813 lines
297 KiB
Plaintext
813 lines
297 KiB
Plaintext
# Copyright 2001-2019 Sourcefire, Inc. All Rights Reserved.
|
|
#
|
|
# This file contains (i) proprietary rules that were created, tested and certified by
|
|
# Sourcefire, Inc. (the "VRT Certified Rules") that are distributed under the VRT
|
|
# Certified Rules License Agreement (v 2.0), and (ii) rules that were created by
|
|
# Sourcefire and other third parties (the "GPL Rules") that are distributed under the
|
|
# GNU General Public License (GPL), v2.
|
|
#
|
|
# The VRT Certified Rules are owned by Sourcefire, Inc. The GPL Rules were created
|
|
# by Sourcefire and other third parties. The GPL Rules created by Sourcefire are
|
|
# owned by Sourcefire, Inc., and the GPL Rules not created by Sourcefire are owned by
|
|
# their respective creators. Please see http://www.snort.org/snort/snort-team/ for a
|
|
# list of third party owners and their respective copyrights.
|
|
#
|
|
# In order to determine what rules are VRT Certified Rules or GPL Rules, please refer
|
|
# to the VRT Certified Rules License Agreement (v2.0).
|
|
#
|
|
#------------------------
|
|
# MALWARE-BACKDOOR RULES
|
|
#------------------------
|
|
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Unix.Backdoor.Cdorked backdoor command attempt"; flow:to_server,established; content:"SECID="; fast_pattern:only; content:"SECID="; depth:6; http_cookie; content:"POST"; http_method; pcre:"/^Cookie\x3a\s?SECID=[^\x3b]+?$/mD"; pcre:"/\?[a-f0-9]{4}$/miU"; metadata:impact_flag red, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26529; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin"; flow:to_server,established; content:"macName="; depth:60; http_client_body; content:"&macOS="; within:100; http_client_body; content:"&macMac="; within:200; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26842; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Backdoor.Win32.Neshgai.A runtime detection"; flow:to_server,established; content:".asp?"; nocase; http_uri; content:"SystemInfo-"; fast_pattern:only; http_uri; content:"hostid="; nocase; http_uri; content:"hostname="; nocase; http_uri; content:"hostip="; nocase; http_uri; content:"filename="; nocase; http_uri; content:"filetext="; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/fdbae1ccf6aa82e601584e09b4098dc3874d40d858654e9903628d55c98b07b9/analysis; classtype:trojan-activity; sid:26823; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Trojan.Midwgif.A runtime detection"; flow:to_server,established; content:"loginmid="; fast_pattern; nocase; http_client_body; content:"&nickid="; distance:0; nocase; http_client_body; pcre:"/loginmid=[0-9a-f]{24}&nickid=[^&]+&s=/iP"; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.virustotal.com/file/2c7b0b235c04f9f9392418ebced21b7efeb19550f5e29aee5a13d9f884a31da9/analysis/; classtype:trojan-activity; sid:26773; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.PCRat data upload"; flow:to_server,established; content:"PCRatd"; depth:6; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/669DF9DED24D56997D7B1EA6249BB704226DADA09230DC285AE66CA0C9B7247B/analysis/; classtype:misc-activity; sid:26655; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-BACKDOOR Win.Backdoor.Dulevco.A runtime detection"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"/index.php"; nocase; content:"COMPNAME_END"; nocase; content:"COMPNAME"; within:8; distance:4; nocase; content:"CODE_START"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service smtp; reference:url,www.virustotal.com/en/file/B91D64E9FE35C0B2164239E751F353CCCE861A718FAEF5E4D4887DB7BAD0BAEC/analysis/; classtype:trojan-activity; sid:26611; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Dulevco.A runtime detection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"/index.php"; nocase; content:"COMPNAME_END"; nocase; content:"COMPNAME"; within:8; distance:4; nocase; content:"CODE_START"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/B91D64E9FE35C0B2164239E751F353CCCE861A718FAEF5E4D4887DB7BAD0BAEC/analysis/; classtype:trojan-activity; sid:26610; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Jokra dropper download"; flow:to_client,established; content:"|05 C4 89 84 24 70 1A 30 5B 82 44 8D 79 22 75 04 67 09 4E 33 7B|"; fast_pattern:only; file_data; content:"|93 4C C8 83 0C B8 72 42 06 39 F4 02 84 DB 02 F8 CE 80 1C|"; nocase; content:"UPX!"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/422c767682bee719d85298554af5c59cf7e48cf57daaf1c5bdd87c5d1aab40cc/analysis/; classtype:trojan-activity; sid:26332; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Windows vernot download"; flow:to_client,established; content:"|2F|res|2F 7C|1|7C|2|7C|3|7C|4|7C|5|7C|5|7C|5|7C|6|7C|5|7C|7|7C|8|7C|9|7C|10|7C|1|7C|5|7C|11|7C|12|7C|700|7C|"; fast_pattern:only; file_data; content:"|7C 5B|Z/1413617015|7C|com.evernote.edam.type.NoteAttributes/3819593128|7C 5B|B/3308590456|7C|"; content:"&targetUrl=%2FHome.action&targetUrl=%2FHome.action&login=%E7%99%BB%E5%BD%95&_sourcePage="; content:"$_$Today is a very important day for me.$"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/e21921abd435f1523f41a040b8423f123487c1d9e8e5443ee219589ad8235e63/analysis/; classtype:trojan-activity; sid:26328; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR DarkSeoul related wiper"; flow:to_client,established; content:"JO840112-CRAS8468-11150923-PCI8273V"; fast_pattern:only; file_data; content:"|5F 0F 94 C0 5E C9 C3 53 56 8B 74 24 0C 33 DB 57 39 1E 7E 19 8D BE 78 01 00 00 FF 37 56 FF 96 A0|"; content:"taskkill /F /IM pasvc.exe"; content:"GIt%"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/510f83af3c41f9892040a8a80b4f3a4736eebee2ec4a7d4bfee63dbe44d7ecff/analysis/; classtype:trojan-activity; sid:26326; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"MALWARE-BACKDOOR possible Htran setup command - tran"; flow:to_client,established; content:"|2D 00 74 00 72 00 61 00 6E 00|"; fast_pattern:only; pcre:"/\x2D\x00\x74\x00\x72\x00\x61\x00\x6E\x00(\x20\x00){1,3}([0-9]\x00){1,5}(\x20\x00){1,3}([a-z0-9\x2D\x2E]\x00){2,256}(\x20\x00){1,3}([0-9]\x00){1,5}/i"; metadata:impact_flag red, policy security-ips drop, service netbios-ssn; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/htran/; classtype:trojan-activity; sid:25284; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"MALWARE-BACKDOOR possible Htran setup command - slave"; flow:to_client,established; content:"|2D 00 73 00 6C 00 61 00 76 00 65 00|"; fast_pattern:only; pcre:"/\x2D\x00\x73\x00\x6C\x00\x61\x00\x76\x00\x65\x00(\x20\x00){1,3}([a-z0-9\x2D\x2E]\x00){2,256}(\x20\x00){1,3}([0-9]\x00){1,5}(\x20\x00){1,3}([a-z0-9\x2D\x2E]\x00){2,256}(\x20\x00){1,3}([0-9]\x00){1,5}/i"; metadata:impact_flag red, policy security-ips drop, service netbios-ssn; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/htran/; classtype:trojan-activity; sid:25283; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 445 -> $HOME_NET any (msg:"MALWARE-BACKDOOR possible Htran setup command - listen"; flow:to_client,established; content:"-|00|l|00|i|00|s|00|t|00|e|00|n"; fast_pattern:only; pcre:"/-\x00l\x00i\x00s\x00t\x00e\x00n\x00(\x20\x00){1,3}([0-9]\x00){1,5}\x20\x00([0-9]\x00){1,5}\x20\x00/i"; metadata:impact_flag red, policy security-ips drop, service netbios-ssn; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/htran/; classtype:trojan-activity; sid:25282; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Htran banner"; flow:to_client,established; content:"===== HUC Packet Transmit Tool"; fast_pattern:only; metadata:policy security-ips drop, service ircd; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/htran/; classtype:trojan-activity; sid:25281; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR possible Htran setup command - tran"; flow:to_server,established; content:"|20|-tran"; fast_pattern:only; pcre:"/\x20{1,3}\x2dtran\x20{1,3}\d{1,5}\x20{1,3}[a-z0-9\-\.]{1,128}\x20{1,3}\d{1,5}/i"; metadata:impact_flag red, policy security-ips drop; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/htran/; classtype:trojan-activity; sid:25280; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR possible Htran setup command - slave"; flow:to_server,established; content:"|20|-slave"; fast_pattern:only; pcre:"/\x20{1,3}\x2dslave\x20{1,3}[a-z0-9\-\.]{1,128}\x20{1,3}\d{1,5}/i"; metadata:impact_flag red, policy security-ips drop; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/htran/; classtype:trojan-activity; sid:25279; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR possible Htran setup command - listen"; flow:to_server,established; content:"|20|-listen"; fast_pattern:only; pcre:"/\x20\x2dlisten\x20{1,3}\d{1,5}\x20{1,3}\d{1,5}/i"; metadata:impact_flag red, policy security-ips drop; reference:url,www.secureworks.com/cyber-threat-intelligence/threats/htran/; classtype:trojan-activity; sid:25278; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [6666:7000] (msg:"MALWARE-BACKDOOR UnrealIRCd backdoor command execution attempt"; flow:to_server,established; isdataat:!200; content:"AB|3B|"; depth:3; metadata:impact_flag red, service irc; reference:bugtraq,40820; reference:cve,2010-2075; reference:url,attack.mitre.org/techniques/T1065; reference:url,www.unrealircd.com/txt/unrealsecadvisory.20100612.txt; classtype:attempted-admin; sid:25106; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"MALWARE-BACKDOOR Arucer backdoor traffic - NOP command attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E D2 DD D6 A0 A4 A6 A7 A3 C8 A0 A3 DD A7 C8 D1 DC DD 80 C8 A4 D5 D0 DC C8 A3 D5 A7 D0 A7 A1 D4 D7 D3 D1 D4 A0 98 E5|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/#/file/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf/detection; classtype:trojan-activity; sid:25015; rev:2;)
|
|
# alert tcp $HOME_NET 6116 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR am remote client runtime detection - client response"; flow:to_client,established; flowbits:isset,AM_Remote_Client; content:"|35 01 02|"; depth:3; content:"|01 02|Internet Explorer|01 02|"; fast_pattern:only; metadata:impact_flag red; reference:url,www.megasecurity.org/trojans/a/amrc/Amrc1.1.html; classtype:trojan-activity; sid:24545; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.Spy.Heur variant outbound connection attempt"; flow:to_server,established; content:"bot.php"; nocase; http_uri; content:"User-Agent|3A| Opera/9.80|0D 0A|"; fast_pattern:only; http_header; pcre:"/bot\.php.*?[?&](keep=newkeep|log=\*)/iU"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/3030d86899568e13bbddca7aced8a3edb0dd891b70962a81007da3f8a5eadb47/analysis/; classtype:trojan-activity; sid:24540; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.Ransomlock runtime detection"; flow:to_server,established; content:"?id="; http_uri; content:"&cmd=img"; within:8; distance:20; http_uri; pcre:"/\?id=[A-Z0-9]{20}&cmd=img/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/f9aafe67d4afe9526c1033fbfc861484105be3f09bdef92d911311f96ed05e4b/analysis; classtype:trojan-activity; sid:24530; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-BACKDOOR Trojan.KDV.QLO runtime detection"; flow:to_server,established; content:"|7C|Disponible"; fast_pattern:only; pcre:"/\d{1,8}\x7c.+ \x5b\d{1,2}(\x3a\d{1,2}){2} [AP]M\x2d(\d{1,2}\x2f){2}\d{4}\x5d\x7cDisponible/m"; metadata:impact_flag red; reference:url,www.virustotal.com/file/58828c6582c57e995dc3ce4b561f6b9727a117b5f13aba772dfb6fe9e86ab4ed/analysis/; classtype:trojan-activity; sid:24404; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-BACKDOOR Trojan.KDV.QLO runtime detection"; flow:to_server,established; content:"|7C|Inactivo"; fast_pattern:only; pcre:"/\d{1,8}\x7c.+ \x5b\d{1,2}(\x3a\d{1,2}){2} [AP]M\x2d(\d{1,2}\x2f){2}\d{4}\x5d\x7cInactivo/m"; metadata:impact_flag red; reference:url,www.virustotal.com/file/58828c6582c57e995dc3ce4b561f6b9727a117b5f13aba772dfb6fe9e86ab4ed/analysis/; classtype:trojan-activity; sid:24403; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-BACKDOOR Trojan.KDV.QLO install time detection"; flow:to_server,established; content:"|7C|FrogRAT"; depth:32; pcre:"/^.{1,32}\|.{1,32}\|.{1,64}@.{1,64}\|.{1,32}\|.{1,5}\|/msR"; metadata:impact_flag red; reference:url,www.virustotal.com/file/58828c6582c57e995dc3ce4b561f6b9727a117b5f13aba772dfb6fe9e86ab4ed/analysis/; classtype:trojan-activity; sid:24402; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-BACKDOOR Backdoor.Win32.Protos.A runtime detection"; flow:to_server,established; content:"|78 DA 72 0E 0F 0E 08 F2 0F 31 32 E0 E5 02 00 00 00 FF FF|"; depth:19; metadata:impact_flag red; reference:url,www.virustotal.com/file/694944854cbac0d6c3db19f29431a32b8eb53767ab81fdba63db45bc69f48ed0/analysis/; classtype:trojan-activity; sid:24400; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Trojan.FakeAV.FakeAlert runtime detection"; flow:to_server,established; content:"?0="; http_uri; content:"&1="; distance:0; http_uri; content:"&2=1"; distance:0; http_uri; content:"&3="; distance:0; http_uri; pcre:"/0=\d+&1=\d&2=1&3=\d+&4=i&5=\d+&6=\d+&7=\d+&8=\S{0,16}&9=\d+&10=\S+&11=1111&12=\S{10}&14=\d/iU"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/19eb78edb2aa13959a5a621744168bdb8e29b2ba4b7c91efe0f7e34060eabc4e/analysis/; classtype:trojan-activity; sid:24377; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Trojan.Delf.KDV runtime detection"; flow:to_server,established; content:"=eNoLD4n38XePd3f1AwAR1gMm&"; fast_pattern:only; http_client_body; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/e72ad87d53790bee9e7e59eed134443e89 51b713750873528699e303e195dfd9/analysis/; classtype:trojan-activity; sid:24376; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Trojan-Downloader.Win32.Doneltart.A runtime detection"; flow:to_server,established; content:!"User-Agent|3A|"; http_header; content:"open="; nocase; http_uri; content:"myid"; distance:0; nocase; http_uri; pcre:"/\?open=((stage|myid)|[^&]+&myid=)/iU"; metadata:impact_flag red, service http; reference:url,www.virustotal.com/file/3e28f52647637fd98779e50677ed56ca536ac1659816f15b489aafe39bcbf2f9/analysis/; classtype:trojan-activity; sid:24173; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Virus.Win32.Xpaj.A variant outbound connection"; flow:to_server,established; content:"Accept-Encoding|3A|"; nocase; http_header; content:"deflate"; distance:0; nocase; http_header; pcre:"/\x2F[0-9a-zA-Z]{4,9}\x3F[0-9a-zA-Z]{10,40}\x3D[0-9a-zA-Z]{10,40}([\x26\x3D][0-9a-zA-Z]{10,40}){0,10}/iU"; content:"filename="; fast_pattern:only; http_client_body; pcre:"/^filename=[a-z]{3,7}\x2E[a-z]{3}\x26data\x3D.{0,32}[^\x20-\x7E]/iP"; metadata:service http; reference:url,www.virustotal.com/#/file/d5c12fcfeebbe63f74026601cd7f39b2/detection; classtype:trojan-activity; sid:24123; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; depth:3; nocase; content:"/DES"; within:4; distance:1; fast_pattern; nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24122; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/DES"; fast_pattern; nocase; http_uri; pcre:"/\/DES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24121; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; depth:3; nocase; content:"/SUS"; within:4; distance:1; fast_pattern; nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24120; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/SUS"; fast_pattern; nocase; http_uri; pcre:"/\/SUS\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24119; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; depth:3; nocase; content:"/ZES"; within:4; distance:1; fast_pattern; nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24118; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/ZES"; fast_pattern; nocase; http_uri; pcre:"/\/ZES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24117; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; depth:3; nocase; content:"/AES"; within:4; distance:1; fast_pattern; nocase; pcre:"/^\d+O\d+\.jsp\?[a-z0-9\x3d\x2b\x2f]{20}/iR"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24116; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Demtranc variant outbound connection"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/AES"; fast_pattern; nocase; http_uri; pcre:"/\/AES\d+O\d+\.jsp\?[a-z0-9=\x2b\x2f]{20}/iU"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/b3a97be4160fb261e138888df276f9076ed76fe2efca3c71b3ebf7aa8713f4a4/analysis/; classtype:trojan-activity; sid:24115; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Georbot file download"; flow:to_client,established; file_data; flowbits:isset,file.exe; content:"|55 89 E5 83 EC 1C 80 3D F7 B7 40 00 00 74 0B 68 95 0E 41 00|"; fast_pattern:only; content:"|FF 15 EC 90 40 00 FF 75 08 FF 15 34 91 40 00 89 45 F4 83 C0|"; content:"|3C 8B 00 03 45 F4 89 45 F0 8B 45 F0 8B 40 78 03 45 F4 8B 58|"; within:20; content:"|20 03 5D F4 89 5D E4 8B 40 18 89 45 EC 8B 45 F0 8B 40 78 03|"; within:20; content:"|45 F4 8B 58 1C 03 5D F4 89 5D E8 8B 45 F0 8B 40 78 03 45 F4|"; within:20; content:"|8B 58 24 03 5D F4 89 5D F8 6A 00 C1 C9 04 59 C6 05 72 9C 40|"; within:20; content:"|00 00|"; within:2; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/file/d7551c07bce29757996b35bdd3bfcecdb3f10aa6807b22a95bea41f6c92e4f1a/analysis/; classtype:trojan-activity; sid:23483; rev:7;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET [53,443,9000] (msg:"MALWARE-BACKDOOR Win.Trojan.Thoper.C runtime detection"; flow:to_server,no_stream; content:"|30 00|"; depth:2; content:"|00 00|"; within:2; distance:2; content:"|C0 A8 02 85 00 04 00 00 00 10 00 00 32 00 00 00|"; within:16; distance:2; detection_filter:track by_src, count 5, seconds 60; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fThoper.C; classtype:trojan-activity; sid:23381; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-BACKDOOR Win.Backdoor.Tinrot.A runtime detection"; flow:to_server,established; content:"|A0 00 00 00|"; depth:4; content:"|98 00 00 00|"; within:4; distance:4; isdataat:163; isdataat:!164; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/#/file/e181424c4fb8bcde4aae154bf3ecb14d/detection; classtype:trojan-activity; sid:23341; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"MALWARE-BACKDOOR Spindest.A runtime detection - initial connection"; flow:to_server,established; content:"|00 01 2A 02 00 08 0C 12 14|AKAAA|02 00 0A|"; depth:17; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fSpindest.A; classtype:trojan-activity; sid:23338; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Agent variant outbound connection"; flow:to_server,established; content:"Extra-Data-Bind|3A|"; nocase; http_header; content:"Extra-Data-Space|3A|"; nocase; http_header; content:"Extra-Data|3A|"; nocase; http_header; pcre:"/^\/\d+$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/file/4d6c4f5f0525d07b1454283ee1f1a166528f1edc208d10de9d3ce80d021c8fa3/analysis/; classtype:trojan-activity; sid:22095; rev:5;)
|
|
# alert tcp $EXTERNAL_NET 5447 -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Nervos variant inbound connection"; flow:to_client,established; flowbits:isset,trojan.nervos; content:"|02 00 65 00 00 00 44 76|"; depth:8; content:"|55 4B 59 62 08 30 F0|"; distance:0; metadata:impact_flag red; classtype:trojan-activity; sid:21979; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5447 (msg:"MALWARE-BACKDOOR Win.Backdoor.Nervos variant outbound connection"; flow:to_server,established; content:"|01 01|"; depth:2; content:"|00 00|"; depth:2; offset:62; pcre:"/^((\x82\x01)|(\xe6\x01)|(\x4a\x02)|(\x98\x08)|(\xd8\x21))\x00\x00/R"; flowbits:set,trojan.nervos; metadata:impact_flag red; classtype:trojan-activity; sid:21978; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Pinit variant outbound connection"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/gate/r.php"; nocase; http_uri; pcre:"/^\??s=[^\r\n]*q[^\r\n]*d\d+l\d+t\d+/Pi"; metadata:service http; reference:url,www.virustotal.com/file-scan/report.html?id=43a6f707cdc2a0f2e567308c7c6494c5; classtype:trojan-activity; sid:21977; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.ZZSlash runtime detection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"GH0STC"; content:"GH0STC"; within:200; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/11906a9c342f840ffa01e1aeb411cf1a/detection; classtype:trojan-activity; sid:21973; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6040 (msg:"MALWARE-BACKDOOR Win.Backdoor.ZZSlash variant outbound connection"; flow:to_server,established; dsize:>19; content:"|14 00 00 00|"; depth:4; content:"|00 01|"; within:2; distance:14; reference:url,www.virustotal.com/#/file/11906a9c342f840ffa01e1aeb411cf1a/detection; classtype:trojan-activity; sid:21972; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Zlob.P variant inbound connection"; flow:to_client,established; flowbits:isset,trojan.zlob; file_data; content:"|2F 25 28|"; depth:3; metadata:service http; reference:url,www.virustotal.com/#/file/c751fd8e35b46c8a6d570b928774573b/detection; classtype:trojan-activity; sid:21971; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Zlob.P variant outbound connection"; flow:to_server,established; content:"/bsfb.php"; nocase; http_uri; content:"%##+t"; depth:5; http_client_body; flowbits:set,trojan.zlob; metadata:service http; reference:url,www.virustotal.com/#/file/c751fd8e35b46c8a6d570b928774573b/detection; classtype:trojan-activity; sid:21970; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET [82,1087] (msg:"MALWARE-BACKDOOR Win.Backdoor.Rebhip.A variant outbound connection type B"; flow:to_server,established; content:"|70 C0 E4 28 02 26 11 3C 63 2F 8F 76 B4 55 DA 05|"; fast_pattern:only; metadata:impact_flag red; classtype:trojan-activity; sid:21969; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET [82,1087] (msg:"MALWARE-BACKDOOR Win.Backdoor.Rebhip.A variant outbound connection type A"; flow:to_server,established; content:"32|7C 0A|"; depth:4; metadata:impact_flag red; classtype:trojan-activity; sid:21968; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Rebhip.A runtime detection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|5F 78 5F 58 5F 42 4C 4F 43 4B 4D 4F 55 53 45 5F 58 5F 78 5F|"; fast_pattern:only; content:"|5F 78 5F 58 5F 55 50 44 41 54 45 5F 58 5F 78 5F|"; content:"|5F 78 5F 58 5F 50 41 53 53 57 4F 52 44 4C 49 53 54 5F 58 5F 78 5F|"; distance:0; metadata:service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/d3ef727eb86c4bdde8e64800e600d3f4/detection; classtype:trojan-activity; sid:21967; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR ToolsPack PHP Backdoor access"; flow:to_server,established; content:"plugins/ToolsPack/ToolsPack.