloader DNS open command response attempt"; flow:to_server; content:"|81 80|"; offset:2; content:"|01|"; distance:1; content:"|01|"; distance:2; content:"|08|"; content:"N5YGK3Q"; distance:1; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,www.virustotal.com/en/domain/ns1.logitech-usa.com/information/; classtype:trojan-activity; sid:39928; rev:1;)
alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER pisloader DNS list command response attempt"; flow:to_server; content:"|81 80|"; offset:2; content:"|01|"; offset:1; content:"|01|"; distance:2; content:"|08|"; content:"NRUXG5A"; distance:1; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,www.virustotal.com/en/domain/ns1.logitech-usa.com/information/; classtype:trojan-activity; sid:39927; rev:1;)
alert udp $HOME_NET 53 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER pisloader DNS drive command response attempt"; flow:to_server; content:"|81 80|"; offset:2; content:"|01|"; distance:1; content:"|01|"; distance:2; content:"|09|"; content:"MRZGS5TF"; distance:1; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service dns; reference:url,www.virustotal.com/en/domain/ns1.logitech-usa.com/information/; classtype:trojan-activity; sid:39926; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Andr.Trojan.KungFu variant download"; flow:to_server,established; file_data; content:"|FB 97 A0 BB EF C1 3F 84 F4 AE C0 B9 90 E7 7B E8 FD 13 D8 F3 2D B0 83 C5 B0 AF 7C B4 3B 00 1F D6 0E F0 16 DA|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/6c4aebf5043ea6129122ebf482366c9f7cb5fbe02e2bb776345d32d89b77a2e0/analysis/; classtype:trojan-activity; sid:39975; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Andr.Trojan.KungFu variant download"; flow:to_client,established; file_data; content:"|FB 97 A0 BB EF C1 3F 84 F4 AE C0 B9 90 E7 7B E8 FD 13 D8 F3 2D B0 83 C5 B0 AF 7C B4 3B 00 1F D6 0E F0 16 DA|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/6c4aebf5043ea6129122ebf482366c9f7cb5fbe02e2bb776345d32d89b77a2e0/analysis/; classtype:trojan-activity; sid:39974; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"function contains(healing, reproduce) {"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40057; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"function contains(healing, reproduce) {"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40056; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"function ProcessFolder(chickaPath)"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40055; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"WScript"; fast_pattern; content:"Quit"; within:25; content:"Windows_NT"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40054; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"WScript"; fast_pattern; content:"Quit"; within:25; content:"'+'"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40053; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"function ProcessFolder(chickaPath)"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40052; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"WScript"; fast_pattern; content:"Quit"; within:25; content:"Windows_NT"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40051; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"WScript"; fast_pattern; content:"Quit"; within:25; content:"'+'"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40050; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"String.prototype."; fast_pattern; content:"= function () { return this.substr(0, 1)|3B| }|3B|"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40202; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"String.prototype."; fast_pattern; content:"= function () { return this.substr(0, 1)|3B| }|3B|"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40201; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"WScript.Echo"; fast_pattern:only; content:"|3B|}()) + (function"; content:"(){return"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40200; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"WScript.Echo"; fast_pattern:only; content:"|3B|}()) + (function"; content:"(){return"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40199; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"WScript.CreateObject"; fast_pattern:only; content:"typeof WScript.StdErr"; content:"|22| + |22|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40198; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"WScript.CreateObject"; fast_pattern:only; content:"typeof WScript.StdErr"; content:"|22| + |22|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40197; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"WScript.Quit"; fast_pattern:only; content:"|22|+|22|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40196; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"WScript.Quit"; fast_pattern:only; content:"|22|+|22|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40195; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"String.fromCharCode"; fast_pattern:only; content:"this.x ="; content:"this.y ="; content:"this.selectedFrame = 0|3B|"; content:"this.getNew(index)|3B|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40194; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"String.fromCharCode"; fast_pattern:only; content:"this.x ="; content:"this.y ="; content:"this.selectedFrame = 0|3B|"; content:"this.getNew(index)|3B|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40193; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_server,established; file_data; content:"CreateObject"; fast_pattern:only; content:"system32"; content:"|22|+|22|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40192; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Swabfex download attempt"; flow:to_client,established; file_data; content:"CreateObject"; fast_pattern:only; content:"system32"; content:"|22|+|22|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0DF6CC6D1A8CB0CC3B4BBCC38425A839B577AE1F962335C52A2F50EFB1B76FCE/analysis/; classtype:trojan-activity; sid:40191; rev:1;)
# alert tcp $EXTERNAL_NET [80,65520] -> $HOME_NET any (msg:"MALWARE-OTHER Virut CnC command reply"; flow:to_client,established; content:":Hi virtu|0A|:irc"; fast_pattern:only; content:":End of /MOTD command."; metadata:impact_flag red, policy security-ips drop; reference:url,virustotal.com/en/file/56c0e8231989deb494559ac4e5589c504c31b9137f05ca8c75ffcb8cbef7b58d/analysis/; classtype:trojan-activity; sid:40871; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Flokibot variant download attempt"; flow:to_server,established; file_data; content:"Hash: 0x%x not loaded."; fast_pattern:only; content:"|00|B|00|O|00|T|00|3|00|2|00|"; nocase; content:"|00|K|00|E|00|Y|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03/analysis/; classtype:trojan-activity; sid:40913; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Flokibot variant download attempt"; flow:to_client,established; file_data; content:"Hash: 0x%x not loaded."; fast_pattern:only; content:"|00|B|00|O|00|T|00|3|00|2|00|"; nocase; content:"|00|K|00|E|00|Y|00|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/0aa1f07a2ebcdd42896d3d8fdb5e9a9fef0f4f894d2501b9cbbe4cbad673ec03/analysis/; classtype:trojan-activity; sid:40912; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Dos.Tool.LOIC TCP default U dun goofed attack"; flow:established,to_server; content:"U dun goofed"; fast_pattern:only; content:"U dun goofed"; depth:12; content:"U dun goofed"; content:"U dun goofed"; reference:url,attack.mitre.org/techniques/T1078; reference:url,sourceforge.net/projects/loic/; classtype:attempted-dos; sid:41440; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"-window hidden -e cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABl"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/33ee8a57e142e752a9c8960c4f38b5d3ff82bf17ec060e4114f5b15d22aa902e/analysis/; classtype:trojan-activity; sid:41659; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.MagicHound dropper document file detected"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"-window hidden -e cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABl"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/33ee8a57e142e752a9c8960c4f38b5d3ff82bf17ec060e4114f5b15d22aa902e/analysis/; classtype:trojan-activity; sid:41658; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER VBScript potential executable write attempt"; flow:to_client,established; file_data; content:"CreateObject"; content:"Scripting.FileSystemObject"; within:50; fast_pattern; content:"CreateObject"; content:"WScript.Shell"; within:40; content:"</script"; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ecfb852662d8127673332939f8b062645797e91bce6acae0615e24334a3df2ad/analysis/; classtype:trojan-activity; sid:41660; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Downloader.Carp variant download attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"V1NjcmlwdC5TaGVsbA=="; content:"TWljcm9zb2Z0LlhNTERPTQ=="; content:"YmluLmJhc2U2NA=="; content:"QURPREIuU3RyZWFt"; content:"JUFQUERBVEEl"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/10f53502922bf837900935892fb1da28fc712848471bf4afcdd08440d3bd037f/analysis/; classtype:trojan-activity; sid:42825; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Downloader.Carp variant download attempt"; flow:to_server,established; flowbits:isset,file.xls; file_data; content:"WEUxcFkzSnZjMjltZEM1T1JWUmNSbkpoYldWM2IzSnJYSFkwTGpBdU16QXpNVGxjWTNOakxtVjRaUT0"; fast_pattern:only; content:"TDNSaGNtZGxkRHAzYVc1bGVHVWdMMjkxZERvaQ=="; content:"TG1WNFpRPT0="; content:"TG1Oeg=="; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/10f53502922bf837900935892fb1da28fc712848471bf4afcdd08440d3bd037f/analysis/; classtype:trojan-activity; sid:42824; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Downloader.Carp variant download attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"V1NjcmlwdC5TaGVsbA=="; content:"TWljcm9zb2Z0LlhNTERPTQ=="; content:"YmluLmJhc2U2NA=="; content:"QURPREIuU3RyZWFt"; content:"JUFQUERBVEEl"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/10f53502922bf837900935892fb1da28fc712848471bf4afcdd08440d3bd037f/analysis/; classtype:trojan-activity; sid:42823; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Downloader.Carp variant download attempt"; flow:to_client,established; flowbits:isset,file.xls; file_data; content:"WEUxcFkzSnZjMjltZEM1T1JWUmNSbkpoYldWM2IzSnJYSFkwTGpBdU16QXpNVGxjWTNOakxtVjRaUT0"; fast_pattern:only; content:"TDNSaGNtZGxkRHAzYVc1bGVHVWdMMjkxZERvaQ=="; content:"TG1WNFpRPT0="; content:"TG1Oeg=="; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/10f53502922bf837900935892fb1da28fc712848471bf4afcdd08440d3bd037f/analysis/; classtype:trojan-activity; sid:42822; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.NemucodAES variant outbound connection"; flow:to_server,established; content:"/counter?000000"; depth:15; http_uri; content:!"Referer|3A|"; nocase; http_header; content:"Accept: */*"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/1acf051c4d42f6fc2105a489b945e68c57e93a76f562263e2fc6376384fa57e3/analysis/; classtype:trojan-activity; sid:43686; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Nemucod variant outbound connection"; flow:to_server,established; content:"Connection|3A| Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; http_header; urilen:<25; content:"="; depth:10; http_client_body; content:"%"; within:5; http_client_body; content:"%"; within:10; http_client_body; content:"%"; within:10; http_client_body; content:"%"; within:10; http_client_body; content:"%"; within:10; http_client_body; content:!"Cookie: "; http_header; content:"x-requested-with|3A| XMLHttpRequest"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/af211ceb9cb5d507ec76f481b346241acd8f1107718840459c6e60367e23a4cc/analysis/; classtype:trojan-activity; sid:43685; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Nemucod variant file download"; flow:to_server,established; content:"/counter/"; http_uri; content:".exe"; within:10; http_uri; content:!"Referer|3A|"; nocase; http_header; content:"Accept: */*"; nocase; http_header; content:"Connection|3A| Keep-Alive|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/634c006c5932617264afe7bd916c48d2f2e8043f8cbd513182f46c8f05985b6c/analysis/; classtype:trojan-activity; sid:43684; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-OTHER Win.Ransomware.Sorebrect download attempt"; flow:to_server,established; file_data; content:"|25 00 00 FF 00 81 F1 00 00 00 01 81 E1 00 00 00 FF 33 C8 8B C3 C1 E8 18 0F B6 04 85 68 1C 41 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76/analysis/; classtype:trojan-activity; sid:43443; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Sorebrect download attempt"; flow:to_client,established; file_data; content:"|25 00 00 FF 00 81 F1 00 00 00 01 81 E1 00 00 00 FF 33 C8 8B C3 C1 E8 18 0F B6 04 85 68 1C 41 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/4142ff4667f5b9986888bdcb2a727db6a767f78fe1d5d4ae3346365a1d70eb76/analysis/; classtype:trojan-activity; sid:43442; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan-Downloader.Jadtree GET request of RAR file to server"; flow:to_server, established; content:"/aa/zz.rar"; fast_pattern:only; http_uri; content:"User-Agent|3A| "; http_header; pcre:"/User-Agent\x3A\x20\d+?