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html; classtype:web-application-attack; sid:21550; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1160 (msg:"MALWARE-BACKDOOR Win.Backdoor.Zegost.B runtime detection"; flow:to_server,established; content:"cb1st"; depth:5; nocase; reference:url,www.virustotal.com/file/28c970dc4fb40e7da843c7ceb0475b995b827ce451283b1377f18528f66982ad/analysis/; classtype:trojan-activity; sid:21512; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2008 (msg:"MALWARE-BACKDOOR BRX Rat 0.02 inbound connection"; flow:to_server,established; content:"informacoes"; depth:11; nocase; reference:url,www.virustotal.com/en/file/bfa9a810230949bfbd12a41f7da826d432694fab5f8b81ed6f083d4b4c56a6e5/analysis/; classtype:trojan-activity; sid:19930; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2008 (msg:"MALWARE-BACKDOOR BRX Rat 0.02 inbound connection"; flow:to_server,established; content:"<GETDRIVERS>"; depth:12; nocase; reference:url,www.virustotal.com/en/file/bfa9a810230949bfbd12a41f7da826d432694fab5f8b81ed6f083d4b4c56a6e5/analysis/; classtype:trojan-activity; sid:19929; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2008 (msg:"MALWARE-BACKDOOR BRX Rat 0.02 inbound connection"; flow:to_server,established; content:"<LISTPROCE>"; depth:11; nocase; reference:url,www.virustotal.com/en/file/bfa9a810230949bfbd12a41f7da826d432694fab5f8b81ed6f083d4b4c56a6e5/analysis/; classtype:trojan-activity; sid:19928; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2008 (msg:"MALWARE-BACKDOOR BRX Rat 0.02 inbound connection"; flow:to_server,established; content:"keylogger_on"; depth:12; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/bfa9a810230949bfbd12a41f7da826d432694fab5f8b81ed6f083d4b4c56a6e5/analysis/; classtype:trojan-activity; sid:19927; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.GGDoor.22 variant outbound connection"; flow:to_server,established; content:"/appsvc/appmsg4.asp?fmnumber="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/050df1a6cfafab164c7d8c10dd38c6a72145bedde19551a34ae02c0cdde607f1/analysis/; classtype:trojan-activity; sid:19747; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.Agent.bhxn variant outbound connection"; flow:to_server,established; dsize:780; content:"C601"; depth:7; offset:16; fast_pattern; nocase; content:"|9C 00 00 00|"; within:4; distance:28; content:"|00 00 00|"; within:3; distance:1; metadata:impact_flag red, service http; reference:url,www.securelist.com/en/descriptions/10329508/Win.Backdoor.Agent.bhxn; classtype:trojan-activity; sid:19354; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.Buterat Checkin"; flow:to_server,established; content:"User-Agent|3A| Explorer|0D 0A|"; fast_pattern:only; http_header; metadata:service http; reference:url,www.malware-control.com/statics-pages/7d27068f2b9106b74ca11d537ae2b3de.php; reference:url,www.totalmalwareinfo.com/eng/Win.Backdoor.Buterat.afj; classtype:trojan-activity; sid:19135; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"MALWARE-BACKDOOR Arucer backdoor traffic - write file attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E DC DD A1 DC D0 DD A3 A6 C8 A1 D5 A4 D7 C8 D1 83 D4 86 C8 A7 DD D1 D4 C8 D7 D6 D7 A4 A7 D6 D0 D2 A0 D2 A6 DD 98 E5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/#/file/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf/detection; classtype:trojan-activity; sid:16488; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"MALWARE-BACKDOOR Arucer backdoor traffic - yes command attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E A0 D7 A4 A6 D0 D5 DD DC C8 D6 DD D7 D5 C8 D1 D6 83 80 C8 DD A4 D1 A1 C8 A4 D2 D5 D7 DD A3 A4 A1 DD A6 D7 DD 98 E5|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/#/file/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf/detection; classtype:trojan-activity; sid:16487; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777 (msg:"MALWARE-BACKDOOR Arucer backdoor traffic - command execution attempt"; flow:to_server,established; content:"|C2 E5 E5 E5 9E DD A4 A3 D4 A6 D4 D3 D1 C8 A0 A7 A1 D3 C8 D1 87 D7 87 C8 A7 A6 D4 A3 C8 D3 D1 D3 D2 D1 A0 DC DD A4 D2 D4 D5 98 E5|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:cve,2010-0103; reference:url,www.virustotal.com/#/file/1c7f6f75617dd69a68d60224277a17f0720e7d68e4d321b7ae246f9c7dd2cfcf/detection; classtype:trojan-activity; sid:16486; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.delf.jwh runtime detection"; flow:to_server,established; content:"/wm.php"; nocase; content:"ver="; distance:0; nocase; content:"MAX_EXECUTE_TIME="; distance:0; nocase; content:"RELOAD_JOBS="; distance:0; nocase; content:"BROWSER_DELAY="; distance:0; nocase; content:"CONTROL_PAGE="; distance:0; nocase; content:"lastlogcount="; distance:0; nocase; content:"REPORTS_PAGE="; distance:0; nocase; content:"TICKETS_PAGE="; distance:0; nocase; content:"botid="; distance:0; nocase; content:"REG_NAME="; distance:0; nocase; content:"botlogin="; distance:0; nocase; metadata:service http; reference:url,www.emsisoft.com/en/malware/?Win.Backdoor.Delf.jwh; classtype:trojan-activity; sid:16092; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR evilotus 1.3.2 runtime detection - init connection"; flow:to_client,established; flowbits:set,Evilotus_detection; content:"|0C|~|7F D8 13 00 00 00|d|C8 00 00 0B 00 00 00 07 00 00 00 80 E7 03 0C|~|7F D8|"; depth:27; flowbits:noalert; classtype:trojan-activity; sid:13506; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR yuri 1.2 runtime detection - init connection"; flow:to_client,established; content:"Req_Conn"; depth:8; nocase; flowbits:set,Yuri_1_2_detection; flowbits:noalert; classtype:trojan-activity; sid:13247; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR troya 1.4 inbound connection"; flow:to_client,established; content:"Welcome to Troya"; fast_pattern:only; pcre:"/\x3Ctitle\x3ETroya\s+\x2D\s+by\s+Sma\s+Soft\x3C\x2Ftitle\x3E/smi"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Troya&threatid=41533; classtype:trojan-activity; sid:13246; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bandook 1.35 runtime detection"; flow:to_client,established; flowbits:isset,Bandook135_detection; content:"|CF AB A8 A7 AE CF|"; depth:6; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Bandook&threatid=40408; classtype:trojan-activity; sid:12727; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bandook 1.35 runtime detection"; flow:to_server,established; content:"|CF 8F 80 9B 9A 9D CF C9 CA C9 D9 8D C9|"; depth:13; flowbits:set,Bandook135_detection; flowbits:noalert; classtype:trojan-activity; sid:12726; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dark moon 4.11 runtime detection"; flow:to_server,established; flowbits:isset,DarkMoon411_detection; content:"1bsrCwE93uxp"; depth:12; reference:url,www.spywareguide.com/spydet_2745_dark_moon.html; classtype:trojan-activity; sid:12725; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dark moon 4.11 runtime detection"; flow:to_client,established; content:"1DbsLbE3i/MBQu9Z"; depth:16; flowbits:set,DarkMoon411_detection; flowbits:noalert; classtype:trojan-activity; sid:12724; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR poison ivy 2.3.0 runtime detection - init connection"; flow:to_server,established; flowbits:isset,PoisonIvy2.3.0_initDetection; content:"|E0 F5|=|C1 F0 EA 15 DB|C>e|F8 9B E2 14 BA|"; depth:16; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=PoisonIvy&threatid=43179; classtype:trojan-activity; sid:12700; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR poison ivy 2.3.0 runtime detection - init connection"; flow:to_client,established; content:"|B9 E1 A5|~|C7 B7 82|n|22|n|0B CB FD|w|ED|I"; depth:16; flowbits:set,PoisonIvy2.3.0_initDetection; flowbits:noalert; classtype:trojan-activity; sid:12699; rev:5;)
|
|
# alert tcp $HOME_NET 7323 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Sygate Remote Administration Engine"; flow:established,to_client; content:"SyGate |0A|"; depth:8; nocase; reference:bugtraq,952; reference:cve,2000-0113; reference:url,marc.info/?l=bugtraq&m=94934808714972&w=2; classtype:misc-activity; sid:12684; rev:4;)
|
|
# alert tcp $HOME_NET 10110 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Versi TheTheef Detection"; flow:established,to_server; content:"VERSI |28|TheTheef|29|"; depth:16; nocase; classtype:misc-activity; sid:12675; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR shark 2.3.2 runtime detection"; flow:to_client,established; flowbits:isset,sharK_2.3.2_detection; content:"F|15 1D|K|80|?|03 00 01 09|5"; depth:11; reference:url,www.2-spyware.com/remove-shark-trojan.html; reference:url,www.megasecurity.org/trojans/s/shark/Shark0.5.html; reference:url,www.spywaredb.com/remove-shark-trojan/; classtype:trojan-activity; sid:12378; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR shark 2.3.2 runtime detection"; flow:to_server,established; content:"F|15 1D|"; depth:3; flowbits:set,sharK_2.3.2_detection; flowbits:noalert; classtype:trojan-activity; sid:12377; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR radmin 3.0 runtime detection - login & remote control"; flow:to_client,established; flowbits:isset,Radmin3.0_login_detection; content:"|01 00 00 00 05 00 00 00|''|00 00 00 00|"; depth:14; reference:url,www.econsultant.com/spyware-database/r/radmin-3-0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096740; classtype:trojan-activity; sid:12376; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR radmin 3.0 runtime detection - login & remote control"; flow:to_server,established; content:"|01 00 00 00 05 00 00 02|''|02 00 00 00|"; depth:14; flowbits:set,Radmin3.0_login_detection; flowbits:noalert; classtype:trojan-activity; sid:12375; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR radmin 3.0 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,Radmin3.0_conn_detection; content:"|01 00 00 00|%|00 00 02 12 08 02 00 00 0A 00 00|"; depth:16; reference:url,www.econsultant.com/spyware-database/r/radmin-3-0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453096740; classtype:trojan-activity; sid:12374; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR radmin 3.0 runtime detection - initial connection"; flow:to_server,established; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; flowbits:set,Radmin3.0_conn_detection; flowbits:noalert; classtype:trojan-activity; sid:12373; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bifrost v1.2.1 runtime detection"; flow:to_server,established; flowbits:isset,Bifrost_v1.2.1_detection; content:"|00 00 00 9B|O|B0|h|FE|j|9A 1C|"; depth:11; offset:1; reference:url,www.spywareguide.com/spydet_1464_bifrose.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453114444; classtype:trojan-activity; sid:12298; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bifrost v1.2.1 runtime detection"; flow:to_client,established; content:"|05 00 00 00 BC|"; depth:5; content:"|CC|"; within:1; distance:3; flowbits:set,Bifrost_v1.2.1_detection; flowbits:noalert; classtype:trojan-activity; sid:12297; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR furax 1.0 b3 runtime detection"; flow:to_client,established; content:"|03 00 1C 00 00 00 00 00 01|Furax"; depth:14; nocase; content:"1.0b3"; distance:0; nocase; content:"Server|00|"; distance:0; nocase; pcre:"/^\x03\x00\x1c\x00\x00\x00\x00\x00\x01Furax\s+1\x2E0b3\s+Server\x00/smi"; reference:url,www.megasecurity.org/trojans/f/furax/Furax1.0b3.html; classtype:trojan-activity; sid:12245; rev:4;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR itadem trojan 3.0 runtime detection"; flow:to_client,established; file_data; content:"<title>ItAdEm Trojan Server</title>"; fast_pattern:only; metadata:service http; reference:url,www.antispyware.com/glossary_details.php?ID=2059; reference:url,www.megasecurity.org/trojans/i/itadem/Itadem3.0.html; classtype:trojan-activity; sid:12244; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection"; flow:to_client,established; flowbits:isset,HotmailHackerLogEdition5.0_detection; content:"|C0|STATUS|C0|Server"; depth:14; nocase; content:"Keylogging"; distance:0; nocase; content:"Started!"; distance:0; nocase; pcre:"/^\xc0STATUS\xc0Server\s\x3A\sKeylogging\sStarted\!$/smi"; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453075158; reference:url,www.spywareguide.com/spydet_935_hotmail_hacker_x_edition.html; classtype:trojan-activity; sid:12243; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR hotmail hacker log edition 5.0 runtime detection - init connection"; flow:to_server,established; content:"Start"; depth:5; nocase; pcre:"/^Start$/smi"; flowbits:set,HotmailHackerLogEdition5.0_detection; flowbits:noalert; classtype:trojan-activity; sid:12242; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR genie 1.7 runtime detection - init connection"; flow:to_client,established; flowbits:isset,Genie1.7_detection; content:"|1B|[2J|0D 0A| "; depth:7; content:"Genie"; distance:0; nocase; content:"v1.7"; distance:0; nocase; reference:url,www.megasecurity.org/trojans/g/genie/Genie1.7.html; classtype:trojan-activity; sid:12241; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR genie 1.7 runtime detection - init connection"; flow:to_client,established; content:"|1B|[2J|0D 0A| "; depth:7; content:"Hello"; nocase; content:"my"; distance:0; nocase; content:"master"; distance:0; nocase; content:"waiting"; distance:0; nocase; content:"for"; distance:0; nocase; content:"your"; distance:0; nocase; content:"commands"; distance:0; nocase; flowbits:set,Genie1.7_detection; flowbits:noalert; classtype:trojan-activity; sid:12240; rev:3;)
|
|
# alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR webcenter v1.0 Backdoor - init connection"; flow:to_client,established; file_data; content:"Web Center|3A|"; nocase; http_header; content:"Nom de l ordinateur|3A|"; nocase; http_header; metadata:service http; reference:url,www.megasecurity.org/trojans/w/webcenter/Webcenter1.0.html; classtype:trojan-activity; sid:12239; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR theef 2.10 runtime detection - ftp"; flow:to_server,established; flowbits:isset,Theef210_TheefFTP; content:"Theef2.10_"; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-071209-4425-99; classtype:trojan-activity; sid:12238; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR theef 2.10 runtime detection - ftp"; flow:to_client,established; content:"Theef2"; content:"FTP"; distance:0; content:"Server"; distance:0; pcre:"/Theef2\s+FTP\s+Server\x3A/"; flowbits:set,Theef210_TheefFTP; flowbits:noalert; classtype:trojan-activity; sid:12237; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR theef 2.10 runtime detection - connect with password"; flow:to_server,established; flowbits:isset,Theef210_Connectionwithpassword; content:"|FA CB D9 D9 EB DE DE D6|"; depth:8; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-071209-4425-99; classtype:trojan-activity; sid:12236; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR theef 2.10 runtime detection - connect with password"; flow:to_client,established; content:"|FA CB D9 D9 DD C5 D8 CE D6|"; depth:9; flowbits:set,Theef210_Connectionwithpassword; flowbits:noalert; classtype:trojan-activity; sid:12235; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR theef 2.10 runtime detection - connect with no password"; flow:to_client,established; flowbits:isset,Theef210_Connectionwithnopassword; content:"|FC CF D8 D6 98 84 9B 9A|"; depth:8; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2002-071209-4425-99; classtype:trojan-activity; sid:12234; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR theef 2.10 runtime detection - connect with no password"; flow:to_client,established; content:"|FA CB D9 D9 E5 E1 D6|"; depth:7; flowbits:set,Theef210_Connectionwithnopassword; flowbits:noalert; classtype:trojan-activity; sid:12233; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1357 (msg:"MALWARE-BACKDOOR cobra uploader 1.0 runtime detection"; flow:to_server,established; flowbits:isset,CobraUploader1.0_detection; content:"filebhejdai|7C|"; depth:12; reference:url,www.megasecurity.org/trojans/b/blackcobra/Blackcobra_uploader1.0.html; classtype:trojan-activity; sid:12164; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1357 (msg:"MALWARE-BACKDOOR cobra uploader 1.0 runtime detection"; flow:to_server,established; content:"DIR"; depth:3; offset:3; pcre:"/^(SYS|WIN)DIR$/sm"; flowbits:set,CobraUploader1.0_detection; flowbits:noalert; classtype:trojan-activity; sid:12163; rev:3;)
|
|
# alert tcp $HOME_NET 503 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - screen capturing"; flow:to_client,established; flowbits:isset,OptixPROv1.32Screencapture_detection2; content:"SizeIs|AC|"; depth:11; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12162; rev:5;)
|
|
# alert tcp $HOME_NET 503 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - screen capturing"; flow:to_client,established; flowbits:isset,OptixPROv1.32Screencapture_detection1; content:" |0D 0A|"; depth:3; flowbits:set,OptixPROv1.32Screencapture_detection2; flowbits:noalert; classtype:trojan-activity; sid:12161; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 503 (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - screen capturing"; flow:to_server,established; content:"SendACap|AC|"; depth:9; flowbits:set,OptixPROv1.32Screencapture_detection1; flowbits:noalert; classtype:trojan-activity; sid:12160; rev:3;)
|
|
# alert tcp $HOME_NET 502 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - keylogging"; flow:to_client,established; content:"inc|AC|"; depth:4; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12159; rev:6;)
|
|
# alert tcp $HOME_NET 501 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - upload file"; flow:to_client,established; flowbits:isset,OptixPROv1.32Upload_detection2; content:"FileSizeIs|AC|"; depth:11; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12158; rev:4;)
|
|
# alert tcp $HOME_NET 501 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - upload file"; flow:to_client,established; flowbits:isset,OptixPROv1.32Upload_detection1; content:" |0D 0A|"; depth:3; flowbits:set,OptixPROv1.32Upload_detection2; flowbits:noalert; classtype:trojan-activity; sid:12157; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 501 (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - upload file"; flow:to_server,established; content:"InfoOn|AC|"; depth:7; flowbits:set,OptixPROv1.32Upload_detection1; flowbits:noalert; classtype:trojan-activity; sid:12156; rev:3;)
|
|
# alert tcp $HOME_NET 500 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - download file"; flow:to_client,established; flowbits:isset,OptixPROv1.32Download_detection2; content:"+OK RCVD|0D 0A|"; depth:10; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12155; rev:4;)
|
|
# alert tcp $HOME_NET 500 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - download file"; flow:to_client,established; flowbits:isset,OptixPROv1.32Download_detection1; content:"+OK REDY|0D 0A|"; depth:10; flowbits:set,OptixPROv1.32Download_detection2; flowbits:noalert; classtype:trojan-activity; sid:12154; rev:4;)
|
|
# alert tcp $HOME_NET 500 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - download file"; flow:to_client,established; content:" |0D 0A|"; depth:3; flowbits:set,OptixPROv1.32Download_detection1; flowbits:noalert; classtype:trojan-activity; sid:12153; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix pro v1.32 runtime detection - init connection"; flow:to_client,established; content:"001|AC|Optix"; depth:9; nocase; content:"Pro"; distance:0; nocase; content:"v1.32"; distance:0; nocase; content:"Connected"; distance:0; nocase; content:"Successfully!|0D 0A|"; distance:0; nocase; reference:url,www.spywareguide.com/product_show.php?id=1189; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076768; classtype:trojan-activity; sid:12152; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cafeini 1.0 runtime detection"; flow:to_client,established; flowbits:isset,CAFEiNi_detection; content:"INIPACK"; depth:7; nocase; reference:url,www.spywareguide.com/spydet_904_cafeini.html; classtype:trojan-activity; sid:12151; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cafeini 1.0 runtime detection - init connection"; flow:to_client,established; content:"|FF FD 03 FF FD 18 FF FD 1F|"; depth:9; flowbits:set,CAFEiNi_detection; flowbits:noalert; classtype:trojan-activity; sid:12150; rev:3;)
|
|
# alert tcp $HOME_NET 54320 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection"; flow:to_client,established; flowbits:isset,BackOrifice2006_1.1.5_detection; content:"|00 00 00|"; depth:3; content:"|CD C3 13|7|04|"; within:5; distance:1; reference:url,www.salama.tn/backorifice.htm; reference:url,www.spywareguide.com/product_show.php?id=1945; classtype:trojan-activity; sid:12149; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 54320 (msg:"MALWARE-BACKDOOR back orifice 2006 - v1.1.5 runtime detection - init connection"; flow:to_server,established; content:"|00 00 00|"; depth:3; content:"|CD C3 13|7"; within:4; distance:1; flowbits:set,BackOrifice2006_1.1.5_detection; flowbits:noalert; classtype:trojan-activity; sid:12148; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection"; flow:to_client,established; flowbits:isset,BlueEye1.0b_detection; dsize:3; content:"SUC"; reference:url,secunia.com/virus_information/11032/blueye-a/; reference:url,www.spywareguide.com/spydet_816_blue_eye_1_0b.html; classtype:trojan-activity; sid:12147; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR blue eye 1.0b runtime detection - init connection"; flow:to_server,established; content:"AUTH"; depth:4; flowbits:set,BlueEye1.0b_detection; flowbits:noalert; classtype:trojan-activity; sid:12146; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-BACKDOOR access remote pc runtime detection - rpc setup"; flow:to_client,established; flowbits:isset,AccessRemotePC_RPCdetection; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Access%20Remote%20PC&threatid=29373; classtype:trojan-activity; sid:12145; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-BACKDOOR access remote pc runtime detection - rpc setup"; flow:to_server,established; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; flowbits:set,AccessRemotePC_RPCdetection; flowbits:noalert; classtype:trojan-activity; sid:12144; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR access remote pc runtime detection - init connection"; flow:to_client,established; flowbits:isset,AccessRemotePC_detection; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Access%20Remote%20PC&threatid=29373; classtype:trojan-activity; sid:12143; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR access remote pc runtime detection - init connection"; flow:to_server,established; content:"|99 F3 00 00 00 00 00 00 FF FF FF FF|"; depth:12; flowbits:set,AccessRemotePC_detection; flowbits:noalert; classtype:trojan-activity; sid:12142; rev:3;)
|