\x0D\x0A/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/2be5f5f01cb308f6bafdc8e7060124abc73de518e2539f2309f1e002f7c6836b/analysis/; classtype:trojan-activity; sid:43221; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Malware.Emotet variant lateral propagation"; flow:to_server,established; flowbits:isset,emotet.file_copy; content:"W|00|i|00|n|00|d|00|o|00|w|00|s|00 20 00|D|00|e|00|f|00|e|00|n|00|d|00|e|00|r|00 20 00|S|00|y|00|s|00|t|00|e|00|m|00 20 00|S|00|e|00|r|00|v|00|i|00|c|00|e|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/file/8d8b45aa8724458ea7711f13ee237bbd3e4c77669ebd91109b94620ecc52bc72/analysis/; classtype:trojan-activity; sid:43892; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Malware.Emotet variant lateral propagation"; flow:to_server,established; content:"|00|"; depth:1; content:"|FE|SMB@|00|"; within:6; distance:3; content:"|05 00|"; within:2; distance:6; content:"|39 00 00|"; within:3; distance:50; byte_extract:2,41,filename_offset,relative,little; content:"m|00|y|00|.|00|e|00|x|00|e|00 00|"; within:filename_offset; distance:-97; flowbits:set,emotet.file_copy; flowbits:noalert; metadata:impact_flag red, service netbios-ssn; reference:url,www.virustotal.com/file/8d8b45aa8724458ea7711f13ee237bbd3e4c77669ebd91109b94620ecc52bc72/analysis/; classtype:trojan-activity; sid:43891; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt"; flow:to_server,established; flowbits:isset,file.doc|file.docm; file_data; content:"OriginalDocumentID=|22|xmp.did:3398146C2C26E711A28FA3D548E093FD|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/583ddb480b42d04c7a8f960d950c7d52b46ed840354ae5cfa44d3c49e5239cab/detection; classtype:trojan-activity; sid:43976; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Hermit variant malicious dropper download attempt"; flow:to_client,established; flowbits:isset,file.doc|file.docm; file_data; content:"OriginalDocumentID=|22|xmp.did:3398146C2C26E711A28FA3D548E093FD|22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/583ddb480b42d04c7a8f960d950c7d52b46ed840354ae5cfa44d3c49e5239cab/detection; classtype:trojan-activity; sid:43975; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Nemucod file download"; flow:to_server,established; content:"/counter/?"; depth:10; fast_pattern; nocase; http_uri; content:"="; within:3; http_uri; content:"&"; distance:33; http_uri; content:"="; within:4; http_uri; content:!"Referer|3A|"; nocase; http_header; pcre:"/^\/counter\/\?[ai]d?\x3D/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/ba5f5f144f1d1dc555f7abef1b55a44d9bc815f51398a849145aadc7ee285411/analysis/; reference:url,www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/; classtype:trojan-activity; sid:44078; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-OTHER GHBkdr TLS Handshake spoof runtime detection"; flow:to_server,established; content:"|16 03 02 00 81 01 00 00 7D 03 02|"; content:"|00 00 18 C0 14 C0 13 00 39 00 33 00 35 00 2F C0 0A C0 09 00 38 00 32 00 0A 00 13 01 00 00 3C 00 00 00 16 00 14 00 00 11|www.microsoft.com|00 05 00 05 01 00 00 00 00 00 0A 00 06 00 04 00 17 00 18 00 0B 00 02 01 00 00 17 00 00 FF 01 00 01 00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1195; reference:url,blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html; classtype:trojan-activity; sid:44475; rev:2;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-OTHER GHBkdr TLS Change Cipher spoof runtime detection"; flow:to_server,established; content:"|14 03 02 00 01 01 16 03 02 00 40 9D 6D CF 97 6A A0 67 DE 89 7C D1 E4 E3 DB 85 84 BB DF 54 7D 86 D3 C6 C8 99 F6 05 BA 5B 41 DD 9E 9F E6 6E 49 38 9A 3D 50 DD 2E 9C 61 56 6E 4C 9F CF B9 57 EE 80 E8 57 77 F4 F2 47 11 B8 82 B0 D7|"; fast_pattern:only; rawbytes; metadata:impact_flag red, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1195; reference:url,blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html; classtype:trojan-activity; sid:44474; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt"; flow:to_server,established; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|09 00|cscc.dat|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648/analysis/; classtype:trojan-activity; sid:44650; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00|"; within:2; distance:8; content:"c|00|s|00|c|00|c|00|.|00|d|00|a|00|t"; nocase; content:!"|00 5C 00|"; within:3; distance:-18; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648/analysis/; classtype:trojan-activity; sid:44649; rev:3;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB transfer attempt"; flow:to_server,established; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|0B 00|infpub.dat|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648/analysis/; classtype:trojan-activity; sid:44648; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SMB2 transfer attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00|"; within:2; distance:8; content:"i|00|n|00|f|00|p|00|u|00|b|00|.|00|d|00|a|00|t"; nocase; content:!"|00 5C 00|"; within:3; distance:-22; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648/analysis/; classtype:trojan-activity; sid:44647; rev:3;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.BadRabbit propagation via SVCCTL remote service attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|5C 00|r|00|u|00|n|00|d|00|l|00|l|00|3|00|2|00|.|00|e|00|x|00|e"; fast_pattern:only; content:"|5C 00|i|00|n|00|f|00|p|00|u|00|b|00|.|00|d|00|a|00|t"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service dcerpc; reference:url,attack.mitre.org/techniques/T1021; reference:url,attack.mitre.org/techniques/T1133; reference:url,attack.mitre.org/techniques/T1210; reference:url,www.virustotal.com/en/file/579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648/analysis/; classtype:trojan-activity; sid:44646; rev:4;)
alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Win.Ransomware.Kristina encryption over SMB attempt"; flow:to_client,established; content:"|FF|SMB"; depth:4; offset:4; content:"|32|"; within:1; content:"p|00|r|00|o|00|t|00|o|00|n|00|m|00|a|00|i|00|l|00 2E 00|c|00|h|00 2E 00|c|00|r|00|y|00|p|00|t|00|1|00|2|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/#/file/2980f3d4b10436aeec95f5b96e52ac1248be6649d7cfa26bade4203fe1de88c7/detection; classtype:trojan-activity; sid:44982; rev:1;)
alert tcp $HOME_NET [139,445] -> $EXTERNAL_NET any (msg:"MALWARE-OTHER Win.Ransomware.Kristina encryption over SMB attempt"; flow:to_client,established; content:"|FE|SMB"; depth:4; offset:4; content:"|0E 00|"; within:2; distance:8; content:"p|00|r|00|o|00|t|00|o|00|n|00|m|00|a|00|i|00|l|00 2E 00|c|00|h|00 2E 00|c|00|r|00|y|00|p|00|t|00|1|00|2|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/#/file/2980f3d4b10436aeec95f5b96e52ac1248be6649d7cfa26bade4203fe1de88c7/detection; classtype:trojan-activity; sid:44981; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.Samsam upload attempt"; flow:to_server,established; content:"|00 00 0A 2C 08 06 16 9A 28|"; content:"|00 00 0A 02 16 9A 28 03 00 00 06 28|"; within:12; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/8eabfa74d88e439cfca9ccabd0ee34422892d8e58331a63bea94a7c4140cf7ab/analysis/; classtype:trojan-activity; sid:45486; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB2 transfer attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00|"; within:2; distance:8; byte_jump:4,98,relative,little,from_beginning; content:".|00|s|00|t|00|u|00|b|00|b|00|i|00|n|00|"; within:16; distance:-18; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/8eabfa74d88e439cfca9ccabd0ee34422892d8e58331a63bea94a7c4140cf7ab/analysis/; classtype:trojan-activity; sid:45485; rev:2;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.Samsam propagation via SMB transfer attempt"; flow:to_server,established; content:"|FF|SMB|A2|"; depth:5; offset:4; content:".stubbin|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/en/file/8eabfa74d88e439cfca9ccabd0ee34422892d8e58331a63bea94a7c4140cf7ab/analysis/; classtype:trojan-activity; sid:45484; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Ursnif variant download attempt"; flow:to_server,established; content:"/_private/php3.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/fb58d736c09fe1f05a36c2fe2c0ce3cfe03ece885ba8272000355e35600aef17/analysis/; classtype:trojan-activity; sid:45565; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt"; flow:to_server; flowbits:isset,file.exe; file_data; content:"Release|5C|Thanatos.pdb"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/fe1eafb8e31a84c14ad5638d5fd15ab18505efe4f1becaa36eb0c1d75cd1d5a9; classtype:trojan-activity; sid:45818; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Thanatos ransomware inbound download attempt"; flow:to_client; flowbits:isset,file.exe; file_data; content:"Release|5C|Thanatos.pdb"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/fe1eafb8e31a84c14ad5638d5fd15ab18505efe4f1becaa36eb0c1d75cd1d5a9; classtype:trojan-activity; sid:45817; rev:1;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER VBscript downloader detected"; flow:to_server,established; file_data; content:"CreateObject("; fast_pattern; content:"WScri"; within:10; content:"Shell"; within:20; content:"Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B|"; nocase; content:"XMLHTTP"; nocase; content:"Adodb.streaM"; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/22F04BD5408320E4F309AAECB0CAFB26A5740A66F50CF0356A1EDA46B77064E2/detection; classtype:trojan-activity; sid:46092; rev:1;)
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER VBscript downloader detected"; flow:to_client,established; file_data; content:"CreateObject("; fast_pattern; content:"WScri"; within:10; content:"Shell"; within:20; content:"Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B|"; nocase; content:"XMLHTTP"; nocase; content:"Adodb.streaM"; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/22F04BD5408320E4F309AAECB0CAFB26A5740A66F50CF0356A1EDA46B77064E2/detection; classtype:trojan-activity; sid:46091; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.SynAck download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|6A 01 8B 44 24 30 33 44 24 38 50 48 8D 05|"; content:"|48 2D|"; within:2; distance:4; content:"|FF D0 50|"; within:3; distance:4; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/7b53a00b3a8859755f6144cb2149673fa17fdd6e439cbfdee21a7a513e6395b2/; classtype:trojan-activity; sid:46752; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.SynAck download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|6A 01 8B 44 24 30 33 44 24 38 50 48 8D 05|"; content:"|48 2D|"; within:2; distance:4; content:"|FF D0 50|"; within:3; distance:4; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/7b53a00b3a8859755f6144cb2149673fa17fdd6e439cbfdee21a7a513e6395b2/; classtype:trojan-activity; sid:46751; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|toknowall|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/domain/toknowall.com/information/; classtype:trojan-activity; sid:46807; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Ransomware.Satan payload download"; flow:to_server,established; content:"/cab/sts.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee/analysis/; classtype:trojan-activity; sid:46819; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER GPON exploit download attempt"; flow:established,to_server; file_data; content:"/GponForm/diag_Form?images/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:cve,2018-10561; reference:url,vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:trojan-activity; sid:46841; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER GPON exploit download attempt"; flow:to_client,established; file_data; content:"/GponForm/diag_Form?images/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:cve,2018-10561; reference:url,vpnmentor.com/blog/critical-vulnerability-gpon-router/; classtype:trojan-activity; sid:46840; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.MBRLock file download"; flow:to_server,established; file_data; content:"woshixiaoxuesheng"; fast_pattern; content:"taskkill"; distance:-150; nocase; content:"password"; within:150; nocase; content:"PhysicalDrive"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38/analysis/; classtype:trojan-activity; sid:46989; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.MBRLock file download"; flow:to_client,established; file_data; content:"woshixiaoxuesheng"; fast_pattern; content:"taskkill"; distance:-150; nocase; content:"password"; within:150; nocase; content:"PhysicalDrive"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38/analysis/; classtype:trojan-activity; sid:46988; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.Annabelle file download"; flow:to_server,established; file_data; content:"PhysicalDrive"; fast_pattern:only; content:"|6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 10|"; content:"|6A 00 8D 45 EC 50 68 00 80 00 00 8D 85 E4|"; within:50; content:"taskkill"; content:"shutdown"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/7a243bcbff4309eafd287ecc124606171724da76fc3c1896002e5f7392b13df3/analysis/; classtype:trojan-activity; sid:46987; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Annabelle