|
# alert tcp $HOME_NET 58008 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR tron runtime detection - init connection"; flow:to_client,established; flowbits:isset,Tron_Initconnection; content:"<THETIMEIS>"; depth:11; nocase; reference:url,www.megasecurity.org/trojans/t/tron/Tron.html; classtype:trojan-activity; sid:12055; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 58008 (msg:"MALWARE-BACKDOOR tron runtime detection - init connection - flowbit set"; flow:to_server,established; content:"<SYSTMTIME>"; depth:11; nocase; flowbits:set,Tron_Initconnection; flowbits:noalert; classtype:trojan-activity; sid:12054; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR trail of destruction 2.0 runtime detection - get system info"; flow:to_server,established; content:"_Get_Sys_Info_"; depth:14; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076564; classtype:trojan-activity; sid:12053; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR the[x] 1.2 runtime detection - execute command"; flow:to_client,established; content:"000The[X]Server"; depth:15; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074872; classtype:trojan-activity; sid:12052; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR ultimate rat 2.1 runtime detection"; flow:to_client,established; content:"|01 00 00 02|WordUP"; depth:10; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060550; classtype:trojan-activity; sid:12051; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 610 (msg:"MALWARE-BACKDOOR supervisor plus runtime detection"; flow:to_server,established; flowbits:isset,SupervisorPlus_detection; content:"<A "; depth:3; nocase; pcre:"/^\x3c\x41\x20.*\x3b\x5c\x5c.*\x5cSV\x24\x5c\x3e\x3c/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453109596; classtype:trojan-activity; sid:11954; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 610 (msg:"MALWARE-BACKDOOR supervisor plus runtime detection"; flow:to_server,established; content:"L"; depth:1; nocase; content:"|00|"; depth:1; offset:3; pcre:"/^L\d\d\x00/smi"; flowbits:set,SupervisorPlus_detection; flowbits:noalert; classtype:trojan-activity; sid:11953; rev:3;)
|
|
# alert udp $HOME_NET 3262 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR winshadow runtime detection - udp response"; flow:to_client; content:"|03 00 00 00 01 00 02 00 00 00 00 00|"; depth:12; offset:5; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060036; classtype:trojan-activity; sid:11952; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR winshadow runtime detection - init connection request"; flow:to_server,established; content:"@|11 00 00 00 00 00 00 1C 00 00 00 10 00 03 00 00 00 01 00 02 00|"; depth:22; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060036; classtype:trojan-activity; sid:11951; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7896 (msg:"MALWARE-BACKDOOR lame rat v1.0 runtime detection"; flow:established; content:"MESSAGE + "; depth:10; nocase; content:" + windows"; distance:0; nocase; reference:url,www.megasecurity.org/trojans/l/lamerat/Lamerat1.0.html; classtype:trojan-activity; sid:11949; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5712 (msg:"MALWARE-BACKDOOR sohoanywhere runtime detection"; flow:to_server,established; flowbits:isset,Sohoanywhere_Init; content:"RFB 003.004|0A|"; depth:12; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060132; classtype:trojan-activity; sid:11323; rev:5;)
|
|
# alert tcp $HOME_NET 5712 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR sohoanywhere runtime detection"; flow:to_client,established; content:"RFB 003.003|0A|"; depth:12; nocase; flowbits:set,Sohoanywhere_Init; flowbits:noalert; classtype:trojan-activity; sid:11322; rev:5;)
|
|
# alert udp $HOME_NET any -> 255.255.255.255 5053 (msg:"MALWARE-BACKDOOR netwindow runtime detection - udp broadcast"; flow:to_server; content:"NWHOST"; depth:6; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=NetWindow&threatid=43584; classtype:trojan-activity; sid:11321; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5051 (msg:"MALWARE-BACKDOOR netwindow runtime detection - reverse mode init connection request"; flow:to_server,established; content:"NWHOST"; depth:6; nocase; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=NetWindow&threatid=43584; classtype:trojan-activity; sid:11320; rev:5;)
|
|
# alert tcp $HOME_NET 5050 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netwindow runtime detection - init connection request"; flow:to_client,established; content:"|1B 00 00 00|"; depth:4; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=NetWindow&threatid=43584; classtype:trojan-activity; sid:11319; rev:6;)
|
|
# alert tcp $EXTERNAL_NET 19820 -> $HOME_NET any (msg:"MALWARE-BACKDOOR boer runtime detection - init connection"; flow:to_client,established; content:"EMSG0006"; depth:8; nocase; reference:url,soft.myboer.cn; classtype:trojan-activity; sid:11318; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR abremote pro 3.1 runtime detection - init connection"; flow:to_client,established; content:"&&**"; depth:4; dsize:<100; reference:url,www.heibai.net/download/Soft/Soft_6836.htm; classtype:trojan-activity; sid:11317; rev:8;)
|
|
# alert tcp $HOME_NET 1115 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR lurker 1.1 runtime detection - init connection"; flow:to_client,established; content:"|0D|Lurker"; depth:7; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077370; classtype:trojan-activity; sid:11316; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR shadownet remote spy 2.0 runtime detection"; flow:to_client,established; content:"ShadowNet"; nocase; content:"Remote"; distance:0; nocase; content:"Web"; distance:0; nocase; content:"Based"; distance:0; nocase; content:"Spyware"; distance:0; nocase; pcre:"/ShadowNet\s+Remote\s+Web\s+Based\s+Spyware/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453081042; classtype:trojan-activity; sid:11314; rev:6;)
|
|
# alert tcp $HOME_NET 12667 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR winicabras 1.1 runtime detection - explorer"; flow:to_client,established; flowbits:isset,Winicabras_explorer; content:"DRIVE"; depth:5; nocase; reference:url,www.megasecurity.org/trojans/w/winicabras/Winicabras1.1.html; classtype:trojan-activity; sid:10463; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12667 (msg:"MALWARE-BACKDOOR winicabras 1.1 runtime detection - explorer"; flow:to_server,established; content:"DRIVE"; depth:5; nocase; flowbits:set,Winicabras_explorer; flowbits:noalert; classtype:trojan-activity; sid:10462; rev:4;)
|
|
# alert tcp $HOME_NET 3132 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR winicabras 1.1 runtime detection - get system info"; flow:to_client,established; flowbits:isset,Winicabras_getinfo; content:"|0D 0A|==INFORMACION"; depth:15; nocase; reference:url,www.megasecurity.org/trojans/w/winicabras/Winicabras1.1.html; classtype:trojan-activity; sid:10461; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3132 (msg:"MALWARE-BACKDOOR winicabras 1.1 runtime detection - get system info"; flow:to_server,established; content:"000"; depth:3; flowbits:set,Winicabras_getinfo; flowbits:noalert; classtype:trojan-activity; sid:10460; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR wineggdrop shell pro runtime detection - init connection"; flow:to_client,established; content:"WinEggDropShell"; depth:15; offset:28; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077750; classtype:trojan-activity; sid:10459; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5024 (msg:"MALWARE-BACKDOOR [x]-ztoo 1.0 or illusion runtime detection - open file manager"; flow:to_server,established; content:"[LOAD DRIVE DATA]"; depth:17; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134; classtype:trojan-activity; sid:10458; rev:5;)
|
|
# alert tcp $HOME_NET 5600 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR [x]-ztoo 1.0 runtime detection - start keylogger"; flow:to_client,established; content:"LogStarted"; depth:10; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134; classtype:trojan-activity; sid:10457; rev:7;)
|
|
# alert tcp $HOME_NET 5600 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR [x]-ztoo 1.0 runtime detection - get system info"; flow:to_client,established; flowbits:isset,XZTOO_Getinfo; content:"Info|3B|"; depth:5; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134; classtype:trojan-activity; sid:10456; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5600 (msg:"MALWARE-BACKDOOR [x]-ztoo 1.0 runtime detection - get system info"; flow:to_server,established; content:"GetInfo"; depth:7; nocase; flowbits:set,XZTOO_Getinfo; flowbits:noalert; classtype:trojan-activity; sid:10455; rev:4;)
|
|
# alert tcp $HOME_NET 5600 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR [x]-ztoo 1.0 runtime detection - init connection"; flow:to_client,established; content:"Connected"; depth:9; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084134; classtype:trojan-activity; sid:10454; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR zalivator 1.4.2 pro runtime detection - smtp notification"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"|28 29|"; distance:0; nocase; content:"DivXProGainBundle"; nocase; content:"Registration"; distance:0; nocase; pcre:"/^Subject\x3a[^\r\n]*\x28\x29/smi"; pcre:"/DivXProGainBundle\s+registration/smi"; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084203; classtype:trojan-activity; sid:10453; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR only 1 rat runtime detection - control command"; flow:to_server,established; flowbits:isset,Only1RAT_Control; content:"|7C FF 00 FF 00 FF 00 FF 00 FF 00 FF 0D 0A|"; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Only%201%20RAT&threatid=40632; classtype:trojan-activity; sid:10451; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR only 1 rat runtime detection - control command"; flow:to_client,established; content:"D41D8CD98F00B204E9800998ECF8427E"; depth:34; flowbits:set,Only1RAT_Control; flowbits:noalert; classtype:trojan-activity; sid:10450; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR acid shivers runtime detection - init telnet connection"; flow:to_client,established; content:"|1B|[2J|1B|[40m|1B|[37mAcid"; depth:18; nocase; content:"Shiver"; distance:0; nocase; content:"System"; distance:0; nocase; content:"Release"; distance:0; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=112; classtype:trojan-activity; sid:10449; rev:6;)
|
|
# alert tcp $HOME_NET 2612 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR acessor 2.0 runtime detection - init connection"; flow:to_client,established; content:"connect_"; depth:8; nocase; reference:url,www.megasecurity.org/trojans/a/acessor/Acessor2.0.html; classtype:trojan-activity; sid:10448; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32418 (msg:"MALWARE-BACKDOOR acidbattery 1.0 runtime detection - get server info"; flow:to_server,established; content:"SERVER/NFO"; depth:10; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=109; classtype:trojan-activity; sid:10446; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32418 (msg:"MALWARE-BACKDOOR acidbattery 1.0 runtime detection - get password"; flow:to_server,established; content:"PSWD/GET"; depth:8; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=109; classtype:trojan-activity; sid:10445; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32418 (msg:"MALWARE-BACKDOOR acidbattery 1.0 runtime detection - open ftp serice"; flow:to_server,established; content:"FTP-ON"; depth:6; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=109; classtype:trojan-activity; sid:10444; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32418 (msg:"MALWARE-BACKDOOR acidbattery 1.0 runtime detection - sniff info"; flow:to_server,established; content:"SNIFF/"; depth:6; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=109; classtype:trojan-activity; sid:10443; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR nirvana 2.0 runtime detection - explore c drive"; flow:to_server,established; dsize:<20; content:"|AC|kC|3A 5C|"; reference:url,www.megasecurity.org/trojans/n/nirvana/Nirvana2.0.html; classtype:trojan-activity; sid:10442; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Wordpress backdoor theme.php code execution"; flow:to_server,established; content:"wp-includes/theme.php"; nocase; http_uri; content:"iz="; nocase; http_uri; pcre:"/wp-includes\x2Ftheme\x2Ephp\x3F[^\r\n]*iz=/Ui"; metadata:impact_flag red, service http; reference:bugtraq,22797; reference:cve,2007-1277; reference:url,wordpress.org/development/2007/03/upgrade-212/; reference:url,www.securityfocus.com/archive/1/461794; classtype:trojan-activity; sid:10197; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Wordpress backdoor feed.php code execution"; flow:to_server,established; content:"wp-includes/feed.php"; nocase; http_uri; content:"ix="; nocase; http_uri; pcre:"/wp-includes\x2Ffeed\x2Ephp\x3F[^\r\n]*ix=/Ui"; metadata:impact_flag red, service http; reference:bugtraq,22797; reference:cve,2007-1277; reference:url,wordpress.org/development/2007/03/upgrade-212/; reference:url,www.securityfocus.com/archive/1/461794; classtype:trojan-activity; sid:10196; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR x-door runtime detection"; flow:to_server,established; content:"[XShell Backdoor"; nocase; content:"xshell>"; distance:0; nocase; reference:url,www.xfocus.net/tools/200610/1197.html; classtype:trojan-activity; sid:10185; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR wow 23 runtime detection"; flow:to_client,established,no_stream; content:"R|00|23"; depth:4; detection_filter:track by_src, count 3, seconds 300; reference:url,www.megasecurity.org/trojans/0_9/23/23_0.3.html; classtype:trojan-activity; sid:10184; rev:8;)
|
|
# alert udp $EXTERNAL_NET 1275 -> $HOME_NET 1276 (msg:"MALWARE-BACKDOOR matrix 1.03 by mtronic runtime detection - init connection"; content:"RequestConnect"; depth:14; reference:url,www.megasecurity.org/trojans/m/matrix/Matrix1.03.html; classtype:trojan-activity; sid:10169; rev:6;)
|
|
# alert tcp $HOME_NET 201 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR one runtime detection"; flow:to_client,established; content:"OK "; depth:16; nocase; reference:url,www.megasecurity.org/trojans/o/one/One0.12b.html; classtype:trojan-activity; sid:10168; rev:7;)
|
|
# alert tcp $HOME_NET 8812 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR rix3 1.0 runtime detection - init connection"; flow:to_client,established; content:"connected"; depth:9; nocase; reference:url,www.megasecurity.org/trojans/r/rix3/Rix3_1.0.html; classtype:trojan-activity; sid:10112; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR poison ivy 2.1.2 runtime detection - init connection"; flow:to_client,established; flowbits:isset,PoisonIvy_init; content:"U|8B EC|P|B8 02 00 00 00 81 C4 04 F0 FF FF|"; depth:15; reference:url,www.megasecurity.org/trojans/p/poisonivy/Poisonivy2.1.2.html; classtype:trojan-activity; sid:10111; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR poison ivy 2.1.2 runtime detection"; flow:to_client,established; content:"|F6 13 00 00|"; depth:4; flowbits:set,PoisonIvy_init; flowbits:noalert; classtype:trojan-activity; sid:10110; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR k-msnrat 1.0.0 runtime detection - init connection"; flow:to_client,established; content:"SndInfo"; depth:7; nocase; reference:url,www.megasecurity.org/trojans/k/kmsnrat/Kmsnrat1.0.0.html; classtype:trojan-activity; sid:10109; rev:6;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR icmp cmd 1.0 runtime detection - pskill"; itype:0; content:"pskill"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077250; classtype:trojan-activity; sid:10108; rev:6;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR icmp cmd 1.0 runtime detection - pslist"; itype:0; content:"pslist"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077250; classtype:trojan-activity; sid:10107; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hav-rat 1.1 runtime detection - retrieve pc info"; flow:to_server,established; flowbits:isset,HavRat_pcinfo2; content:"StartPage|3A|"; depth:10; nocase; reference:url,www.megasecurity.org/trojans/h/hav/Havrat1.0.html; classtype:trojan-activity; sid:10105; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hav-rat 1.1 runtime detection"; flow:to_server,established; flowbits:isset,HavRat_pcinfo1; content:"User|3A|"; depth:5; nocase; flowbits:set,HavRat_pcinfo2; flowbits:noalert; classtype:trojan-activity; sid:10104; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR hav-rat 1.1 runtime detection"; flow:to_client,established; content:"getinfo"; depth:7; nocase; flowbits:set,HavRat_pcinfo1; flowbits:noalert; classtype:trojan-activity; sid:10103; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"MALWARE-BACKDOOR crossfires trojan 3.0 runtime detection - chat with victim"; flow:to_server,established; content:"chat|7C|"; depth:5; nocase; reference:url,www.megasecurity.org/trojans/c/crossfires/Crossfires.html; classtype:trojan-activity; sid:10102; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"MALWARE-BACKDOOR crossfires trojan 3.0 runtime detection - delete file"; flow:to_server,established; content:"delete|7C|"; depth:7; nocase; reference:url,www.megasecurity.org/trojans/c/crossfires/Crossfires.html; classtype:trojan-activity; sid:10101; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR sun shadow 1.70 runtime detection - keep alive"; flow:to_server,established; content:"|FF 01 03 03 00 00 00 00|"; depth:8; nocase; reference:url,www.megasecurity.org/trojans/s/sunshadow/Sunshadow1.7.0.html; classtype:trojan-activity; sid:9839; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR sun shadow 1.70 runtime detection - init connection"; flow:to_client,established; flowbits:isset,Backdoor.SunShadow.Init; content:"|FF 01 01 03 00 00 00 00|"; depth:8; nocase; reference:url,www.megasecurity.org/trojans/s/sunshadow/Sunshadow1.7.0.html; classtype:trojan-activity; sid:9838; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR sun shadow 1.70 runtime detection - init connection"; flow:to_server,established; content:"|FF 01 01 01 80 00 00 00|"; depth:8; nocase; flowbits:set,Backdoor.SunShadow.Init; flowbits:noalert; classtype:trojan-activity; sid:9837; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"MALWARE-BACKDOOR ieva 1.0 runtime detection - crazy mouse"; flow:to_server,established; content:"MOUSE"; depth:5; nocase; reference:url,www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9836; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"MALWARE-BACKDOOR ieva 1.0 runtime detection - swap mouse"; flow:to_server,established; content:"OTHER"; depth:5; nocase; reference:url,www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9835; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"MALWARE-BACKDOOR ieva 1.0 runtime detection - black screen"; flow:to_server,established; content:"BLACK"; depth:5; nocase; reference:url,www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9834; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"MALWARE-BACKDOOR ieva 1.0 runtime detection - fake delete harddisk message"; flow:to_server,established; content:"DELEHARD"; depth:8; nocase; reference:url,www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9833; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1254 (msg:"MALWARE-BACKDOOR ieva 1.0 runtime detection - send message"; flow:to_server,established; content:"ASKGAY"; depth:6; nocase; reference:url,www.www.megasecurity.org/trojans/i/ieva/Ieva1.0.html; classtype:trojan-activity; sid:9832; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 16454 (msg:"MALWARE-BACKDOOR superra runtime detection - issue remote control command"; flow:to_server,established; content:"|05 00 00|"; depth:3; offset:1; classtype:trojan-activity; sid:9667; rev:6;)
|
|
# alert tcp $HOME_NET 16454 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR superra runtime detection - success init connection"; flow:to_client,established; content:"{|05 00 00|"; depth:4; classtype:trojan-activity; sid:9666; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR crossbow 1.12 runtime detection - init connection"; flow:to_server,established; flowbits:isset,Backdoor.Crossbow.Init; content:"SrvDtl|7C|"; depth:7; nocase; reference:url,www.megasecurity.org/trojans/c/crossbow/Crossbow1.12.html; classtype:trojan-activity; sid:9665; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR crossbow 1.12 runtime detection"; flow:to_client,established; content:"SrvDtl"; depth:6; nocase; flowbits:set,Backdoor.Crossbow.Init; flowbits:noalert; classtype:trojan-activity; sid:9664; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection - start remote shell"; flow:to_server,established; flowbits:isset,Backdoor.Bersek.Remoteshell; content:"|23|[shellrs]"; depth:10; nocase; reference:url,www.megasecurity.org/trojans/b/bersek/Bersek1.0.html; classtype:trojan-activity; sid:9663; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection"; flow:to_client,established; content:"|24|[shellgo]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Remoteshell; flowbits:noalert; classtype:trojan-activity; sid:9662; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection - show processes"; flow:to_server,established; flowbits:isset,Backdoor.Bersek.Showprocesses; content:"|23|[shwproc]"; depth:10; nocase; reference:url,www.megasecurity.org/trojans/b/bersek/Bersek1.0.html; classtype:trojan-activity; sid:9661; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection"; flow:to_client,established; content:"|24|[proclst]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Showprocesses; flowbits:noalert; classtype:trojan-activity; sid:9660; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection - file manage"; flow:to_server,established; flowbits:isset,Backdoor.Bersek.Filemanager; content:"|23|[showuni]"; depth:10; nocase; reference:url,www.megasecurity.org/trojans/b/bersek/Bersek1.0.html; classtype:trojan-activity; sid:9659; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection"; flow:to_client,established; content:"|24|[showuni]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Filemanager; flowbits:noalert; classtype:trojan-activity; sid:9658; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection - init connection"; flow:to_server,established; flowbits:isset,Backdoor.Bersek.Init; content:"|23|[version]1.0"; depth:13; nocase; reference:url,www.megasecurity.org/trojans/b/bersek/Bersek1.0.html; classtype:trojan-activity; sid:9657; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bersek 1.0 runtime detection"; flow:to_client,established; content:"|24|[version]"; depth:10; nocase; flowbits:set,Backdoor.Bersek.Init; flowbits:noalert; classtype:trojan-activity; sid:9656; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR apofis 1.0 runtime detection - remote controlling"; flow:to_client,established; flowbits:isset,Backdoor.Apofis.Remotecontrol; content:"Troyano"; nocase; content:"Apofis"; distance:0; nocase; pcre:"/Troyano\s+Apofis\s+1\x2E0/smi"; reference:url,www.megasecurity.org/trojans/a/apofis/Apofis1.0.html; classtype:trojan-activity; sid:9655; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR apofis 1.0 runtime detection - remote controlling"; flow:to_server,established; content:"?&sesion="; nocase; flowbits:set,Backdoor.Apofis.Remotecontrol; flowbits:noalert; classtype:trojan-activity; sid:9654; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR zxshell runtime detection - setting information retrieve"; flow:to_client,established; file_data; content:"[zxconfig]"; nocase; content:"MyIP="; nocase; content:"Port="; nocase; content:"Password="; nocase; content:"Banner="; nocase; content:"BackConnect="; nocase; content:"ServerID="; nocase; content:"LocalPort="; nocase; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453081617; classtype:trojan-activity; sid:8549; rev:10;)
|