file download"; flow:to_client,established; file_data; content:"PhysicalDrive"; fast_pattern:only; content:"|6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 10|"; content:"|6A 00 8D 45 EC 50 68 00 80 00 00 8D 85 E4|"; within:50; content:"taskkill"; content:"shutdown"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/7a243bcbff4309eafd287ecc124606171724da76fc3c1896002e5f7392b13df3/analysis/; classtype:trojan-activity; sid:46986; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Portable Executable containing CoinHive download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"coinhive.min.js"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,coinhive.com/documentation/miner; classtype:policy-violation; sid:47021; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Portable Executable containing CoinHive download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"coinhive.min.js"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,coinhive.com/documentation/miner; classtype:policy-violation; sid:47020; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER HTA script hidden window execution attempt"; flow:to_client,established; file_data; content:"window.moveTo"; nocase; content:"-"; within:5; content:"window.resizeTo"; within:400; distance:-200; nocase; byte_test:8,<,1,1,relative,string,dec; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/240b7d2825183226af634d3801713b0e0f409eb3e1e48e1d36c96d2b03d8836b/analysis/; classtype:trojan-activity; sid:47077; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script"; flow:to_client,established; file_data; content:"chmod +x /tmp"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6/detection; classtype:trojan-activity; sid:47873; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script"; flow:to_server,established; file_data; content:"chmod +x /tmp"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6/detection; classtype:trojan-activity; sid:47872; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script"; flow:to_client,established; file_data; content:"chmod 777 /tmp"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6/detection; classtype:trojan-activity; sid:47871; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Unix.Miner.Xbash variant dropped bash script"; flow:to_server,established; file_data; content:"chmod 777 /tmp"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6/detection; classtype:trojan-activity; sid:47870; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAA"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6/detection; classtype:trojan-activity; sid:47869; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Img.Trojan.Xbash variant PNG file with an embedded Windows executable"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAA"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/d7fbd2a4db44d86b4cf5fa4202203dacfefd6ffca6a0615dca5bc2a200ad56b6/detection; classtype:trojan-activity; sid:47868; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation"; flow:to_server,established; file_data; content:"|5C|x70|5C|x6F|5C|x77|5C|x65|5C|x72|5C|x73|5C|x68|5C|x65|5C|x6C|5C|x6C|5C|x2E|5C|x65|5C|x78|5C|x65|5C|x20|5C|x2D|5C|x65|5C|x78|5C|x65|5C|x63|5C|x75|5C|x74|5C|x69|5C|x6F|5C|x6E|5C|x70|5C|x6F|5C|x6C|5C|x69|5C|x63|5C|x79|5C|x20|5C|x62|5C|x79|5C|x70|5C|x61|5C|x73|5C|x73"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1086; reference:url,www.virustotal.com/#/file/f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8/detection; classtype:trojan-activity; sid:47867; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Html.Dropper.Xbash variant obfuscated powershell invocation"; flow:to_client,established; file_data; content:"|5C|x70|5C|x6F|5C|x77|5C|x65|5C|x72|5C|x73|5C|x68|5C|x65|5C|x6C|5C|x6C|5C|x2E|5C|x65|5C|x78|5C|x65|5C|x20|5C|x2D|5C|x65|5C|x78|5C|x65|5C|x63|5C|x75|5C|x74|5C|x69|5C|x6F|5C|x6E|5C|x70|5C|x6F|5C|x6C|5C|x69|5C|x63|5C|x79|5C|x20|5C|x62|5C|x79|5C|x70|5C|x61|5C|x73|5C|x73"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1086; reference:url,www.virustotal.com/#/file/f888dda9ca1876eba12ffb55a7a993bd1f5a622a30045a675da4955ede3e4cb8/detection; classtype:trojan-activity; sid:47866; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Downloader.DDECmdExec variant download"; flow:to_server,established; file_data; content:"cmd|7C 27|"; nocase; content:"|27 21|"; within:250; pcre:"/[=+-@](\w+\x28)?cmd\x7C\x27[^\x27]+\x27\x21\w+/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/wiki/Technique/T1173; classtype:trojan-activity; sid:47849; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Downloader.DDECmdExec variant download"; flow:to_client,established; file_data; content:"msiexec|7C 27|"; nocase; content:"|27 21|"; within:250; pcre:"/[=+-@](\w+\x28)?msiexec\x7C\x27[^\x27]+\x27\x21\w+/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/wiki/Technique/T1173; classtype:trojan-activity; sid:47848; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Downloader.DDECmdExec variant download"; flow:to_server,established; file_data; content:"powershell|7C 27|"; nocase; content:"|27 21|"; within:250; pcre:"/[=+-@](\w+\x28)?powershell\x7C\x27[^\x27]+\x27\x21\w+/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1086; reference:url,attack.mitre.org/wiki/Technique/T1173; classtype:trojan-activity; sid:47847; rev:2;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Downloader.DDECmdExec variant download"; flow:to_client,established; file_data; content:"powershell|7C 27|"; nocase; content:"|27 21|"; within:250; pcre:"/[=+-@](\w+\x28)?powershell\x7C\x27[^\x27]+\x27\x21\w+/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1086; reference:url,attack.mitre.org/wiki/Technique/T1173; classtype:trojan-activity; sid:47846; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Downloader.DDECmdExec variant download"; flow:to_server,established; file_data; content:"msiexec|7C 27|"; nocase; content:"|27 21|"; within:250; pcre:"/[=+-@](\w+\x28)?msiexec\x7C\x27[^\x27]+\x27\x21\w+/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/wiki/Technique/T1173; classtype:trojan-activity; sid:47845; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Downloader.DDECmdExec variant download"; flow:to_client,established; file_data; content:"cmd|7C 27|"; nocase; content:"|27 21|"; within:250; pcre:"/[=+-@](\w+\x28)?cmd\x7C\x27[^\x27]+\x27\x21\w+/i"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/wiki/Technique/T1173; classtype:trojan-activity; sid:47844; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Gorgon