|
# alert tcp $HOME_NET 4000 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR zzmm 2.0 runtime detection - init connection"; flow:to_client,established; flowbits:isset,Backdoor.ZZMM.InitConnect; content:"Attached"; nocase; content:"through"; distance:0; nocase; content:"port"; distance:0; nocase; pcre:"/^Attached\s+through\s+port\x3a/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453054345; classtype:trojan-activity; sid:8548; rev:6;)
|
|
# alert tcp $HOME_NET 4000 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR zzmm 2.0 runtime detection - init connection"; flow:to_client,established; content:"Connected"; depth:9; nocase; content:"to"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"at"; distance:0; nocase; pcre:"/^Connected\s+to\s+Server\s+at\x3a/smi"; flowbits:set,Backdoor.ZZMM.InitConnect; flowbits:noalert; classtype:trojan-activity; sid:8547; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR black curse 4.0 runtime detection - normal init connection"; flow:to_server,established; dsize:<50; content:"|7C|48|7C|0|7C|0|7C|"; depth:8; nocase; reference:url,www.megasecurity.org/trojans/b/blackcurse/Blackcurse4.0.html; classtype:trojan-activity; sid:8362; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR black curse 4.0 runtime detection - inverse init connection"; flow:to_client,established; dsize:<50; content:"0^0^0^"; depth:6; nocase; reference:url,www.megasecurity.org/trojans/b/blackcurse/Blackcurse4.0.html; classtype:trojan-activity; sid:8361; rev:7;)
|
|
# alert tcp $HOME_NET 2421 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR x2a runtime detection - init connection"; flow:to_client,established; content:"connected"; depth:9; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084136; classtype:trojan-activity; sid:8079; rev:6;)
|
|
# alert tcp $HOME_NET 1327 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR mithril runtime detection - get process list"; flow:to_client,established; flowbits:isset,Mithril_GetProcessList; content:"|BD F8 B3 CC|ID|BA C5 A3 BA| "; depth:20; nocase; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8078; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1327 (msg:"MALWARE-BACKDOOR mithril runtime detection - get process list"; flow:to_server,established; content:"pslist|0A|"; depth:7; nocase; flowbits:set,Mithril_GetProcessList; flowbits:noalert; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8077; rev:4;)
|
|
# alert tcp $HOME_NET 1327 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR mithril runtime detection - get system information"; flow:to_client,established; flowbits:isset,Mithril_GetSystemInformation; content:"|BC C6 CB E3 BB FA C3 FB A3 BA|"; depth:10; nocase; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8076; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1327 (msg:"MALWARE-BACKDOOR mithril runtime detection - get system information"; flow:to_server,established; content:"sysinfo|0A|"; depth:8; nocase; flowbits:set,Mithril_GetSystemInformation; flowbits:noalert; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8075; rev:4;)
|
|
# alert tcp $HOME_NET 1327 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR mithril runtime detection - init connection"; flow:to_client,established; content:"|CE DE B7 A8 B4 F2 BF AA B5 BD D6 F7 BB FA B5 C4 C1 AC BD D3| |D4 DA B6 CB BF DA| 1327 |3A| |C1 AC BD D3 CA A7 B0 DC|"; depth:43; nocase; reference:url,www.megasecurity.org/trojans/m/mithril/Mithril1.45.html; classtype:trojan-activity; sid:8074; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1111 (msg:"MALWARE-BACKDOOR xbkdr runtime detection"; flow:to_server,established; content:"|7C|"; depth:1; offset:3; pcre:"/^(?=[abchimoprswx])(acs|bin|c(ap|ls)|h(di|ms|tb)|iex|m(oo|tx|ws)|opn|pwr|rst|s(h[di]|ms|tb|wm)|wrd|xls)\x7C/smi"; reference:url,www.megasecurity.org/trojans/x/x-bkdr/X-bkdr1.4.html; classtype:trojan-activity; sid:7822; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR nightcreature beta 0.01 runtime detection"; flow:to_client,established; content:"<consol>---------------------------------------------<consol>Connected to NightCreature server"; nocase; reference:url,opensc.ws/showthread.php?t=31; classtype:trojan-activity; sid:7821; rev:5;)
|
|
# alert tcp $HOME_NET 146 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR infector v1.0 runtime detection - init conn"; flow:to_client,established; flowbits:isset,back.infector.v1.0.conn.1; content:"FC'S TROJAN"; depth:11; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075657; classtype:trojan-activity; sid:7818; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 146 (msg:"MALWARE-BACKDOOR infector v1.0 runtime detection - init conn"; flow:to_server,established; content:"FC "; depth:3; nocase; flowbits:set,back.infector.v1.0.conn.1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075657; classtype:trojan-activity; sid:7817; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR darkmoon reverse connection detection - cts"; flow:to_server,established; flowbits:isset,darkmoon_reverse_stc; content:"DmInf"; depth:5; nocase; pcre:"/^DmInf\x5E[^\r\n]*\d+\x2E\d+\x2E\d+\x2E\d+\x5E/smi"; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Trojan.Backdoor.Darkmoon&threatid=41348; reference:url,securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html; classtype:trojan-activity; sid:7816; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR darkmoon reverse connection detection - stc"; flow:to_client,established; content:"0^0^0^"; depth:6; flowbits:set,darkmoon_reverse_stc; flowbits:noalert; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Trojan.Backdoor.Darkmoon&threatid=41348; reference:url,securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html; classtype:trojan-activity; sid:7815; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR darkmoon initial connection detection - stc"; flow:to_client,established; flowbits:isset,darkmoon_initial_cts; content:"|7C|Connected"; depth:10; nocase; content:"with|3A|"; distance:0; nocase; pcre:"/^\x7CConnected with\x3A\s+\d+\x2E\d+.\d+.\d+/smi"; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Trojan.Backdoor.Darkmoon&threatid=41348; reference:url,securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html; classtype:trojan-activity; sid:7814; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR darkmoon initial connection detection - cts"; flow:to_server,established; content:"|7C|55|7C|0|7C|0|7C 7C|"; depth:9; flowbits:set,darkmoon_initial_cts; flowbits:noalert; reference:url,research.sunbelt-software.com/threat_display.cfm?name=Trojan.Backdoor.Darkmoon&threatid=41348; reference:url,securityresponse.symantec.com/avcenter/venc/auto/index/indexD.html; classtype:trojan-activity; sid:7813; rev:4;)
|
|
# alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR abacab runtime detection - banner"; flow:to_client,established; flowbits:isset,Abacab; content:"|00| |23 23 23| |23 23 23| |23| __...--'' ___...--_..' .|3B|.' |3B 0D 0A|"; nocase; content:"CONNECTION|3A 0D 0A| |0D 0A|Veuillez entrer le mot de passe|0D 0A 00|"; distance:0; nocase; reference:url,megasecurity.org/trojans/a/abacab/Abacab0.9beta.html; classtype:trojan-activity; sid:7812; rev:6;)
|
|
# alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR abacab runtime detection - telnet initial"; flow:to_client,established; content:" |0D 0A|Vous etes connecte a|3A 0D 0A 0D 0A 00|"; flowbits:set,Abacab; flowbits:noalert; reference:url,megasecurity.org/trojans/a/abacab/Abacab0.9beta.html; classtype:trojan-activity; sid:7811; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR nuclear uploader 1.0 runtime detection"; flow:to_client,established; content:"libManager.dll"; nocase; content:"get"; distance:0; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079457; classtype:trojan-activity; sid:7810; rev:5;)
|
|
# alert tcp $HOME_NET 6666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fatal wound 1.0 runtime detection - upload"; flow:to_client,established; flowbits:isset,fatalwound_upload; content:"Send File -~-"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104; classtype:trojan-activity; sid:7809; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"MALWARE-BACKDOOR fatal wound 1.0 runtime detection - upload"; flow:to_server,established; content:"File Name -~-"; nocase; flowbits:set,fatalwound_upload; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1065; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104; classtype:trojan-activity; sid:7808; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"MALWARE-BACKDOOR fatal wound 1.0 runtime detection - execute file"; flow:to_server,established; content:"Execute -~-"; nocase; reference:url,attack.mitre.org/techniques/T1065; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104; classtype:trojan-activity; sid:7807; rev:6;)
|
|
# alert tcp $HOME_NET 6666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fatal wound 1.0 runtime detection - initial connection"; flow:to_client,established; content:"00000"; nocase; content:"-~-"; distance:0; nocase; pcre:"/^00000\s+-~-\s+/smi"; reference:url,attack.mitre.org/techniques/T1065; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077104; classtype:trojan-activity; sid:7806; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4201 (msg:"MALWARE-BACKDOOR war trojan ver1.0 runtime detection - disable ctrl+alt+del"; flow:to_server,established; content:"disablectrlaltdel"; depth:17; reference:url,www.symantec.com/avcenter/attack_sigs/s20290.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075746; classtype:trojan-activity; sid:7804; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4201 (msg:"MALWARE-BACKDOOR war trojan ver1.0 runtime detection - send messages"; flow:to_server,established; content:"text|3A|"; depth:5; reference:url,www.symantec.com/avcenter/attack_sigs/s20290.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075746; classtype:trojan-activity; sid:7803; rev:5;)
|
|
# alert udp $HOME_NET 10167 -> $EXTERNAL_NET 10220 (msg:"MALWARE-BACKDOOR portal of doom runtime detection - udp stc"; flow:to_client; content:"KeepAlive"; depth:9; nocase; reference:url,megasecurity.org/trojans/p/portalofdoom/Portalofdoom3.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4684; classtype:trojan-activity; sid:7802; rev:7;)
|
|
# alert udp $EXTERNAL_NET 10220 -> $HOME_NET 10167 (msg:"MALWARE-BACKDOOR portal of doom runtime detection - udp cts"; flow:to_server; content:"pod"; depth:3; nocase; reference:url,megasecurity.org/trojans/p/portalofdoom/Portalofdoom3.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4684; classtype:trojan-activity; sid:7801; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9401 (msg:"MALWARE-BACKDOOR incommand 1.7 runtime detection - file manage 2"; flow:to_server,established; flowbits:isset,InCommand_17_FileManager_2; content:"PASS InClientMainPassword"; depth:25; reference:url,www.spywareguide.com/product_show.php?id=1637; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44730; classtype:trojan-activity; sid:7800; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9401 (msg:"MALWARE-BACKDOOR incommand 1.7 runtime detection - file manage 2"; flow:to_server,established; content:"USER inc"; depth:8; flowbits:set,InCommand_17_FileManager_2; flowbits:noalert; classtype:trojan-activity; sid:7799; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 148 (msg:"MALWARE-BACKDOOR incommand 1.7 runtime detection - file manage 1"; flow:to_server,established; flowbits:isset,InCommand_17_FileManager_1; content:"PASS InClientMainPassword"; depth:25; reference:url,www.spywareguide.com/product_show.php?id=1637; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44730; classtype:trojan-activity; sid:7798; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 148 (msg:"MALWARE-BACKDOOR incommand 1.7 runtime detection - file manage 1"; flow:to_server,established; content:"USER inc"; depth:8; flowbits:set,InCommand_17_FileManager_1; flowbits:noalert; classtype:trojan-activity; sid:7797; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR incommand 1.7 runtime detection - init connection"; flow:to_client,established; flowbits:isset,InCommand_17_InitConnection; content:"PASSOK"; reference:url,www.spywareguide.com/product_show.php?id=1637; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44730; classtype:trojan-activity; sid:7796; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR incommand 1.7 runtime detection - init connection"; flow:to_server,established; content:"ACS "; depth:4; flowbits:set,InCommand_17_InitConnection; flowbits:noalert; classtype:trojan-activity; sid:7795; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR fraggle rock 2.0 lite runtime detection - pc info - flowbit set"; flow:to_server,established; content:"updateinfo"; depth:10; nocase; flowbits:set,backdoor.fraggle.rock.2.0.lite.pc.info; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077120; classtype:trojan-activity; sid:7794; rev:4;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remote anything 5.11.22 runtime detection - chat with attacker"; content:"RA Chat|00 00|"; depth:9; reference:url,www.spywareguide.com/product_show.php?id=1567; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076440; classtype:trojan-activity; sid:7793; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR remote anything 5.11.22 runtime detection - chat with victim"; content:"RA Chat|00 00|"; depth:9; reference:url,www.spywareguide.com/product_show.php?id=1567; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076440; classtype:trojan-activity; sid:7792; rev:5;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remote anything 5.11.22 runtime detection - victim response"; content:"RA Broadcast|00|"; depth:13; reference:url,www.spywareguide.com/product_show.php?id=1567; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076440; classtype:trojan-activity; sid:7791; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR forced control uploader runtime detection directory listing - server to client"; flow:to_client,established; dsize:6; content:"KSPDIR"; depth:6; classtype:trojan-activity; sid:7789; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR forced control uploader runtime detection directory listing - client to server"; flow:to_server,established; dsize:4; content:"KRP0"; depth:4; classtype:trojan-activity; sid:7788; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR forced control uploader runtime detection - connection with password"; flow:to_client,established; dsize:5; content:"PWDok"; depth:5; classtype:trojan-activity; sid:7785; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netdevil runtime detection - file manager"; flow:to_client,established; flowbits:isset,NetDevil_FileManager; content:"get_drives_done"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087652; classtype:trojan-activity; sid:7783; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR netdevil runtime detection - file manager - flowbit set"; flow:to_server,established; content:"get_drives"; nocase; flowbits:set,NetDevil_FileManager; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453087652; classtype:trojan-activity; sid:7782; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR elfrat runtime detection - initial connection"; flow:to_client,established; content:"|01|elfRAT|04|"; nocase; reference:url,www.megasecurity.org/trojans/e/elf/Elfrat1.2.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=55224; classtype:trojan-activity; sid:7778; rev:6;)
|
|
# alert tcp $HOME_NET 7080 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - get drives"; flow:to_client,established; flowbits:isset,Messiah_GetDrives; content:"GET///Drives"; depth:12; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400; classtype:trojan-activity; sid:7777; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7080 (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - get drives - flowbit set"; flow:to_server,established; content:"GET///Drives**"; depth:14; flowbits:set,Messiah_GetDrives; flowbits:noalert; classtype:trojan-activity; sid:7776; rev:5;)
|
|
# alert tcp $HOME_NET 876 -> $EXTERNAL_NET 877 (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - screen capture"; flow:to_server,established; flowbits:isset,Messiah_ScreenCaptureA; content:"Downloadscreen|7C|"; depth:15; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400; classtype:trojan-activity; sid:7775; rev:5;)
|
|
# alert tcp $EXTERNAL_NET 877 -> $HOME_NET 876 (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - screen capture - flowbit set"; flow:established; content:"getscreen|7C|"; depth:10; flowbits:set,Messiah_ScreenCaptureA; flowbits:noalert; classtype:trojan-activity; sid:7774; rev:4;)
|
|
# alert tcp $HOME_NET 876 -> $EXTERNAL_NET 877 (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - enable keylogger"; flow:to_server,established; flowbits:isset,Messiah_EnableKeyloggerA; content:"kcaption|7C|"; depth:9; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400; classtype:trojan-activity; sid:7773; rev:6;)
|
|
alert tcp $EXTERNAL_NET 877 -> $HOME_NET 876 (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - enable keylogger - flowbit set"; flow:established; content:"enablekey|7C|"; depth:10; flowbits:set,Messiah_EnableKeyloggerA; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; classtype:trojan-activity; sid:7772; rev:5;)
|
|
# alert tcp $HOME_NET 876 -> $EXTERNAL_NET 877 (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - get server info"; flow:to_server,established; flowbits:isset,Messiah_GetServerInfoA; content:"serverinformation|7C|"; depth:18; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077400; classtype:trojan-activity; sid:7771; rev:5;)
|
|
# alert tcp $EXTERNAL_NET 877 -> $HOME_NET 876 (msg:"MALWARE-BACKDOOR messiah 4.0 runtime detection - get server info - flowbit set"; flow:established; content:"getserverinfo|7C|"; depth:14; flowbits:set,Messiah_GetServerInfoA; flowbits:noalert; classtype:trojan-activity; sid:7770; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR data rape runtime detection - execute program server-to-client"; flow:to_client,established; content:"000File"; depth:7; nocase; content:"executed..."; distance:0; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076909; classtype:trojan-activity; sid:7769; rev:6;)
|
|
# alert tcp $HOME_NET 6767 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR nt remote controller 2000 runtime detection - foldermonitor server-to-client"; flow:to_client,established; flowbits:isset,NT_Remote_Controller_2000_FolderMonitor; content:"FolderMonitor|3B|"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7767; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6767 (msg:"MALWARE-BACKDOOR nt remote controller 2000 runtime detection - foldermonitor client-to-server"; flow:to_server,established; content:"|3B|FolderMonitor"; nocase; flowbits:set,NT_Remote_Controller_2000_FolderMonitor; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7766; rev:4;)
|
|
# alert tcp $HOME_NET 6767 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR nt remote controller 2000 runtime detection - sysinfo server-to-client"; flow:to_client,established; flowbits:isset,NT_Remote_Controller_2000_Sysinfo1; content:"SystemInfo|3B|"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7765; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6767 (msg:"MALWARE-BACKDOOR nt remote controller 2000 runtime detection - sysinfo client-to-server"; flow:to_server,established; content:"|3B|SystemInfo"; nocase; flowbits:set,NT_Remote_Controller_2000_Sysinfo1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7764; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6767 (msg:"MALWARE-BACKDOOR nt remote controller 2000 runtime detection - services client-to-server"; flow:to_server,established; content:"|3B|ServicesStatus"; nocase; pcre:"/^\x3BServicesStatus\x3B(All|Active|Inactive)Services/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075691; classtype:trojan-activity; sid:7763; rev:5;)
|
|