attempted download"; flow:to_server,established; file_data; content:"iuuq|3B|00"; content:"/fyf"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/eab34ac788bdb79377219faecd80f27d45981bc6ab203b868303aea1d278548c/detection; classtype:trojan-activity; sid:47454; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Gorgon attempted download"; flow:to_client,established; file_data; content:"iuuq|3B|00"; content:"/fyf"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/eab34ac788bdb79377219faecd80f27d45981bc6ab203b868303aea1d278548c/detection; classtype:trojan-activity; sid:47453; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Unix.Trojan.Agent variant download attempt"; flow:to_server,established; file_data; content:"|48 8B 45 E0 48 83 C0 3E 48 89 C7 E8|"; fast_pattern:only; content:"|89 D6 89 C7 E8|"; content:"|89 45 F8 83 7D F8 00|"; within:15; content:"|8B 45 F8 89 C7 E8|"; within:20; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/EBFFD115918F6D181DA6D8F5592DFFB3E4F08CD4E93DCF7B7F1A2397AF0580D9/analysis/; classtype:trojan-activity; sid:47381; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Unix.Trojan.Agent variant download attempt"; flow:to_client,established; file_data; content:"|48 8B 45 E0 48 83 C0 3E 48 89 C7 E8|"; fast_pattern:only; content:"|89 D6 89 C7 E8|"; content:"|89 45 F8 83 7D F8 00|"; within:15; content:"|8B 45 F8 89 C7 E8|"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/EBFFD115918F6D181DA6D8F5592DFFB3E4F08CD4E93DCF7B7F1A2397AF0580D9/analysis/; classtype:trojan-activity; sid:47380; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER known malicious user-agent string - DanaBot"; flow:to_server,established; content:"User-Agent|3A| buyer v."; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/4afad293675bcb39ac2a85307f074cc06410a48f2e14585718193648806521c4/analysis/; classtype:trojan-activity; sid:47326; rev:2;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.Gandcrab variant network share encryption attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"SMB"; within:3; distance:4; content:"|5C 00|K|00|R|00|A|00|B|00|-|00|D|00|E|00|C|00|R|00|Y|00|P|00|T|00|.|00|t|00|x|00|t|00|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/file/8d8b45aa8724458ea7711f13ee237bbd3e4c77669ebd91109b94620ecc52bc72/analysis/; classtype:trojan-activity; sid:47278; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt"; flow:to_server,established; file_data; content:"|00|C:|5C|ProgramData|5C|WindowsAppPool|5C|AppPool.vbs"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00; classtype:trojan-activity; sid:48421; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Bondupdater payload delivery attempt"; flow:to_client,established; file_data; content:"|00|C:|5C|ProgramData|5C|WindowsAppPool|5C|AppPool.vbs"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/7cbad6b3f505a199d6766a86b41ed23786bbb99dab9cae6c18936afdc2512f00; classtype:trojan-activity; sid:48420; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.tRat variant inbound payload attempt"; flow:to_server,established; content:"/dat"; fast_pattern:only; http_uri; urilen:4; content:"User-Agent: Windows Installer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/cdb8a02189a8739dbe5283f8bc4679bf28933adbe56bff6d050bad348932352b; classtype:trojan-activity; sid:48469; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.tRat variant inbound payload attempt"; flow:to_server,established; content:"/nfile/ma1o.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/7c3e462113992570ab81bf4298b16b02fed9451218dd5ea4da48bde2e25a2453; classtype:trojan-activity; sid:48468; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Unix.Trojan.Fastcash download attempt"; flow:to_client,established; file_data; content:"|39 22 FD 04 81 29 00 00 7D 2A 07 B4 39 3F 00 74 7D 43 53 78 7D 24 4B 78 38 A0 01 84|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/d465637518024262c063f4a82d799a4e40ff3381014972f24ea18bc23c3b27ee/detection; classtype:trojan-activity; sid:48572; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"JkmokJxowpfxFkogHpjimkfdxoM"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/4dcd46e838bb7a764bc35b4e4a3a2e693fedcda5334d54b982bea29b5f4887a3; classtype:trojan-activity; sid:48743; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"JkmokJxowpfxFkogHpjimkfdxoM"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/4dcd46e838bb7a764bc35b4e4a3a2e693fedcda5334d54b982bea29b5f4887a3; classtype:trojan-activity; sid:48742; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Trojan.Agent variant inbound payload attempt"; flow:to_client,established; file_data; content:"alert(|27|Please install new Font Manager to your Chrome!|27|)|3B|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/adfd949ac91187061b44d8c8415ec5003d26164ff57d6c47e4ecaf8c9b80795f; classtype:trojan-activity; sid:48741; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected"; flow:to_client,established; file_data; content:"camillesanz.com/lib/status.js"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/fa9b7233ce96b5fbff570b0550a1f1a36846aa0d3d99355a1719fab402508dbd; classtype:trojan-activity; sid:48720; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Trojan.Coinminer variant infected page detected"; flow:to_client,established; file_data; content:"siteverification.online/lib/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/fa9b7233ce96b5fbff570b0550a1f1a36846aa0d3d99355a1719fab402508dbd; classtype:trojan-activity; sid:48719; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Occamy inbound payload attempt"; flow:to_client,established; file_data; content:".wo.tc/js/lib/js.js"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/fa9b7233ce96b5fbff570b0550a1f1a36846aa0d3d99355a1719fab402508dbd; classtype:trojan-activity; sid:48718; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Trojan.MagentoCore infected page detected"; flow:to_client,established; file_data; content:"magento.name/mage/mage.js"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/fa9b7233ce96b5fbff570b0550a1f1a36846aa0d3d99355a1719fab402508dbd; classtype:trojan-activity; sid:48717; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Trojan.MagentoCore infected page detected"; flow:to_client,established; file_data; content:"magentocore.net/mage/mage.js"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/#/file/fa9b7233ce96b5fbff570b0550a1f1a36846aa0d3d99355a1719fab402508dbd; classtype:trojan-activity; sid:48716; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Dropper.Ramnit payload drop attempt"; flow:to_client,established; file_data; content:"DropFileName = |22|svchost.exe|22|"; fast_pattern:only; content:"WriteData = |22|4D5A900003"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/a6f2d42c1a404ddcef4365623541089c6f8b9f4b17489f87de2460a10956548f; classtype:trojan-activity; sid:48715; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Ransomware SamSam variant detected"; flow:to_client,established; file_data; content:"hdfgkhioiugyfyghdseertdfygu"; fast_pattern:only; content:"ghtrfdfdewsdfgtyhgjgghfdg"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337A; classtype:trojan-activity; sid:48814; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Ransomware SamSam variant detected"; flow:to_client,established; file_data; content:"*|00|.|00|n|00|i|00|k|00|e|00|2|00|0|00|1|00|8"; fast_pattern:only; content:"Program"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337A; classtype:trojan-activity; sid:48813; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Ransomware SamSam variant detected"; flow:to_client,established; file_data; content:"proteusdlll"; fast_pattern:only; content:"Class1"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337A; classtype:trojan-activity; sid:48812; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER SamSam associated file"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00|"; within:2; distance:8; byte_jump:4,98,relative,little,from_beginning; content:".|00|n|00|i|00|k|00|e|00|2|00|0|00|1|00|8"; within:17; distance:-18; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337A; classtype:trojan-activity; sid:48811; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Ransomware SamSam variant detected"; flow:to_client,established; file_data; content:"_StaticArrayInitTypeSize=13"; fast_pattern:only; content:"Rijndael"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337D; classtype:trojan-activity; sid:48806; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Ransomware SamSam variant detected"; flow:to_client,established; file_data; content:"*|00|.|00|s|00|t|00|u|00|b|00|b|00|i|00|n"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337D; classtype:trojan-activity; sid:48805; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Ransomware SamSam variant detected"; flow:to_client,established; file_data; content:"H|00|E|00|L|00|P|00|_|00|D|00|E|00|C|00|R|00|Y|00|P|00|T|00|_|00|Y|00|O|00|U|00|R|00|_|00|F|00|I|00|L|00|E|00|S"; content:"selfdel.exe"; content:"del.exe"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337C; classtype:trojan-activity; sid:48804; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER samsam.exe file name detected"; flow:to_client,established; file_data; content:"s|00|a|00|m|00|s|00|a|00|m|00|.|00|e|00|x|00|e"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,www.us-cert.gov/ncas/analysis-reports/AR18-337C; classtype:trojan-activity; sid:48803; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Shamoon propagation via SMB2 transfer attempt"; flow:to_server,established; content:"|FE|SMB"; depth:4; offset:4; content:"|05 00|"; within:2; distance:8; content:"P|00|r|00|o|00|g|00|r|00|a|00|m|00| |00|F|00|i|00|l|00|e|00|s|00 5C 00|I|00|n|00|t|00|e|00|r|00|n|00|e|00|t|00| |00|E|00|x|00|p|00|l|00|o|00|r|00|e|00|r|00 5C 00|s|00|i|00|g|00|n|00|i|00|n"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/file/35ceb84403efa728950d2cc8acb571c61d3a90decaf8b1f2979eaf13811c146b/analysis/; classtype:trojan-activity; sid:48784; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.L0rdix binary download attempt"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"c|00|o|00|n|00|n|00|e|00|c|00|t|00|.|00|p|00|h|00|p|00|"; content:"L0rdix"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/504c6e964c591cd6b4aac5193600058863a5c3c3b9ae7e5756315114fb032a11/detection; classtype:trojan-activity; sid:48856; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Mimikatz inbound payload download"; flow:to_server,established; content:"/mimikatz.exe"; fast_pattern:only; http_uri; content:"mimikatz.exe HTTP/"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/#/file/6bfc1ec16f3bd497613f57a278188ff7529e94eb48dcabf81587f7c275b3e86d; classtype:trojan-activity; sid:48871; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Js.Dropper.Agent variant inbound payload download"; flow:to_server,established; file_data; content:"-----[ http://MegaCrypter.Us ]----"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/8fe18a768769342be49ac33d2ba0653ba7f105a503075231719c376b6ded8846; classtype:trojan-activity; sid:48870; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Js.Dropper.Agent variant inbound payload download"; flow:to_client,established; file_data; content:"-----[ http://MegaCrypter.Us ]----"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/8fe18a768769342be49ac33d2ba0653ba7f105a503075231719c376b6ded8846; classtype:trojan-activity; sid:48869; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Unix.Rocke.Evasion variant dropped bash script"; flow:to_client,established; file_data; content:"ps aux |7C| grep |2D|i"; content:"|5B|y|5D|unjing"; within:12; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/2e3e8f980fde5757248e1c72ab8857eb2aea9ef4a37517261a1b013e3dc9e3c4/detection; classtype:trojan-activity; sid:48939; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Unix.Rocke.Evasion variant dropped bash script"; flow:to_client,established; file_data; content:"ps aux |7C| grep |2D|i"; content:"|5B|a|5D|liyun"; within:12; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/2e3e8f980fde5757248e1c72ab8857eb2aea9ef4a37517261a1b013e3dc9e3c4/detection; classtype:trojan-activity; sid:48938; rev:1;)
alert tcp $HOME_NET any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Ransomware.Anatova variant network share encryption attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"SMB"; within:3; distance:4; content:"|5C 00|A|00|N|00|A|00|T|00|O|00|V|00|A|00|.