# alert udp $HOME_NET [1234,2018] -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netthief runtime detection"; content:"|00 00 00 00 00 00 00 82|"; depth:8; offset:17; reference:url,www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=16078; classtype:trojan-activity; sid:7760; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR glacier runtime detection - screen capture"; flow:to_server,established; content:"|F5 CA C7 C7 C6 F5 C8 C8 CE C7 F5|"; depth:11; reference:url,www.symantec.com/avcenter/attack_sigs/s20302.html; classtype:trojan-activity; sid:7759; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR glacier runtime detection - initial connection and directory browse"; flow:to_server,established; content:"|F5 CB C9 CF C6 F5 C8 C8 CE C7 F5|"; depth:11; content:"|F5 D5 D1 D5 F5|"; distance:0; reference:url,www.symantec.com/avcenter/attack_sigs/s20302.html; classtype:trojan-activity; sid:7758; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR buschtrommel 1.22 runtime detection - spy function"; flow:to_client,established; flowbits:isset,BuschTrommel_SpyFunction2; content:"{FTPL}"; depth:6; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=20757; classtype:trojan-activity; sid:7755; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR buschtrommel 1.22 runtime detection - spy function - flowbit set 2"; flow:to_client,established; flowbits:isset,BuschTrommel_SpyFunction1; content:"{PLTS}"; depth:6; flowbits:set,BuschTrommel_SpyFunction2; flowbits:noalert; classtype:trojan-activity; sid:7754; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR buschtrommel 1.22 runtime detection - spy function - flowbit set 1"; flow:to_server,established; content:"GETIT"; depth:5; flowbits:set,BuschTrommel_SpyFunction1; flowbits:noalert; classtype:trojan-activity; sid:7753; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR buschtrommel 1.22 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,BuschTrommel_InitConnection2; content:"*VER1.22|28|REI|29|"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=20757; classtype:trojan-activity; sid:7752; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR buschtrommel 1.22 runtime detection - initial connection - flowbit set 2"; flow:to_server,established; flowbits:isset,BuschTrommel_InitConnection1; content:"ver"; depth:3; flowbits:set,BuschTrommel_InitConnection2; flowbits:noalert; classtype:trojan-activity; sid:7751; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR buschtrommel 1.22 runtime detection - initial connection - flowbit set 1"; flow:to_client,established; content:"*PASS*"; depth:6; flowbits:set,BuschTrommel_InitConnection1; flowbits:noalert; classtype:trojan-activity; sid:7750; rev:6;)
|
|
# alert tcp $HOME_NET 4321 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bobo 1.0 runtime detection - send message"; flow:to_client,established; flowbits:isset,BoBo_SendMessages; content:"Message shown.|00|finish line|00|"; depth:27; reference:url,www.spywareguide.com/product_show.php?id=1531; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076842; classtype:trojan-activity; sid:7749; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"MALWARE-BACKDOOR bobo 1.0 runtime detection - send message - flowbit set"; flow:to_server,established; content:"Send Message"; depth:12; flowbits:set,BoBo_SendMessages; flowbits:noalert; classtype:trojan-activity; sid:7748; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"MALWARE-BACKDOOR bobo 1.0 runtime detection - initial connection"; flow:to_server,established; flowbits:isset,BoBo_InitConnection; content:"zdorovo"; depth:7; reference:url,www.spywareguide.com/product_show.php?id=1531; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076842; classtype:trojan-activity; sid:7747; rev:5;)
|
|
# alert tcp $HOME_NET 4321 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bobo 1.0 runtime detection - initial connection - flowbit set"; flow:to_client,established; content:"Password|3A|"; depth:9; flowbits:set,BoBo_InitConnection; flowbits:noalert; classtype:trojan-activity; sid:7746; rev:5;)
|
|
# alert tcp $HOME_NET 7410 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR phoenix 2.1 runtime detection"; flow:to_client,established; flowbits:isset,Phoenix_InitConnection; content:"The Phoenix is ready"; depth:20; reference:url,www.spywareguide.com/product_show.php?id=977; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079790; classtype:trojan-activity; sid:7745; rev:6;)
|
|
# alert tcp $HOME_NET 7410 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR phoenix 2.1 runtime detection - flowbit set"; flow:to_client,established; content:"MSG00020"; depth:8; flowbits:set,Phoenix_InitConnection; flowbits:noalert; classtype:trojan-activity; sid:7744; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR nova 1.0 runtime detection - cgi notification server-to-client"; flow:to_client,established; flowbits:isset,nova_cgi_cts; file_data; content:"# Nova CGI Notification Script"; fast_pattern:only; metadata:impact_flag red, service http; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030; classtype:trojan-activity; sid:7743; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR nova 1.0 runtime detection - initial connection with pwd set"; flow:to_client,established; flowbits:isset,nova_conn_1; content:"ClientsConnected"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030; classtype:trojan-activity; sid:7741; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR nova 1.0 runtime detection - initial connection with pwd set - flowbit set"; flow:to_client,established; content:"Passed"; depth:6; nocase; flowbits:set,nova_conn_1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073030; classtype:trojan-activity; sid:7740; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4444 (msg:"MALWARE-BACKDOOR alexmessomalex runtime detection - grab"; flow:to_server,established; content:"grab|3A|"; depth:5; nocase; reference:url,www.megasecurity.org/trojans/a/alexmessomalex/Alexmessomalex_b2.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=45547; classtype:trojan-activity; sid:7739; rev:6;)
|
|
# alert tcp $HOME_NET 4444 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR alexmessomalex runtime detection - initial connection"; flow:to_client,established; content:"accept|3A|"; depth:7; nocase; reference:url,www.megasecurity.org/trojans/a/alexmessomalex/Alexmessomalex_b2.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=45547; classtype:trojan-activity; sid:7738; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bionet 4.05 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,BioNet4_05_BE; content:"!|00 00 00|&|01 01 00 01|KA"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072406; classtype:trojan-activity; sid:7735; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bionet 4.05 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"|05 00 00 00|1|00 01 00 01 FD 12 00|"; depth:12; flowbits:set,BioNet4_05_BE; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072406; classtype:trojan-activity; sid:7734; rev:6;)
|
|
# alert tcp $EXTERNAL_NET 5005 -> $HOME_NET any (msg:"MALWARE-BACKDOOR outbreak_0.2.7 runtime detection - initial connection"; flow:to_client,established; content:"CON"; nocase; pcre:"/^CON\w{1,10}\d+\xAE[^\r\n]{1,20}\x3B/smi"; reference:url,www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html; classtype:trojan-activity; sid:7733; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5005 (msg:"MALWARE-BACKDOOR outbreak_0.2.7 runtime detection - ring client-to-server"; flow:to_server,established; flowbits:isset,outbreak_ring_stc; content:"SINFO"; nocase; content:"PONG"; distance:0; nocase; pcre:"/^SINFO\x3B[^\r\n]{1,20}\x3BPONG\x3B/smi"; reference:url,www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html; classtype:trojan-activity; sid:7732; rev:6;)
|
|
# alert tcp $EXTERNAL_NET 5005 -> $HOME_NET any (msg:"MALWARE-BACKDOOR outbreak_0.2.7 runtime detection - ring server-to-client"; flow:to_client,established; content:"SINFO"; nocase; pcre:"/^SINFO\x3B\d+\x3B/smi"; flowbits:set,outbreak_ring_stc; flowbits:noalert; reference:url,www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html; classtype:trojan-activity; sid:7731; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5005 (msg:"MALWARE-BACKDOOR outbreak_0.2.7 runtime detection - reverse connection"; flow:to_server,established; content:"Sin"; nocase; pcre:"/^Sin[^\r\n]*\/[^\r\n]*\x0D\x0A\d+\x0D\x0A/smi"; reference:url,www.megasecurity.org/trojans/o/outbreak/Outbreak0.2.7.html; classtype:trojan-activity; sid:7730; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR radmin runtime detection - server-to-client"; flow:to_client,established; flowbits:isset,Radmin; content:"|01 00 00 00|%|00 00 01 10 08 01 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:46; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:7729; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR radmin runtime detection - client-to-server"; flow:to_server,established; content:"|01 00 00 00 01 00 00 00 08 08|"; depth:10; flowbits:set,Radmin; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:7728; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR reversable ver1.0 runtime detection - execute command"; flow:to_server,established; flowbits:isset,ReVerSaBle_ExecuteCommand; content:"COMMENFile"; depth:10; nocase; reference:url,www.megasecurity.org/trojans/r/reversable/Reversable1.0.html; classtype:trojan-activity; sid:7727; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR reversable ver1.0 runtime detection - execute command - flowbit set"; flow:to_client,established; content:"EXECUT"; depth:6; flowbits:set,ReVerSaBle_ExecuteCommand; flowbits:noalert; classtype:trojan-activity; sid:7726; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR reversable ver1.0 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"PORT="; depth:5; content:"Victim="; distance:0; pcre:"/^PORT\x3D\d+\x2AVictim\x3D/"; classtype:trojan-activity; sid:7724; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR wollf runtime detection"; flow:to_client,established; content:"Wollf"; fast_pattern; nocase; content:"Remote"; distance:0; nocase; content:"Manager"; distance:0; nocase; pcre:"/^\x22Wollf\s+Remote\s+Manager\x22\s+v\d+\x2E\d+\x0d\x0a/smi"; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.wollf.16.html; classtype:trojan-activity; sid:7723; rev:5;)
|
|
# alert tcp $HOME_NET 5110 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR prorat 1.9 initial connection detection"; flow:to_client,established; content:"Sifre_Korumasi"; depth:14; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.prorat.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453082779; classtype:trojan-activity; sid:7721; rev:6;)
|
|
# alert tcp $HOME_NET 7250 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR desktop scout runtime detection"; flow:to_client,established; content:"DTS-300|0D 0A|"; depth:9; nocase; reference:url,www.spywareguide.com/product_show.php?id=927; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074737; classtype:trojan-activity; sid:7720; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR dameware mini remote control runtime detection - initial connection"; flow:to_server,established; flowbits:isset,DameWareMiniRemoteControl_InitConnection; content:"0|11 00 00 00 00 00 00|333333|13|@|00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:30; reference:url,www.spywareguide.com/product_show.php?id=925; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060041; classtype:trojan-activity; sid:7719; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dameware mini remote control runtime detection - initial connection - flowbit set"; flow:to_client,established; content:"0|11 00 00|"; depth:4; content:"333333|13|@"; offset:8; flowbits:set,DameWareMiniRemoteControl_InitConnection; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=925; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060041; classtype:trojan-activity; sid:7718; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR snake trojan runtime detection"; flow:to_client,established; content:"The"; depth:3; nocase; content:"Snake"; distance:0; nocase; content:"Trojan"; distance:0; nocase; pcre:"/^The\s+Snake\s+Trojan/smi"; reference:url,www.spywareguide.com/product_show.php?id=643; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078423; classtype:trojan-activity; sid:7717; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netdevil runtime detection"; flow:to_client,established; flowbits:isset,backdoor.NetDevil.conn.step2; content:"ver"; nocase; pcre:"/^ver\d+\x2E\d+/smi"; reference:url,www.spywareguide.com/product_show.php?id=1516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=27557; classtype:trojan-activity; sid:7716; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR netdevil runtime detection - flowbit set 2"; flow:to_server,established; flowbits:isset,backdoor.NetDevil.conn.step1; content:"version"; depth:7; nocase; flowbits:set,backdoor.NetDevil.conn.step2; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=27557; classtype:trojan-activity; sid:7715; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netdevil runtime detection - flowbit set 1"; flow:to_client,established; content:"passed"; depth:6; nocase; flowbits:set,backdoor.NetDevil.conn.step1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1516; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=27557; classtype:trojan-activity; sid:7714; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR Amitis v1.3 runtime detection - email notification"; flow:to_server,established; content:"From|3A|"; nocase; content:"Amitis"; distance:0; content:"1.3"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Server"; distance:0; nocase; content:"information"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*Amitis\s+1\x2E3.*Subject\x3A[^\r\n]*Server\s+information/smi"; metadata:impact_flag red, service smtp; reference:url,www.spywareguide.com/product_show.php?id=669; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075097; classtype:trojan-activity; sid:7713; rev:6;)
|
|
# alert tcp $HOME_NET 33229 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Amitis runtime detection victim to attacker"; flow:to_client,established; content:"["; depth:1; content:"]|0D 0A|"; within:25; pcre:"/^\[[a-z]{4,22}\]/si"; metadata:impact_flag red; reference:url,www.spywareguide.com/product_show.php?id=669; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072405; classtype:trojan-activity; sid:7712; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 33229 (msg:"MALWARE-BACKDOOR Amitis runtime command detection attacker to victim"; flow:to_server,established; content:"["; depth:1; content:"]|0D 0A|"; within:25; pcre:"/^\[[a-z]{4,22}\]/si"; metadata:impact_flag red; reference:url,www.spywareguide.com/product_show.php?id=669; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072405; classtype:trojan-activity; sid:7711; rev:6;)
|
|
# alert tcp $HOME_NET 8811 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fear1.5/aciddrop1.0 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,Fear15_conn.2; content:"Drive"; nocase; reference:url,www.megasecurity.org/trojans/f/fear/Fear1.5a.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:7710; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8811 (msg:"MALWARE-BACKDOOR fear1.5/aciddrop1.0 runtime detection - initial connection - flowbit set"; flow:to_server,established; flowbits:isset,Fear15_conn.1; content:"listdrives"; nocase; flowbits:set,Fear15_conn.2; flowbits:noalert; reference:url,www.megasecurity.org/trojans/f/fear/Fear1.5a.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:7709; rev:4;)
|
|
# alert tcp $HOME_NET 8811 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fear1.5/aciddrop1.0 runtime detection - initial connection - flowbit set"; flow:to_client,established; content:"connected"; nocase; flowbits:set,Fear15_conn.1; flowbits:noalert; reference:url,www.megasecurity.org/trojans/f/fear/Fear1.5a.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:7708; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"MALWARE-BACKDOOR omniquad instant remote control runtime detection - file transfer setup"; flow:to_server,established; content:"Welcome"; nocase; content:"to"; distance:0; nocase; content:"the"; distance:0; nocase; content:"Omniquad"; distance:0; nocase; content:"File"; distance:0; nocase; content:"Transfer"; distance:0; nocase; content:"Server"; distance:0; nocase; pcre:"/Welcome\s+to\s+the\s+Omniquad\s+File\s+Transfer\s+Server/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080053; classtype:trojan-activity; sid:7707; rev:5;)
|
|
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR omniquad instant remote control runtime detection - initial connection"; flow:to_client,established; flowbits:isset,Omniquad_IRC_InitConnection; content:"|00 00 00|h|FF|SMB%|00 00 00|"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080053; classtype:trojan-activity; sid:7706; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"MALWARE-BACKDOOR omniquad instant remote control runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"Instant"; nocase; content:"Remote"; distance:0; nocase; content:"Control"; distance:0; nocase; content:"Service"; distance:0; nocase; pcre:"/Instant\s+Remote\s+Control\s+Service/smi"; flowbits:set,Omniquad_IRC_InitConnection; flowbits:noalert; classtype:trojan-activity; sid:7705; rev:6;)
|
|
# alert tcp $HOME_NET 1111 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR roach 1.0 runtime detection - remote control actions"; flow:to_client,established; flowbits:isset,Roach_RemoteControlActions; content:"|A2 D0 D4 D6 DF C1 E1 D5 D6 DC BB DC CE D7|"; depth:14; reference:url,www.spywareguide.com/product_show.php?id=950; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075964; classtype:trojan-activity; sid:7703; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1111 (msg:"MALWARE-BACKDOOR roach 1.0 runtime detection - remote control actions - flowbit set"; flow:to_server,established; content:"|A2 D0 D4 D6 DF C1 E1 D5 D6 DC BB DC CE D7|"; depth:14; flowbits:set,Roach_RemoteControlActions; flowbits:noalert; classtype:trojan-activity; sid:7702; rev:6;)
|
|
# alert tcp $HOME_NET 3100 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR brain wiper runtime detection - chat"; flow:to_client,established; flowbits:isset,BrAin_Wiper_Chat; content:"Chat dialog opened"; depth:18; reference:url,www.spywareguide.com/product_show.php?id=903; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367; classtype:trojan-activity; sid:7701; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3100 (msg:"MALWARE-BACKDOOR brain wiper runtime detection - chat - flowbit set"; flow:to_server,established; content:"ChatCHA"; depth:7; flowbits:set,BrAin_Wiper_Chat; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=903; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367; classtype:trojan-activity; sid:7700; rev:4;)
|
|
# alert tcp $HOME_NET 3100 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR brain wiper runtime detection - launch application"; flow:to_client,established; flowbits:isset,BrAin_Wiper_LaunchApplication; content:"Program Launched"; depth:16; reference:url,www.spywareguide.com/product_show.php?id=903; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367; classtype:trojan-activity; sid:7699; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3100 (msg:"MALWARE-BACKDOOR brain wiper runtime detection - launch application - flowbit set"; flow:to_server,established; content:"APP"; flowbits:set,BrAin_Wiper_LaunchApplication; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=903; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068367; classtype:trojan-activity; sid:7698; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hanky panky 1.1 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,hanky_conn2; content:"spas"; depth:4; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077209; classtype:trojan-activity; sid:7697; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR hanky panky 1.1 runtime detection - initial connection - flowbit set 2"; flow:to_server,established; flowbits:isset,hanky_conn1; content:"spas1|3A|"; depth:6; nocase; flowbits:set,hanky_conn2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077209; classtype:trojan-activity; sid:7696; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hanky panky 1.1 runtime detection - initial connection - flowbit set 1"; flow:to_client,established; content:"spass|3A|"; depth:6; nocase; flowbits:set,hanky_conn1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077209; classtype:trojan-activity; sid:7695; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-BACKDOOR exception 1.0 runtime detection - notification"; flow:to_server,established; content:"ip="; nocase; http_uri; content:"port="; nocase; http_uri; content:"id=Exception"; nocase; http_uri; content:"ver=Exception"; nocase; http_uri; content:"pass="; nocase; http_uri; content:"os="; nocase; http_uri; content:"conn="; nocase; http_uri; content:"cpu="; nocase; http_uri; content:"user="; nocase; http_uri; metadata:service http; reference:url,www.megasecurity.org/trojans/e/exception/Exception1.0b1.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077099; classtype:trojan-activity; sid:7692; rev:7;)
|
|
# alert tcp $EXTERNAL_NET 9999 -> $HOME_NET any (msg:"MALWARE-BACKDOOR evade runtime detection - file manager"; flow:to_client,established; flowbits:isset,Evade_File_Manager1; content:"FRESH +"; reference:url,www.megasecurity.org/trojans/e/evade/Evade1.1b.html; classtype:trojan-activity; sid:7691; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 9999 (msg:"MALWARE-BACKDOOR evade runtime detection - file manager - flowbit set"; flow:to_server,established; content:"DRIVECHANGE +"; flowbits:set,Evade_File_Manager1; flowbits:noalert; reference:url,www.megasecurity.org/trojans/e/evade/Evade1.1b.html; classtype:trojan-activity; sid:7690; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR evade runtime detection - initial connection"; flow:to_server,established; content:"IDENTIFY"; depth:8; pcre:"/^IDENTIFY\s+\x23\s+\d+\x2E\d+\x2E\d+\x2E\d+\s+\x23\s+/"; reference:url,www.megasecurity.org/trojans/e/evade/Evade1.1b.html; classtype:trojan-activity; sid:7689; rev:5;)
|
|
# alert tcp $EXTERNAL_NET 5024 -> $HOME_NET any (msg:"MALWARE-BACKDOOR illusion runtime detection - file browser server-to-client"; flow:to_client,established; flowbits:isset,Illusion_File; content:"[DRIVE"; nocase; content:"LIST]"; nocase; pcre:"/\x5BDRIVE\s+LIST\x5D/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268; classtype:trojan-activity; sid:7688; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5024 (msg:"MALWARE-BACKDOOR illusion runtime detection - file browser client-to-server"; flow:to_server,established; content:"[LOAD DRIVE DATA]"; flowbits:set,Illusion_File; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268; classtype:trojan-activity; sid:7687; rev:4;)
|
|
# alert tcp $EXTERNAL_NET 5024 -> $HOME_NET any (msg:"MALWARE-BACKDOOR illusion runtime detection - get remote info server-to-client"; flow:to_client,established; flowbits:isset,Illusion_Info; content:"023"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268; classtype:trojan-activity; sid:7686; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5024 (msg:"MALWARE-BACKDOOR illusion runtime detection - get remote info client-to-server"; flow:to_server,established; content:"104"; depth:3; flowbits:set,Illusion_Info; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077268; classtype:trojan-activity; sid:7685; rev:4;)
|
|