|00|T|00|X|00|T|00|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service netbios-ssn; reference:url,www.virustotal.com/file/75371ff38823885b47aa21d2883792a5470e9bf1f3d2dc93f512725f35491820; classtype:trojan-activity; sid:49072; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.Anatova variant detected"; flow:to_server,established; file_data; content:"|44 69 69 25 7C 6A 70 77 25 63 6C 69 60 76 25 64 77 60 25 66 77 7C 75 71 60 61 2B 25 4A 6B 69 7C 25 70 76 25 66 64 6B 25 61 60 66 77 7C 75 71 25 7C 6A 70 77 25 63 6C 69 60 76 29 25 7C 6A 70 25 6B 60 60 61 25 75 64 7C 25 34 35 25 41 44 56 4D 25 6C 6B 25 71 6D 60 25 64 61 61 77 60 76 76 3F 25|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/gui/file/170fb7438316f7335f34fa1a431afc1676a786f1ad9dee63d78c3f5efd3a0ac0; reference:url,www.virustotal.com/gui/file/75371ff38823885b47aa21d2883792a5470e9bf1f3d2dc93f512725f35491820; reference:url,www.virustotal.com/gui/file/97fb79ca6fc5d24384bf5ae3d01bf5e77f1d2c0716968681e79c097a7d95fb93; reference:url,www.virustotal.com/gui/file/ab8a76b64448b943dc96a3e993b6e6b37af27c93738d27ffd1f4c9f96a1b7e69; reference:url,www.virustotal.com/gui/file/bd422f912affcf6d0830c13834251634c8b55b5a161c1084deae1f9b5d6830ce; classtype:trojan-activity; sid:49071; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Anatova variant detected"; flow:to_client,established; file_data; content:"|44 69 69 25 7C 6A 70 77 25 63 6C 69 60 76 25 64 77 60 25 66 77 7C 75 71 60 61 2B 25 4A 6B 69 7C 25 70 76 25 66 64 6B 25 61 60 66 77 7C 75 71 25 7C 6A 70 77 25 63 6C 69 60 76 29 25 7C 6A 70 25 6B 60 60 61 25 75 64 7C 25 34 35 25 41 44 56 4D 25 6C 6B 25 71 6D 60 25 64 61 61 77 60 76 76 3F 25|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/gui/file/170fb7438316f7335f34fa1a431afc1676a786f1ad9dee63d78c3f5efd3a0ac0; reference:url,www.virustotal.com/gui/file/75371ff38823885b47aa21d2883792a5470e9bf1f3d2dc93f512725f35491820; reference:url,www.virustotal.com/gui/file/97fb79ca6fc5d24384bf5ae3d01bf5e77f1d2c0716968681e79c097a7d95fb93; reference:url,www.virustotal.com/gui/file/ab8a76b64448b943dc96a3e993b6e6b37af27c93738d27ffd1f4c9f96a1b7e69; reference:url,www.virustotal.com/gui/file/bd422f912affcf6d0830c13834251634c8b55b5a161c1084deae1f9b5d6830ce; classtype:trojan-activity; sid:49070; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Windows Management Instrumentation manipulation attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"wmic"; fast_pattern; pcre:"/wmic(\.exe)?\s+/i"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1047/; classtype:trojan-activity; sid:49570; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER PowerShell invocation with ExecutionPolicy Bypass attempt"; flow:to_client,established; flowbits:isset,file.exe; content:"powershell"; fast_pattern; content:"bypass"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1086/; classtype:trojan-activity; sid:49569; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.Yatron payload download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"yatronraas@mail.ru"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/#/file/7910b3f3a04644d12b8e656aa4934c59a4e3083a2a9c476bf752dc54192c255b; classtype:trojan-activity; sid:49536; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Yatron payload download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"yatronraas@mail.ru"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/7910b3f3a04644d12b8e656aa4934c59a4e3083a2a9c476bf752dc54192c255b; classtype:trojan-activity; sid:49535; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.Imminent variant download attempt"; flow:to_server,established; file_data; content:"|D9 CF 51 6E 74 71 4C 3B 62 64 6A B1 2F FB 30 25 6A 05 94 7A E4 B1 22 07 32 5D A8 2D 52 4D E7 EA|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/4b4e6ac65aa4105222ad5c80cdf7d42fe2c3535d28546a247ec1985c7a32c844/analysis/; classtype:trojan-activity; sid:49771; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Imminent variant download attempt"; flow:to_client,established; file_data; content:"|D9 CF 51 6E 74 71 4C 3B 62 64 6A B1 2F FB 30 25 6A 05 94 7A E4 B1 22 07 32 5D A8 2D 52 4D E7 EA|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/4b4e6ac65aa4105222ad5c80cdf7d42fe2c3535d28546a247ec1985c7a32c844/analysis/; classtype:trojan-activity; sid:49770; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt"; flow:to_server,established; file_data; content:"_Cr1ptT0r_"; fast_pattern:only; content:"FILES_ENCRYPTED_README"; nocase; content:"cr1ptt0r_privkey.txt"; within:50; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/en/file/9a1de00dbc07271a27cb4806937802007ae5a59433ca858d52678930253f42c1/analysis/; classtype:trojan-activity; sid:49767; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Ransomware.Cr1ptT0r download attempt"; flow:to_client,established; file_data; content:"_Cr1ptT0r_"; fast_pattern:only; content:"FILES_ENCRYPTED_README"; nocase; content:"cr1ptt0r_privkey.txt"; within:50; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/9a1de00dbc07271a27cb4806937802007ae5a59433ca858d52678930253f42c1/analysis/; classtype:trojan-activity; sid:49766; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; flow:to_server,established; file_data; content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,virustotal.com/gui/file/38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; classtype:trojan-activity; sid:49889; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Doc.Dropper.Emotet malicious dropper download attempt"; flow:to_client,established; file_data; content:"rzutBEZO3egDqfR5oJivHw/md8lN6fjshs2"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/gui/file/38e695287e8f00318c9009714baa096011bc690bf697d4f318a11af808d2f4a0/detection; classtype:trojan-activity; sid:49888; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"6|00|7|00|6|00|f|00|6|00|f|00|6|00|4|00|6|00|c|00|7|00|5|00|6|00|3|00|6|00|b|00|"; fast_pattern:only; content:"g|00|o|00|g|00|l|00|e|00|.|00|c|00|o|00|"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/eb33a96726a34dd60b053d3d1048137dffb1bba68a1ad6f56d33f5d6efb12b97/detection; classtype:trojan-activity; sid:49936; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.RogueRobin executable file download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"6|00|7|00|6|00|f|00|6|00|f|00|6|00|4|00|6|00|c|00|7|00|5|00|6|00|3|00|6|00|b|00|"; fast_pattern:only; content:"g|00|o|00|g|00|l|00|e|00|.|00|c|00|o|00|"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/eb33a96726a34dd60b053d3d1048137dffb1bba68a1ad6f56d33f5d6efb12b97/detection; classtype:trojan-activity; sid:49935; rev:1;)
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt"; flow:to_client,established; file_data; content:"|B5 94 70 71 DB 8A 0C 84 E9 19 67 8A 43 E1 FD 31 24 52 4A C9 98 31 ED F4 FA 2F 00 00 00 FF FF 03|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8/detection; classtype:trojan-activity; sid:49934; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER Xls.Dropper.RogueRobin file download attempt"; flow:to_server,established; file_data; content:"|B5 94 70 71 DB 8A 0C 84 E9 19 67 8A 43 E1 FD 31 24 52 4A C9 98 31 ED F4 FA 2F 00 00 00 FF FF 03|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/#/file/513813af1590bc9edeb91845b454d42bbce6a5e2d43a9b0afa7692e4e500b4c8/detection; classtype:trojan-activity; sid:49933; rev:1;)