# alert tcp $HOME_NET 567 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hrat 1.0 runtime detection"; flow:to_client,established; content:"hRat"; depth:4; nocase; content:"are"; distance:0; nocase; content:"ready"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"version"; distance:0; nocase; pcre:"/^hRat\s+are\s+ready\s+-\>\s+Server\s+version/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073815; classtype:trojan-activity; sid:7684; rev:6;)
|
|
# alert tcp $HOME_NET 12345 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR acid head 1.00 runtime detection"; flow:to_client,established; flowbits:isset,acid_head_conn_step1; content:"1.6"; depth:3; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=71371; classtype:trojan-activity; sid:7683; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"MALWARE-BACKDOOR acid head 1.00 runtime detection - flowbit set"; flow:to_server,established; content:"TROJAN"; depth:6; nocase; flowbits:set,acid_head_conn_step1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=71371; classtype:trojan-activity; sid:7682; rev:4;)
|
|
# alert tcp $HOME_NET 11977 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cool remote control 1.12 runtime detection - download file"; flow:to_client,established; flowbits:isset,CoolRemoteControl_Download.1; content:"|7C|FILESIZE|7C|"; nocase; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7681; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11977 (msg:"MALWARE-BACKDOOR cool remote control 1.12 runtime detection - download file - flowbit set"; flow:to_server,established; content:"|7C|GETFILE|7C|"; nocase; flowbits:set,CoolRemoteControl_Download.1; flowbits:noalert; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7680; rev:4;)
|
|
# alert tcp $HOME_NET 11977 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cool remote control 1.12 runtime detection - upload file"; flow:to_client,established; flowbits:isset,CoolRemoteControl_upload; content:"|7C|COMPLETEPUTFILE|7C|"; nocase; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7679; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 11977 (msg:"MALWARE-BACKDOOR cool remote control 1.12 runtime detection - upload file - flowbit set"; flow:to_server,established; content:"|7C|PUTFILE|7C|"; nocase; flowbits:set,CoolRemoteControl_upload; flowbits:noalert; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7678; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cool remote control or crackdown runtime detection - initial connection"; flow:to_client,established; flowbits:isset,CoolRemoteControl_conn; content:"|7C|DRVS|7C|"; depth:6; nocase; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www.spywareguide.com/product_show.php?id=1495; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7677; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR cool remote control or crackdown runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"|7C|ENUMDRVS|7C|"; depth:10; nocase; flowbits:set,CoolRemoteControl_conn; flowbits:noalert; reference:url,www.megasecurity.org/trojans/c/coolremotecontrol/Coolremotecontrol1.12.html; reference:url,www.spywareguide.com/product_show.php?id=1495; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068314; classtype:trojan-activity; sid:7676; rev:5;)
|
|
# alert tcp $HOME_NET 1001 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remote havoc runtime detection"; flow:to_client,established; flowbits:isset,RemoteHAVOC_conn.2; content:"LIST"; nocase; reference:url,www.megasecurity.org/trojans/r/remotehavoc/Remotehavoc3.0.1.html; reference:url,www.spywareguide.com/product_show.php?id=863; classtype:trojan-activity; sid:7675; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1001 (msg:"MALWARE-BACKDOOR remote havoc runtime detection - flowbit set 2"; flow:to_server,established; flowbits:isset,RemoteHAVOC_conn.1; content:"REFR"; depth:4; flowbits:set,RemoteHAVOC_conn.2; flowbits:noalert; reference:url,www.megasecurity.org/trojans/r/remotehavoc/Remotehavoc3.0.1.html; reference:url,www.spywareguide.com/product_show.php?id=863; classtype:trojan-activity; sid:7674; rev:4;)
|
|
# alert tcp $HOME_NET 1001 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remote havoc runtime detection - flowbit set 1"; flow:to_client,established; content:"CONN"; depth:4; nocase; flowbits:set,RemoteHAVOC_conn.1; flowbits:noalert; reference:url,www.megasecurity.org/trojans/r/remotehavoc/Remotehavoc3.0.1.html; reference:url,www.spywareguide.com/product_show.php?id=863; classtype:trojan-activity; sid:7673; rev:6;)
|
|
# alert tcp $HOME_NET 32222 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remoter runtime detection - initial connection"; flow:to_client,established; content:"Connected"; nocase; reference:url,www.megasecurity.org/trojans/r/remoter/Remoter.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=53155; classtype:trojan-activity; sid:7672; rev:6;)
|
|
# alert tcp $HOME_NET 19850 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR digital upload runtime detection - chat"; flow:to_client,established; content:"<chat>"; nocase; content:"</chat>"; nocase; pcre:"/\x3Cchat\x3E[^\r\n]*\x3C\x2Fchat\x3E/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068131; classtype:trojan-activity; sid:7671; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 19850 (msg:"MALWARE-BACKDOOR digital upload runtime detection - initial connection"; flow:to_server,established; content:"<password>"; depth:10; nocase; content:"</password>"; distance:0; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068131; classtype:trojan-activity; sid:7670; rev:5;)
|
|
# alert tcp $HOME_NET 2213 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR screen control 1.0 runtime detection - capture on port 2213"; flow:to_client,established; flowbits:isset,ScreenControl_capture2213; content:"|00|2|00 00|x|9C ED|"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7669; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2213 (msg:"MALWARE-BACKDOOR screen control 1.0 runtime detection - capture on port 2213 - flowbit set"; flow:to_server,established; content:"a"; flowbits:set,ScreenControl_capture2213; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7668; rev:6;)
|
|
# alert tcp $HOME_NET 2208 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR screen control 1.0 runtime detection - capture on port 2208"; flow:to_client,established; flowbits:isset,ScreenControl_conn; content:"/GR"; nocase; pcre:"/\x2FGR\d+\x3B\d+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072468; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7667; rev:7;)
|
|
# alert tcp $HOME_NET 2208 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR screen control 1.0 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,ScreenControl_conn; content:"/LO"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072468; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7665; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2208 (msg:"MALWARE-BACKDOOR screen control 1.0 runtime detection - flowbit set"; flow:to_server,established; content:"/"; depth:1; content:"R"; depth:1; offset:2; nocase; pcre:"/^\x2F[GL]R/smi"; flowbits:set,ScreenControl_conn; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072468; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080930; classtype:trojan-activity; sid:7664; rev:6;)
|
|
# alert tcp $HOME_NET 1784 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR snid x2 v1.2 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,Snid_X2_InitConnection; content:"Snid X2 Server"; depth:14; reference:url,www.spywareguide.com/product_show.php?id=1525; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5567; classtype:trojan-activity; sid:7663; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1784 (msg:"MALWARE-BACKDOOR snid x2 v1.2 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"VER "; depth:4; flowbits:set,Snid_X2_InitConnection; flowbits:noalert; classtype:trojan-activity; sid:7662; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR lan filtrator 1.1 runtime detection - initial connection request"; flow:to_client,established; flowbits:isset,LanFiltrator_InitConnectionRequest; content:"id_id"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=887; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074827; classtype:trojan-activity; sid:7661; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR lan filtrator 1.1 runtime detection - initial connection request - flowbit set"; flow:to_server,established; content:"|B4 AF 29 AE|LANfiltrator|AE 28 AF|`"; depth:20; flowbits:set,LanFiltrator_InitConnectionRequest; flowbits:noalert; classtype:trojan-activity; sid:7660; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR lan filtrator 1.1 runtime detection - sin notification"; flow:to_server,established; content:"pci"; depth:3; content:"|08 08 08 08 08 08 08 08|"; distance:0; reference:url,www.spywareguide.com/product_show.php?id=887; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074827; classtype:trojan-activity; sid:7659; rev:5;)
|
|
# alert tcp $HOME_NET 7777 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR jodeitor 1.1 runtime detection - initial connection"; flow:to_client,established; content:"++Conectado a"; depth:13; reference:url,www.spywareguide.com/product_show.php?id=675; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077303; classtype:trojan-activity; sid:7658; rev:6;)
|
|
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR small uploader 1.01 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,smalluploader_conn; content:"Pass-On"; depth:7; nocase; classtype:trojan-activity; sid:7651; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"MALWARE-BACKDOOR small uploader 1.01 runtime detection - initial connection - flowbit set"; flow:to_server,established; content:"Pass-On"; depth:7; nocase; flowbits:set,smalluploader_conn; flowbits:noalert; classtype:trojan-activity; sid:7650; rev:6;)
|
|
# alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"MALWARE-BACKDOOR minicom lite runtime detection - server-to-client"; flow:to_client,established; flowbits:isset,MinicomLite; content:"|04 03 02 01|"; depth:4; nocase; reference:url,www.megasecurity.org/trojans/m/minicom/Minicom4.5.html; reference:url,www.spywareguide.com/product_show.php?id=910; classtype:trojan-activity; sid:7649; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-BACKDOOR minicom lite runtime detection - client-to-server"; flow:to_server,established; content:"|04 03 02 01|"; depth:4; nocase; flowbits:set,MinicomLite; flowbits:noalert; reference:url,www.megasecurity.org/trojans/m/minicom/Minicom4.5.html; reference:url,www.spywareguide.com/product_show.php?id=910; classtype:trojan-activity; sid:7648; rev:7;)
|
|
# alert udp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"MALWARE-BACKDOOR minicom lite runtime detection - udp"; content:"|04 03 02 01|n|00 00 00|"; depth:8; nocase; reference:url,www.megasecurity.org/trojans/m/minicom/Minicom4.5.html; reference:url,www.spywareguide.com/product_show.php?id=910; classtype:trojan-activity; sid:7647; rev:6;)
|
|
# alert tcp $HOME_NET 667 -> $EXTERNAL_NET 666 (msg:"MALWARE-BACKDOOR snipernet 2.1 runtime detection"; flow:to_client,established; flowbits:isset,snipernet; content:"pingback"; depth:8; nocase; reference:url,www.megasecurity.org/trojans/s/snipernet/Snipernet2.1.html; classtype:trojan-activity; sid:7646; rev:7;)
|
|
# alert tcp $EXTERNAL_NET 666 -> $HOME_NET 667 (msg:"MALWARE-BACKDOOR snipernet 2.1 runtime detection - flowbit set"; flow:to_server,established; content:"cmdping"; depth:7; nocase; flowbits:set,snipernet; flowbits:noalert; reference:url,www.megasecurity.org/trojans/s/snipernet/Snipernet2.1.html; classtype:trojan-activity; sid:7645; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1981 (msg:"MALWARE-BACKDOOR ullysse runtime detection - client-to-server"; flow:to_server,established; content:"L'esclave"; nocase; pcre:"/^\d+L\x27esclave\x09\d+\x09\d+/smi"; reference:url,www.megasecurity.org/trojans/u/ullysse/Ullysse.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075739; classtype:trojan-activity; sid:7644; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netcontrol takeover runtime detection"; flow:to_client,established; content:"answer"; depth:6; nocase; content:"|00 00 00 00 00 00|NetControl.Server"; distance:0; nocase; content:"|22|The"; distance:0; nocase; content:"UNSEEN|22|"; distance:0; nocase; content:"Project"; distance:0; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077485; classtype:trojan-activity; sid:7643; rev:5;)
|
|
# alert tcp $HOME_NET 6116 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR am remote client runtime detection - client response"; flow:to_client,established; flowbits:isset,AM_Remote_Client; content:"|35 01 02|"; depth:3; content:"|01 02|Program Files|01 02|"; fast_pattern:only; metadata:impact_flag red; reference:url,www.megasecurity.org/trojans/a/amrc/Amrc1.1.html; classtype:trojan-activity; sid:7642; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6116 (msg:"MALWARE-BACKDOOR am remote client runtime detection - client-to-server"; flow:to_server,established; content:"29|01|C:|5C|"; fast_pattern:only; flowbits:set,AM_Remote_Client; metadata:impact_flag red; reference:url,www.megasecurity.org/trojans/a/amrc/Amrc1.1.html; classtype:trojan-activity; sid:7641; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Exploit.Backdoor ncph runtime detection - initial connection"; flow:to_client,established; content:"xV4|12 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; depth:24; nocase; metadata:impact_flag red; reference:url,en.wikipedia.org/wiki/Network_Crack_Program_Hacker_Group; classtype:trojan-activity; sid:7638; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch processes list"; flow:to_client,established; flowbits:isset,hornet.4; content:"008"; depth:3; reference:url,www.spywareguide.com/product_show.php?id=1667; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7636; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch process list - flowbit set"; flow:to_server,established; content:"008g"; depth:4; dsize:4; flowbits:set,hornet.4; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7635; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hornet 1.0 runtime detection - irc connection"; flow:to_client,established; flowbits:isset,hornet.3; content:"006cb"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1667; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7634; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR hornet 1.0 runtime detection - irc connection - flowbit set"; flow:to_server,established; content:"006cb"; depth:5; flowbits:set,hornet.3; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7633; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info"; flow:to_client,established; flowbits:isset,hornet.2; content:"007Server"; depth:9; reference:url,www.spywareguide.com/product_show.php?id=1667; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7632; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR hornet 1.0 runtime detection - fetch system info - flowbit set"; flow:to_server,established; content:"007r"; depth:4; dsize:4; flowbits:set,hornet.2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073228; classtype:trojan-activity; sid:7631; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR helios 3.1 runtime detection - initial connection"; flow:to_client,established; content:"100|8D|"; depth:4; content:"|8D|3.1|8D|1|8F|"; distance:0; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074473; classtype:trojan-activity; sid:7630; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR skyrat show runtime detection - initial connection"; flow:to_client,established; flowbits:isset,skyrat.4; content:"*portok*"; depth:8; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453081105; classtype:trojan-activity; sid:7629; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR skyrat show runtime detection - initial connection - flowbit 4"; flow:to_client,established; flowbits:isset,skyrat.3; content:"*PORT3*"; depth:7; pcre:"/^\x2APORT3\x2A\d+/"; flowbits:set,skyrat.4; flowbits:noalert; classtype:trojan-activity; sid:7628; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR skyrat show runtime detection - initial connection - flowbit 3"; flow:to_client,established; flowbits:isset,skyrat.2; content:"*PORT2*"; depth:7; pcre:"/^\x2APORT2\x2A\d+/"; flowbits:set,skyrat.3; flowbits:noalert; classtype:trojan-activity; sid:7627; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR skyrat show runtime detection - initial connection - flowbit 2"; flow:to_client,established; flowbits:isset,skyrat.1; content:"*PORT1*"; depth:7; pcre:"/^\x2APORT1\x2A\d+/"; flowbits:set,skyrat.2; flowbits:noalert; classtype:trojan-activity; sid:7626; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR skyrat show runtime detection - initial connection - flowbit 1"; flow:to_server,established; content:"*SPORT*"; depth:7; flowbits:set,skyrat.1; flowbits:noalert; classtype:trojan-activity; sid:7625; rev:5;)
|
|
# alert tcp $HOME_NET 7425 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remote control 1.7 runtime detection - data connection"; flow:to_client,established; content:"|19 00 C8 00 01 00|"; depth:6; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080063; classtype:trojan-activity; sid:7624; rev:8;)
|
|
# alert tcp $HOME_NET 7424 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remote control 1.7 runtime detection - connection request"; flow:to_client,established; flowbits:isset,remote.control.3; content:"|03 00|"; depth:2; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453080063; classtype:trojan-activity; sid:7623; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7424 (msg:"MALWARE-BACKDOOR remote control 1.7 runtime detection - connection request - flowbit 3"; flow:to_server,established; flowbits:isset,remote.control.2; content:"|1D 00 03 00|"; depth:4; flowbits:set,remote.control.3; flowbits:noalert; classtype:trojan-activity; sid:7622; rev:5;)
|
|
# alert tcp $HOME_NET 7424 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR remote control 1.7 runtime detection - connection request - flowbit 2"; flow:to_client,established; flowbits:isset,remote.control.1; content:"|10 00|"; depth:2; flowbits:set,remote.control.2; flowbits:noalert; classtype:trojan-activity; sid:7621; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7424 (msg:"MALWARE-BACKDOOR remote control 1.7 runtime detection - connection request flowbit 1"; flow:to_server,established; content:"|0C 00 18 00 01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08 01 02 03 04 05 06 07 08|"; depth:28; flowbits:set,remote.control.1; flowbits:noalert; classtype:trojan-activity; sid:7620; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR theef 2.0 runtime detection - connection request with password"; flow:to_client,established; flowbits:isset,theef20.2; content:"|FA CB D9 D9|"; depth:4; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083786; classtype:trojan-activity; sid:7619; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR theef 2.0 runtime detection - connection request with password - flowbit 2"; flow:to_server,established; flowbits:isset,theef20.1; content:"|FA CB D9 D9 EB DE DE D6 9B 98 99|"; depth:11; flowbits:set,theef20.2; flowbits:noalert; classtype:trojan-activity; sid:7618; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR theef 2.0 runtime detection - connection request with password - flowbit 1"; flow:to_client,established; content:"|FA CB D9 D9 DD C5 D8 CE D6|"; depth:9; flowbits:set,theef20.1; flowbits:noalert; classtype:trojan-activity; sid:7617; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR theef 2.0 runtime detection - connection without password"; flow:to_client,established; content:"|FA CB D9 D9 E5 E1 D6|"; depth:7; reference:url,www.spywareguide.com/product_show.php?id=859; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083786; classtype:trojan-activity; sid:7616; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR katux 2.0 runtime detection - chat"; flow:to_client,established; flowbits:isset,katux20.4; content:"000Chat ouvert..."; depth:17; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077310; classtype:trojan-activity; sid:7609; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR katux 2.0 runtime detection - chat - flowbit set"; flow:to_server,established; content:"07415"; depth:5; flowbits:set,katux20.4; flowbits:noalert; classtype:trojan-activity; sid:7608; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR katux 2.0 runtime detection - get system info"; flow:to_client,established; flowbits:isset,katux20.3; content:"001"; depth:3; content:"Version serveur|3A| Katux 2"; distance:0; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077310; classtype:trojan-activity; sid:7607; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR katux 2.0 runtime detection - get system info - flowbit set"; flow:to_server,established; content:"001"; depth:3; flowbits:set,katux20.3; flowbits:noalert; classtype:trojan-activity; sid:7606; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR katux 2.0 runtime detection - screen capture"; flow:to_client,established; flowbits:isset,katux20.2; content:"000Ecran captur|E9|, transfert lanc|E9|..."; depth:36; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077310; classtype:trojan-activity; sid:7605; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR katux 2.0 runtime detection - screen capture - flowbit set"; flow:to_server,established; content:"10040"; depth:5; flowbits:set,katux20.2; flowbits:noalert; classtype:trojan-activity; sid:7604; rev:4;)
|
|
# alert udp $HOME_NET 5888 -> $EXTERNAL_NET 5887 (msg:"MALWARE-BACKDOOR y3k 1.2 runtime detection - init connection 2"; flow:to_client; flowbits:isset,Y3K_InitConnection_2; content:"{}"; depth:2; nocase; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7122; rev:7;)
|
|
# alert udp $EXTERNAL_NET 5887 -> $HOME_NET 5888 (msg:"MALWARE-BACKDOOR y3k 1.2 runtime detection"; flow:to_server; content:"login"; depth:5; nocase; flowbits:set,Y3K_InitConnection_2; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7121; rev:6;)
|
|
# alert udp $HOME_NET 5882 -> $EXTERNAL_NET 5881 (msg:"MALWARE-BACKDOOR y3k 1.2 runtime detection - init connection 1"; flow:to_client; flowbits:isset,Y3K_InitConnection_1; content:"C"; depth:1; nocase; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7120; rev:7;)
|
|
# alert udp $EXTERNAL_NET 5881 -> $HOME_NET 5882 (msg:"MALWARE-BACKDOOR y3k 1.2 runtime detection"; flow:to_server; content:"Y3K"; depth:3; nocase; flowbits:set,Y3K_InitConnection_1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=828; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=33151; classtype:trojan-activity; sid:7119; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR ghost 2.3 runtime detection"; flow:to_client,established; content:"ver|3A|Ghost version "; depth:18; nocase; content:"server"; distance:0; nocase; pcre:"/^ver\x3aGhost\s+version\s+\d+\x2E\d+\s+server/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/g/ghost/Ghost2.3.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=42053; classtype:trojan-activity; sid:7115; rev:6;)
|
|
# alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection"; flow:to_client,established; content:"OK|00|1|00|AF&AY|00|pINg_|00|!|28|c|29 23|"; depth:22; nocase; metadata:impact_flag red; reference:url,virustotal.com/en/file/f946e2faf21d7b2efc461e6a96135c1aa2c465485362f461177bca699366cc1f/analysis/; classtype:trojan-activity; sid:7114; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23476 (msg:"MALWARE-BACKDOOR Win.Trojan.DonaldDick variant inbound connection detection"; flow:to_server,established; content:"1|00|AF&AY|00|pINg_|00|!|28|c|29 23|"; depth:19; nocase; metadata:impact_flag red; reference:url,virustotal.com/en/file/f946e2faf21d7b2efc461e6a96135c1aa2c465485362f461177bca699366cc1f/analysis/; classtype:trojan-activity; sid:7113; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fearless lite 1.01 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.fearless.runtime; content:"Pass-On0"; depth:8; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/f/fearless/Fearless_lite1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078381; classtype:trojan-activity; sid:7112; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR fearless lite 1.01 runtime detection"; flow:to_server,established; content:"Pass-On"; depth:7; nocase; flowbits:set,backdoor.fearless.runtime; flowbits:noalert; reference:url,www.megasecurity.org/trojans/f/fearless/Fearless_lite1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453078381; classtype:trojan-activity; sid:7111; rev:12;)
|
|
alert tcp $HOME_NET 777 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR undetected runtime detection"; flow:to_client,established; content:"STLUdt v3.3 - "; depth:14; nocase; content:"-|28|udt33vic|29|"; distance:0; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/u/undetected/Undetected3.3.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=17265; classtype:trojan-activity; sid:7108; rev:6;)
|
|
# alert tcp $HOME_NET 21554 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR girlfriend runtime detection"; flow:to_client,established; flowbits:isset,GirlFriend.1.35.connection; content:"GirlFriend Server"; depth:17; nocase; pcre:"/^GirlFriend\s+Server\s+\d+\x2E\d+\s+\x2E\s+port\s+\d/smi"; reference:url,www.megasecurity.org/trojans/g/girlfriend/GirlFriend1.35_ms.html; reference:url,www.spywareguide.com/product_show.php?id=834; classtype:trojan-activity; sid:7107; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21554 (msg:"MALWARE-BACKDOOR girlfriend runtime detection"; flow:to_server,established; content:"ver"; depth:3; nocase; flowbits:set,GirlFriend.1.35.connection; flowbits:noalert; reference:url,www.megasecurity.org/trojans/g/girlfriend/GirlFriend1.35_ms.html; reference:url,www.spywareguide.com/product_show.php?id=834; classtype:trojan-activity; sid:7106; rev:4;)
|
|
alert tcp $HOME_NET 30029 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR aol admin runtime detection"; flow:to_client,established; content:"AOL Admin Server 1.1 By CHeeSeR"; depth:31; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/a/aoladmin/Aoladmin1.1.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=313; classtype:trojan-activity; sid:7105; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 30029 (msg:"MALWARE-BACKDOOR aol admin runtime detection"; flow:to_server,established; content:"INFO"; depth:4; nocase; flowbits:set,AOLAdmin1.1.connection; flowbits:noalert; reference:url,www.megasecurity.org/trojans/a/aoladmin/Aoladmin1.1.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=313; classtype:trojan-activity; sid:7104; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR gwboy 0.92 runtime detection"; flow:to_server,established; content:"|01 0A 02|"; depth:3; flowbits:set,GWBoy_InitConnection1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077181; classtype:trojan-activity; sid:7101; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 1480 (msg:"MALWARE-BACKDOOR remote hack 1.5 runtime detection - start keylogger"; flow:to_server,established; content:"kstart|7C|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.spywareguide.com/product_show.php?id=1523; classtype:trojan-activity; sid:7099; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 1480 (msg:"MALWARE-BACKDOOR remote hack 1.5 runtime detection - get password"; flow:to_server,established; content:"catasenha|7C|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1523; classtype:trojan-activity; sid:7098; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 1480 (msg:"MALWARE-BACKDOOR remote hack 1.5 runtime detection - execute file"; flow:to_server,established; content:"executafile|7C|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1523; classtype:trojan-activity; sid:7097; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 1480 (msg:"MALWARE-BACKDOOR remote hack 1.5 runtime detection - logon"; flow:to_server,established; content:"logon|7C|"; depth:6; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.spywareguide.com/product_show.php?id=1523; classtype:trojan-activity; sid:7096; rev:5;)
|
|
alert tcp $HOME_NET 5555 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR serveme runtime detection"; flow:to_client,established; content:"ServeMe 1.x"; depth:11; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:url,www.megasecurity.org/trojans/s/serveme/Serveme.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453081036; classtype:trojan-activity; sid:7091; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR sinique 1.0 runtime detection - initial connection with wrong password server-to-client"; flow:to_client,established; flowbits:isset,sinique_initial_wrg_client-to-server; content:"|B8 9B 93 9D 9A B2 95 9D 98 91 90|"; depth:11; reference:url,www.megasecurity.org/trojans/s/sinique/Sinique1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730; classtype:trojan-activity; sid:7090; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR sinique 1.0 runtime detection - initial connection with wrong password -client-to-server"; flow:to_server,established; content:"|B8 9B 93 9D 9A A2 91 86 9D 92 8D 88|"; depth:12; flowbits:set,sinique_initial_wrg_client-to-server; flowbits:noalert; reference:url,www.megasecurity.org/trojans/s/sinique/Sinique1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730; classtype:trojan-activity; sid:7089; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR sinique 1.0 runtime detection - initial connection with correct password server-to-client"; flow:to_client,established; flowbits:isset,sinique_initial_crt_client-to-server; content:"|B8 9B 93 9D 9A A2 91 86 9D 92 9D 91 90|"; depth:13; reference:url,www.megasecurity.org/trojans/s/sinique/Sinique1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730; classtype:trojan-activity; sid:7088; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR sinique 1.0 runtime detection - initial connection with correct password client-to-server"; flow:to_server,established; content:"|B8 9B 93 9D 9A A2 91 86 9D 92 8D 88|"; depth:12; flowbits:set,sinique_initial_crt_client-to-server; flowbits:noalert; reference:url,www.megasecurity.org/trojans/s/sinique/Sinique1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077730; classtype:trojan-activity; sid:7087; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR erazer v1.1 runtime detection - init connection"; flow:to_server,established; flowbits:isset,Erazer_InitConnection; content:"000Ok"; depth:5; nocase; content:"echter"; distance:0; nocase; content:"server"; distance:0; nocase; pcre:"/^000Ok\s+echter\s+server\s+\?/smi"; reference:url,www.megasecurity.org/trojans/e/erazer/Erazer1.1.html; classtype:trojan-activity; sid:7086; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR erazer v1.1 runtime detection"; flow:to_client,established; content:"000, Checking..."; depth:16; nocase; flowbits:set,Erazer_InitConnection; flowbits:noalert; reference:url,www.megasecurity.org/trojans/e/erazer/Erazer1.1.html; classtype:trojan-activity; sid:7085; rev:6;)
|
|
# alert tcp $EXTERNAL_NET 62358 -> $HOME_NET any (msg:"MALWARE-BACKDOOR erazer v1.1 runtime detection - sin notification"; flow:to_client,established; content:"Erazer"; depth:6; nocase; content:"SIN"; distance:0; nocase; content:"Server"; distance:0; nocase; pcre:"/^Erazer\s+SIN\s+Server/smi"; reference:url,www.megasecurity.org/trojans/e/erazer/Erazer1.1.html; classtype:trojan-activity; sid:7084; rev:7;)
|
|
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR mosucker3.0 runtime detection - server-to-client1"; flow:to_client,established; flowbits:isset,MoSucker3_0; content:"KEY="; depth:4; nocase; content:"PASSW="; distance:0; nocase; reference:url,www.spywareguide.com/product_show.php?id=1306; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083782; classtype:trojan-activity; sid:7083; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"MALWARE-BACKDOOR mosucker3.0 runtime detection - client-to-server"; flow:to_server,established; content:"KEY="; depth:4; nocase; content:"Nickname="; distance:0; nocase; pcre:"/^KEY=[^\s]*\s+Nickname=/smi"; flowbits:set,MoSucker3_0; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1306; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083782; classtype:trojan-activity; sid:7082; rev:6;)
|
|
# alert tcp $EXTERNAL_NET 10015 -> $HOME_NET any (msg:"MALWARE-BACKDOOR up and run v1.0 beta runtime detection"; flow:to_client,established; flowbits:isset,up_run_3; content:"EOF"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330; classtype:trojan-activity; sid:7081; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 10015 (msg:"MALWARE-BACKDOOR up and run v1.0 beta runtime detection flowbit 3"; flow:to_server,established; flowbits:isset,up_run_2; content:"NEXT"; nocase; flowbits:set,up_run_3; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330; classtype:trojan-activity; sid:7080; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 10015 (msg:"MALWARE-BACKDOOR up and run v1.0 beta runtime detection flowbit 2"; flow:to_server,established; flowbits:isset,up_run_1; content:"NEXT"; depth:4; nocase; flowbits:set,up_run_2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330; classtype:trojan-activity; sid:7079; rev:5;)
|
|
# alert tcp $EXTERNAL_NET 10015 -> $HOME_NET any (msg:"MALWARE-BACKDOOR up and run v1.0 beta runtime detection flowbit 1"; flow:to_client,established; content:"BOF"; depth:3; nocase; pcre:"/^BOF[a-z]\x3A\x5C/smi"; flowbits:set,up_run_1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088330; classtype:trojan-activity; sid:7078; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bandook 1.0 runtime detection"; flow:to_server,established; content:"&first& "; depth:8; nocase; reference:url,www.nuclearwinter.us/; classtype:trojan-activity; sid:7075; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fraggle rock 2.0 lite runtime detection - pc info"; flow:to_client,established; flowbits:isset,backdoor.fraggle.rock.2.0.lite.pc.info; content:"info"; depth:4; nocase; content:"Information"; distance:0; nocase; pcre:"/^info\s+Information\s+for/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077120; classtype:trojan-activity; sid:7072; rev:7;)
|
|
# alert udp $HOME_NET 47262 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR delta source 0.5 beta runtime detection - pc info"; flow:to_client; content:"Server"; depth:6; nocase; content:"info|3A|"; distance:0; nocase; content:"Delta"; distance:0; nocase; content:"Source"; distance:0; nocase; pcre:"/^Server\s+info\x3A\x0D\x0ADelta\s+Source\s+v\d+\x2E\d+/smi"; reference:url,www.spywareguide.com/product_show.php?id=840; classtype:trojan-activity; sid:7069; rev:7;)
|
|
# alert udp $HOME_NET 47262 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR delta source 0.5 beta runtime detection - ping"; flow:to_client; content:"Delta"; depth:5; nocase; content:"Source"; distance:0; nocase; pcre:"/^Delta\s+Source\s+\d+\x2E\d+/smi"; reference:url,www.spywareguide.com/product_show.php?id=840; classtype:trojan-activity; sid:7068; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection"; flow:to_server,established; flowbits:isset,backdoor.cybernetic.1.62.rev.conn.2; content:"connect"; depth:7; nocase; reference:url,research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745; classtype:trojan-activity; sid:7067; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection flowbit 1"; flow:to_server,established; flowbits:isset,backdoor.cybernetic.1.62.rev.conn.1; content:"DmInf"; depth:5; nocase; pcre:"/^DmInf\^[^\r\n]*\^\d+\x2E\d+\x2E\d+\x2E\d+\^/smi"; flowbits:set,backdoor.cybernetic.1.62.rev.conn.2; flowbits:unset,backdoor.cybernetic.1.62.rev.conn.1; flowbits:noalert; reference:url,research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745; classtype:trojan-activity; sid:7066; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR cybernetic 1.62 runtime detection - reverse connection flowbit 1"; flow:to_server,established; content:"DmInf"; depth:5; nocase; flowbits:set,backdoor.cybernetic.1.62.rev.conn.1; flowbits:noalert; reference:url,research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745; classtype:trojan-activity; sid:7065; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR cybernetic 1.62 runtime detection - email notification"; flow:to_server,established; content:"from|3A|"; nocase; content:"cyber@yahoo.com"; distance:0; nocase; content:"subject|3A|"; nocase; content:"notification"; distance:0; nocase; pcre:"/^from\x3A[^\r\n]*cyber@yahoo\x2Ecom.*subject\x3A[^\r\n]*notification\d+\x2E\d+\x2E\d+\x2E\d+/smi"; metadata:service smtp; reference:url,research.sunbelt-software.com/threat_display.cfm?name=CyberNetic&threatid=41745; classtype:trojan-activity; sid:7064; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR charon runtime detection - download log flowbit 1"; flow:to_client,established; content:"REQ|7C 24|SYS|24|proc32.dll"; depth:19; nocase; flowbits:set,charon_download_1; flowbits:noalert; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7061; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR charon runtime detection - download file/log"; flow:to_client,established; flowbits:isset,charon_download_2; content:"SEND|7C|"; depth:5; nocase; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7060; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR charon runtime detection - download file/log flowbit 2"; flow:to_server,established; flowbits:isset,charon_download_1; content:"FREQ|7C|"; depth:5; nocase; pcre:"/^FREQ\x7C\d+/smi"; flowbits:set,charon_download_2; flowbits:noalert; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7059; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR charon runtime detection - download file flowbit 1"; flow:to_client,established; content:"REQ|7C|"; depth:4; nocase; pcre:"/^REQ\|[A-Z]\x3A\x5C/smi"; flowbits:set,charon_download_1; flowbits:noalert; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7058; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR charon runtime detection - initial connection"; flow:to_server,established; content:"SI|7C|Server|7C|"; depth:10; nocase; pcre:"/^SI\|Server\|[^\r\n]*\|\d+\x2E\d+\x2E\d+\x2E\d+\|/smi"; reference:url,vil.nai.com/vil/content/v_138997.htm; classtype:trojan-activity; sid:7057; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR omerta 1.3 runtime detection"; flow:to_server,established; flowbits:isset,Omerta_1_3_conn_1; content:"Details|7C|"; depth:8; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.omerta.html; reference:url,www.antivirusprogram.se/virusinfo/Backdoor.Omerta_4852.html; classtype:trojan-activity; sid:6500; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR omerta 1.3 runtime detection"; flow:to_client,established; content:"RequestName|7C|"; depth:12; nocase; flowbits:set,Omerta_1_3_conn_1; flowbits:noalert; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.omerta.html; reference:url,www.antivirusprogram.se/virusinfo/Backdoor.Omerta_4852.html; classtype:trojan-activity; sid:6499; rev:8;)
|
|
# alert tcp $HOME_NET 21554 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR exploiter 1.0 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.exploiter.1.0.conn; content:"Exploiter"; depth:9; nocase; content:"Server"; distance:0; nocase; content:"Port"; distance:0; nocase; pcre:"/^Exploiter\s+Server\s+\d+\x2E\d+\s+\x2E\s+Port\s+\d+/smi"; reference:url,www.spywareguide.com/product_show.php?id=1603; classtype:trojan-activity; sid:6498; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21554 (msg:"MALWARE-BACKDOOR exploiter 1.0 runtime detection"; flow:to_server,established; content:"ver"; depth:3; nocase; flowbits:set,backdoor.exploiter.1.0.conn; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1603; classtype:trojan-activity; sid:6497; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Trickler Backdoor-BAC.gen.e runtime detection - post data"; flow:to_server,established; content:"/dat7.php"; nocase; http_uri; content:"User-Agent|3A|"; nocase; http_header; content:"xpsp2"; nocase; http_header; content:"lifeisfine.org"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3A[^\r\n]*xpsp2-\d+.*Host\x3A[^\r\n]*lifeisfine\x2Eorg/smiH"; metadata:impact_flag red, service http; reference:url,vil.mcafeesecurity.com/vil/content/v_138750.htm; classtype:misc-activity; sid:6493; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Trickler Backdoor-BAC.gen.e runtime detection - notification"; flow:to_server,established; content:"/bsrv.php"; nocase; http_uri; content:"lang="; nocase; http_uri; content:"socksport="; fast_pattern; nocase; http_uri; content:"httpport="; nocase; http_uri; metadata:impact_flag red, service http; reference:url,vil.mcafeesecurity.com/vil/content/v_138750.htm; classtype:misc-activity; sid:6492; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR badrat 1.1 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.badrat.1.1.conn; content:"okpass"; depth:6; nocase; reference:url,www.megasecurity.org/trojans/b/badrat/Badrat1.1.html; classtype:trojan-activity; sid:6476; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR badrat 1.1 runtime detection - flowbit set"; flow:to_server,established; content:"badratpass"; depth:10; nocase; flowbits:set,backdoor.badrat.1.1.conn; flowbits:noalert; reference:url,www.megasecurity.org/trojans/b/badrat/Badrat1.1.html; classtype:trojan-activity; sid:6475; rev:4;)
|
|
# alert tcp $HOME_NET 2115 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bugs runtime detection - file manager server-to-client"; flow:to_client,established; flowbits:isset,Bugs_InitConnection; content:"CURDIR "; nocase; reference:url,www.commodon.com/threat/threat-bugs.htm; classtype:trojan-activity; sid:6473; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2115 (msg:"MALWARE-BACKDOOR bugs runtime detection - file manager client-to-server"; flow:to_server,established; content:"CURDIR|0D|"; depth:7; nocase; flowbits:set,Bugs_InitConnection; flowbits:noalert; reference:url,www.commodon.com/threat/threat-bugs.htm; classtype:trojan-activity; sid:6472; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4125 (msg:"MALWARE-BACKDOOR netangel connection client-to-server"; flow:to_server,established; content:"netangel"; depth:8; nocase; reference:url,megasecurity.org/trojans/n/netangel/Netangel1.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086360; classtype:trojan-activity; sid:6402; rev:5;)
|
|
# alert tcp $HOME_NET 5328 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR snowdoor runtime detection server-to-client"; flow:to_client,established; flowbits:isset,snowdoor_cts; content:"DISK"; depth:4; nocase; pcre:"/^DISK[A-z][0-9]/smi"; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.snowdoor.html; reference:url,www.megasecurity.org/trojans/s/snow/Snow1.3.html; classtype:trojan-activity; sid:6401; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5328 (msg:"MALWARE-BACKDOOR snowdoor runtime detection client-to-server"; flow:to_server,established; content:"DISK"; depth:4; nocase; flowbits:set,snowdoor_cts; flowbits:noalert; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.snowdoor.html; reference:url,www.megasecurity.org/trojans/s/snow/Snow1.3.html; classtype:trojan-activity; sid:6400; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR rad 1.2.3 runtime detection"; flow:to_client,established; content:" rad "; depth:6; nocase; content:" >< "; distance:0; pcre:"/^\s\srad\s\d+\x2E\d+\x2E\d+\s\s\x3E\x3C/smi"; reference:url,www.megasecurity.org/trojans/r/rad/Rad1.2.3.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453072457; classtype:trojan-activity; sid:6399; rev:7;)
|
|
# alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR http rat runtime detection - http"; flow:to_client,established; content:"<html><head><title>HTTP_RAT</title>"; nocase; content:"<h3>z0mbie's HTTP_RAT"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076346; classtype:trojan-activity; sid:6398; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR http rat runtime detection - smtp"; flow:to_server,established; content:"from|3A|"; nocase; content:"HTTP_RAT_"; distance:0; nocase; content:"subject|3A|"; distance:0; nocase; content:"there"; distance:0; nocase; content:"is"; distance:0; nocase; content:"a"; distance:0; nocase; content:"HTTPRAT"; distance:0; nocase; content:"waiting"; distance:0; nocase; content:"4"; distance:0; nocase; content:"u"; distance:0; nocase; content:"on"; distance:0; nocase; pcre:"/^FROM\x3A\s+HTTP_RAT_.*SUBJECT\x3A\s+there\s+is\s+a\s+HTTPRAT\s+waiting\s+4\s+u\s+on/smi"; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076346; classtype:trojan-activity; sid:6397; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR hatredfriend email notification detection"; flow:to_server,established; content:"From|3A|"; nocase; content:"IP"; distance:0; nocase; content:"Contact"; distance:0; nocase; content:"X-Mailer|3A|"; nocase; content:"EBT"; distance:0; nocase; content:"Reporter"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Vic"; distance:0; nocase; content:"Ip"; distance:0; nocase; content:"Addy"; distance:0; nocase; pcre:"/^From\x3A[^\r\n]*IP\s+Contact.*X-Mailer\x3A[^\r\n]*EBT\s+Reporter.*Subject\x3A[^\r\n]*Vic\s+Ip\s+Addy/smi"; metadata:service smtp; reference:url,www.spywareguide.com/product_show.php?id=832; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077215; classtype:trojan-activity; sid:6339; rev:6;)
|
|
# alert tcp $HOME_NET 18713 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hatredfriend file manage command"; flow:to_client,established; flowbits:isset,backdoor.HatredFriend.cts; content:"[DRIVE"; nocase; content:"LIST]"; distance:0; nocase; pcre:"/\[DRIVE\s+LIST\]\d(\x00[a-zA-Z]\x3A(\s+\[.*\])?)+/smi"; reference:url,www.spywareguide.com/product_show.php?id=832; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077215; classtype:trojan-activity; sid:6338; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 18713 (msg:"MALWARE-BACKDOOR hatredfriend file manage command - set flowbit"; flow:to_server,established; content:"[LOAD"; nocase; content:"DRIVE"; distance:0; nocase; content:"DATA]"; distance:0; nocase; pcre:"/^\[LOAD\s+DRIVE\s+DATA\]/smi"; flowbits:set,backdoor.HatredFriend.cts; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=832; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077215; classtype:trojan-activity; sid:6337; rev:4;)
|
|
# alert tcp $HOME_NET 12624 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR buttman v0.9p runtime detection - remote control"; flow:to_client,established; flowbits:isset,buttman.1; content:"|23|+|0D 0A|"; reference:url,www.spywareguide.com/product_show.php?id=684; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453089720; classtype:trojan-activity; sid:6336; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12624 (msg:"MALWARE-BACKDOOR buttman v0.9p runtime detection - remote control - set flowbit"; flow:to_server,established; content:"*?!?"; depth:4; flowbits:set,buttman.1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=684; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453089720; classtype:trojan-activity; sid:6335; rev:6;)
|
|
# alert tcp $HOME_NET 11831 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR backlash runtime detection"; flow:to_client,established; content:"BackLash Server"; depth:15; nocase; reference:url,www.spywareguide.com/product_show.php?id=1376; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076823; classtype:trojan-activity; sid:6334; rev:6;)
|
|
# alert tcp $HOME_NET 2583 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR wincrash 2.0 runtime detection"; flow:to_client,established; content:"WinCrash"; depth:8; nocase; content:"Server"; distance:0; nocase; pcre:"/^WinCrash\s+Server\s+\d+\x2E\d+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084089; classtype:trojan-activity; sid:6333; rev:6;)
|
|
# alert tcp $HOME_NET 1255 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR globalkiller1.0 runtime detection - initial connection"; flow:to_client,established; content:"Conectado"; depth:9; nocase; content:"Yeah!"; distance:0; nocase; pcre:"/^Conectado\s+Yeah\!/smi"; reference:url,www.spywareguide.com/product_show.php?id=1656; classtype:trojan-activity; sid:6332; rev:6;)
|
|
# alert tcp $EXTERNAL_NET 11000 -> $HOME_NET any (msg:"MALWARE-BACKDOOR commando runtime detection - chat server-to-client"; flow:to_client,established; flowbits:isset,Commando; content:"Servidor |3A|"; reference:url,www.megasecurity.org/trojans/c/comando/Comando.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068368; classtype:trojan-activity; sid:6330; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 11000 (msg:"MALWARE-BACKDOOR commando runtime detection - chat client-to-server"; flow:to_server,established; content:"Cliente |3A|"; flowbits:set,Commando; flowbits:noalert; reference:url,www.megasecurity.org/trojans/c/comando/Comando.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068368; classtype:trojan-activity; sid:6329; rev:4;)
|
|
# alert tcp $EXTERNAL_NET 11000 -> $HOME_NET any (msg:"MALWARE-BACKDOOR commando runtime detection - initial connection"; flow:to_client,established; content:"Conectou"; depth:8; reference:url,www.megasecurity.org/trojans/c/comando/Comando.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453068368; classtype:trojan-activity; sid:6328; rev:6;)
|
|
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fucktrojan 1.2 runtime detection - flood"; flow:to_client,established; flowbits:isset,FuckTrojan_flood; content:"Windows"; nocase; content:"Directory"; distance:0; nocase; content:"Flooded"; distance:0; nocase; pcre:"/Windows\s+Directory\s+Flooded/smi"; reference:url,megasecurity.org/trojans/f/fucktrojan/Fucktrojan1.2.html; classtype:trojan-activity; sid:6327; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"MALWARE-BACKDOOR fucktrojan 1.2 runtime detection - flood"; flow:to_server,established; content:"Flood"; nocase; flowbits:set,FuckTrojan_flood; flowbits:noalert; classtype:trojan-activity; sid:6326; rev:4;)
|
|
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fucktrojan 1.2 runtime detection - initial connection"; flow:to_client,established; content:"Connected to Server |3A|-|29|"; depth:23; nocase; reference:url,megasecurity.org/trojans/f/fucktrojan/Fucktrojan1.2.html; classtype:trojan-activity; sid:6325; rev:6;)
|
|
# alert tcp $HOME_NET 47221 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR 3xBackdoor runtime detection"; flow:to_client,established; flowbits:isset,bit.3xBackdoorconnection; content:"Raport|3A| serwer aktywny"; depth:22; nocase; reference:url,www.megasecurity.org/trojans/0_9/3xbackdoor/3xbackdoor.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084228; classtype:trojan-activity; sid:6324; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 47221 (msg:"MALWARE-BACKDOOR 3xBackdoor runtime detection - set flowbit"; flow:to_server,established; content:"&raport"; depth:7; nocase; flowbits:set,bit.3xBackdoorconnection; flowbits:noalert; reference:url,www.megasecurity.org/trojans/0_9/3xbackdoor/3xbackdoor.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084228; classtype:trojan-activity; sid:6323; rev:6;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET 8012 (msg:"MALWARE-BACKDOOR ptakks2.1 runtime detection - command pattern"; flow:to_server; content:",|3A|,j"; nocase; content:"G,o,,y,"; distance:0; nocase; pcre:"/\x2C\x3A\x2C\x6A[^\r\n]*\x47\x2C\x6F\x2C\x2C\x79\x2C/"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079909; classtype:trojan-activity; sid:6322; rev:7;)
|
|
# alert udp $EXTERNAL_NET 8012 -> $HOME_NET any (msg:"MALWARE-BACKDOOR ptakks2.1 runtime detection - keepalive acknowledgement"; flow:to_client; flowbits:isset,PtakkS_Keepalive; content:",jRj,"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079909; classtype:trojan-activity; sid:6321; rev:7;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET 8012 (msg:"MALWARE-BACKDOOR ptakks2.1 runtime detection - keepalive"; flow:to_server; content:"aComprobar"; nocase; content:"si"; distance:0; nocase; content:"esta"; distance:0; nocase; content:"conectadoa"; distance:0; nocase; pcre:"/\x23\x31\x23aComprobar\s+si\s+esta\s+conectadoa\x232\x23\x233\x23\x23f\x23/smi"; flowbits:set,PtakkS_Keepalive; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453079909; classtype:trojan-activity; sid:6320; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR evilftp runtime detection - init connection"; flow:to_client,established; content:"Welcome to EvilFTP |3A 29|"; fast_pattern:only; metadata:impact_flag red; reference:url,www.spywareguide.com/product_show.php?id=965; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1929; classtype:trojan-activity; sid:6319; rev:6;)
|
|
# alert tcp $HOME_NET 623 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR rtb666 runtime detection"; flow:to_client,established; content:"RTB"; depth:3; nocase; content:"666"; distance:0; nocase; content:"Firewall"; distance:0; nocase; content:"Guarded"; distance:0; nocase; content:"Port"; distance:0; nocase; content:"Your"; distance:0; nocase; content:"IP"; distance:0; nocase; content:"is"; distance:0; nocase; pcre:"/^RTB\s+666\s+v\x2E\d+\x2E\d+\x3B\s+Firewall\s+Guarded\s+Port\x2E\s+Your\s+IP\s+is/smi"; reference:url,www.spywareguide.com/product_show.php?id=1501; classtype:trojan-activity; sid:6318; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - file manager response"; flow:to_client,established; flowbits:isset,NetDemon_FileManager; content:"FILESIZE>"; depth:9; pcre:"/^FILESIZE\x3E[^\r\n]*\x3E\d+/sm"; classtype:trojan-activity; sid:6317; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - file manager request"; flow:to_server,established; content:"GETLIST "; depth:8; pcre:"/^GETLIST\s+[^\r\n]*\n/sm"; flowbits:set,NetDemon_FileManager; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6316; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - open browser response"; flow:to_client,established; flowbits:isset,NetDemon_OpenBrowser; content:"browseropened|0A|"; depth:14; classtype:trojan-activity; sid:6315; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - open browser request"; flow:to_server,established; content:"openbrowser "; depth:12; pcre:"/^openbrowser\s+[^\r\n]*\n/sm"; flowbits:set,NetDemon_OpenBrowser; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6314; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - message response"; flow:to_client,established; flowbits:isset,NetDemon_Msg; content:"WAIT|0A|"; depth:5; classtype:trojan-activity; sid:6313; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - message send"; flow:to_server,established; content:"MSG "; depth:4; pcre:"/^MSG\s+[^\r\n]*\n/sm"; flowbits:set,NetDemon_Msg; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6312; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - initial connection - password accepted"; flow:to_client,established; flowbits:isset,NetDemon_Init2; content:"OKPWD|0A|"; depth:6; classtype:trojan-activity; sid:6311; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - initial connection - password send"; flow:to_server,established; flowbits:isset,NetDemon_Init1; content:"PWD "; pcre:"/^PWD\s+[^\r\n]*\n/sm"; flowbits:set,NetDemon_Init2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6310; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR net demon runtime detection - initial connection - password request"; flow:to_client,established; content:"PWD|0A|"; depth:4; flowbits:set,NetDemon_Init1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4029; classtype:trojan-activity; sid:6309; rev:7;)
|
|
# alert tcp $HOME_NET 6660 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR lamespy runtime detection - initial connection"; flow:to_client,established; flowbits:isset,bit.LameSpyInitialconnection; content:"cname|3A|"; depth:6; nocase; content:"Command Sendet"; distance:0; nocase; reference:url,www.spywareguide.com/product_show.php?id=1586; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3370; classtype:trojan-activity; sid:6308; rev:6;)
|
|
# alert tcp $HOME_NET 6660 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR lamespy runtime detection - initial connection - set flowbit"; flow:to_client,established; content:"accept|3A|"; depth:7; nocase; flowbits:set,bit.LameSpyInitialconnection; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1586; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3370; classtype:trojan-activity; sid:6307; rev:5;)
|
|
# alert tcp $HOME_NET 6912 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR shit heep runtime detection"; flow:to_client,established; content:"SHIT-HEEP"; depth:9; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5451; classtype:trojan-activity; sid:6306; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1207 (msg:"MALWARE-BACKDOOR softwar shadowthief runtime detection - initial connection"; flow:to_server,established; flowbits:isset,bit.SoftWARShadowThiefInitialconnection; content:"|01|SoftWAR Client|00|"; depth:18; nocase; reference:url,www.megasecurity.org/trojans/s/softwar/Softwar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=19977; classtype:trojan-activity; sid:6305; rev:6;)
|
|
# alert tcp $HOME_NET 1207 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR softwar shadowthief runtime detection - initial connection - set flowbit"; flow:to_client,established; content:"R|00|SoftWAR Server"; depth:16; nocase; flowbits:set,bit.SoftWARShadowThiefInitialconnection; flowbits:noalert; reference:url,www.megasecurity.org/trojans/s/softwar/Softwar.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=19977; classtype:trojan-activity; sid:6304; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cia runtime detection - initial connection"; flow:to_client,established; flowbits:isset,CIA13_conn; content:"passcorrect|3B|"; nocase; content:"CIA"; distance:0; nocase; pcre:"/^passcorrect\x3B\d+\x3B\d+\x3BCIA/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260; classtype:trojan-activity; sid:6303; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR cia runtime detection - initial connection - set flowbit"; flow:to_server,established; content:"verifyPASS"; depth:10; flowbits:set,CIA13_conn; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260; classtype:trojan-activity; sid:6302; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR cia 1.3 runtime detection - smtp notification"; flow:to_server,established; content:"From|3A|"; nocase; content:"Im"; distance:0; nocase; content:"Online"; distance:0; nocase; content:"<msn@msn.com>"; distance:0; nocase; content:"Subject|3A|"; nocase; content:"Im"; distance:0; nocase; content:"Version|3A|"; distance:0; nocase; content:"CIA"; distance:0; nocase; content:"1.3"; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*Im\s+Online\s+\d+\x2E\d+\x2E\d+\x2E\d+/smi"; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076260; classtype:trojan-activity; sid:6301; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR insurrection 1.1.0 runtime detection - initial connection"; flow:to_server,established; content:"Insurrection1"; depth:13; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076744; classtype:trojan-activity; sid:6299; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR insurrection 1.1.0 runtime detection - reverse connection"; flow:to_server,established; content:"sin"; depth:3; nocase; pcre:"/^sin\d+\x3A[^\r\n]*\x3A\d+\x3A\d+\x3A/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076744; classtype:trojan-activity; sid:6298; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1337 (msg:"MALWARE-BACKDOOR joker ddos v1.0.1 runtime detection - bomb"; flow:to_server,established; flowbits:isset,backdoor.joker.ddos.1.0.conn.2; content:"C2 "; depth:3; nocase; pcre:"/^C2\s\d+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749; classtype:trojan-activity; sid:6295; rev:5;)
|
|
# alert tcp $HOME_NET 1337 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR joker ddos v1.0.1 runtime detection - bomb - second flowbit"; flow:to_client,established; flowbits:isset,backdoor.joker.ddos.1.0.conn.1; content:"M1 "; depth:3; nocase; pcre:"/^M1\s\d+\x2E\d+\x2E\d+\x2E\d+/smi"; flowbits:set,backdoor.joker.ddos.1.0.conn.2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749; classtype:trojan-activity; sid:6294; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1337 (msg:"MALWARE-BACKDOOR joker ddos v1.0.1 runtime detection - bomb - initial flowbit"; flow:to_server,established; content:"C1 "; depth:3; nocase; pcre:"/^C1\s\d+\x2E\d+\x2E\d+\x2E\d+/smi"; flowbits:set,backdoor.joker.ddos.1.0.conn.1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749; classtype:trojan-activity; sid:6293; rev:5;)
|
|
# alert tcp $HOME_NET 1337 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR joker ddos v1.0.1 runtime detection - initial connection"; flow:to_client,established; content:"MV 1.0"; depth:6; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076749; classtype:trojan-activity; sid:6292; rev:6;)
|
|
# alert tcp $HOME_NET 7306 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netspy runtime detection - command pattern server-to-client"; flow:to_client,established; content:"Netspy Version "; fast_pattern:only; reference:url,virustotal.com/en/file/4901d21e08de53f3c7e0e6015b6a84c144494f6802e8efba2c18acf30a375f34/analysis/; classtype:trojan-activity; sid:6290; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7306 (msg:"MALWARE-BACKDOOR netspy runtime detection - command pattern client-to-server"; flow:to_server,established; content:"Netspy Version"; fast_pattern:only; reference:url,virustotal.com/en/file/4901d21e08de53f3c7e0e6015b6a84c144494f6802e8efba2c18acf30a375f34/analysis/; classtype:trojan-activity; sid:6289; rev:5;)
|
|
# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fictional daemon 4.4 runtime detection - ftp"; flow:to_client,established; content:"We"; nocase; content:"got"; distance:0; nocase; content:"this"; distance:0; nocase; content:"GREAT"; distance:0; nocase; content:"Daemon"; distance:0; nocase; content:"Fictional"; nocase; content:"Daemon"; distance:0; nocase; pcre:"/We\s+got\s+this\s+GREAT\s+Daemon.*Fictional\s+Daemon/smi"; metadata:service ftp; reference:url,www.spywareguide.com/product_show.php?id=1159; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074164; classtype:trojan-activity; sid:6288; rev:7;)
|
|
# alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fictional daemon 4.4 runtime detection - telent"; flow:to_client,established; content:"We"; nocase; content:"got"; distance:0; nocase; content:"this"; distance:0; nocase; content:"GREAT"; distance:0; nocase; content:"Daemon"; distance:0; nocase; content:"Fictional"; nocase; content:"Daemon"; distance:0; nocase; pcre:"/^We\s+got\s+this\s+GREAT\s+Daemon.*Fictional\s+Daemon/smi"; reference:url,www.spywareguide.com/product_show.php?id=1159; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074164; classtype:trojan-activity; sid:6287; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR antilamer 1.1 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.antilamer1.1.conn; content:"024|C2 E5 F0 F1 E8 FF| |F1 E5 F0 E2 E5 F0 E0| - 1.1"; depth:23; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076222; classtype:trojan-activity; sid:6286; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR antilamer 1.1 runtime detection - set flowbit"; flow:to_server,established; content:"024"; depth:3; nocase; flowbits:set,backdoor.antilamer1.1.conn; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076222; classtype:trojan-activity; sid:6285; rev:4;)
|
|
# alert tcp $HOME_NET 57341 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netraider 0.0 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.netraider.0.0.runtime; content:"NSServer-sPISPJ99"; depth:17; nocase; reference:url,www.megasecurity.org/trojans/n/netraider/Netraider0.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3979; classtype:trojan-activity; sid:6181; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 57341 (msg:"MALWARE-BACKDOOR netraider 0.0 runtime detection"; flow:to_server,established; content:"NSClient-sPISPJ99"; depth:17; nocase; flowbits:set,backdoor.netraider.0.0.runtime; flowbits:noalert; reference:url,www.megasecurity.org/trojans/n/netraider/Netraider0.0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3979; classtype:trojan-activity; sid:6180; rev:4;)
|
|
# alert tcp $HOME_NET 5400 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bladerunner 0.80 runtime detection"; flow:to_client,established; content:"Blade Runner"; depth:12; nocase; pcre:"/^Blade\s+Runner\s+ver\s+\d+/smi"; reference:url,www.megasecurity.org/trojans/b/bladerunner/BladeRunner0.80a.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=862; classtype:trojan-activity; sid:6179; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR ultimate destruction runtime detection - kill windows client-to-server"; flow:to_server,established; content:"Killwidows|7C|"; depth:11; nocase; reference:url,www.splintersecurity.com; classtype:trojan-activity; sid:6178; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR ultimate destruction runtime detection - kill process client-to-server"; flow:to_server,established; content:"Killpro|7C|"; depth:8; nocase; reference:url,www.splintersecurity.com; classtype:trojan-activity; sid:6177; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR guptachar 2.0 runtime detection"; flow:to_client,established; content:"Server|3A|"; nocase; content:"Guptachar"; distance:0; nocase; pcre:"/^Server\x3A\s+Guptachar\s+\d+\x2E\d+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073814; classtype:trojan-activity; sid:6176; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"MALWARE-BACKDOOR cookie monster 0.24 runtime detection - kill kernel"; flow:to_server,established; content:"krnlkill|0D 0A|"; depth:10; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262; classtype:trojan-activity; sid:6175; rev:5;)
|
|
# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cookie monster 0.24 runtime detection - file explorer"; flow:to_client,established; flowbits:isset,CookieMonster_FileExplorer; content:"ls|01|.|01|..|01|"; depth:8; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262; classtype:trojan-activity; sid:6174; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"MALWARE-BACKDOOR cookie monster 0.24 runtime detection"; flow:to_server,established; content:"ls|0D 0A|"; depth:4; flowbits:set,CookieMonster_FileExplorer; flowbits:noalert; classtype:trojan-activity; sid:6173; rev:6;)
|
|
# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR cookie monster 0.24 runtime detection - get version info"; flow:to_client,established; flowbits:isset,CookieMonster_GetVersionInfo; content:"Cookie"; content:"Monster"; distance:0; content:"server"; distance:0; content:"engine"; distance:0; pcre:"/Cookie\s+Monster\s+server\s+engine/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084262; classtype:trojan-activity; sid:6172; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"MALWARE-BACKDOOR cookie monster 0.24 runtime detection"; flow:to_server,established; content:"ver|0D 0A|"; depth:5; flowbits:set,CookieMonster_GetVersionInfo; flowbits:noalert; classtype:trojan-activity; sid:6171; rev:4;)
|
|
# alert tcp $HOME_NET 2600 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR digital rootbeer runtime detection"; flow:to_client,established; flowbits:isset,backdoor.digital.rootbeer.conn; content:"/NFO,Registered"; depth:15; nocase; content:"Owner|3A|"; distance:0; nocase; content:"|0D 0A|Current"; distance:0; nocase; content:" user|3A|"; distance:0; nocase; pcre:"/^\x2FNFO\x2CRegistered\s+Owner\x3A\s+[^\r\n]*\x0D\x0ACurrent\s+user\x3A\s+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1641; classtype:trojan-activity; sid:6170; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2600 (msg:"MALWARE-BACKDOOR digital rootbeer runtime detection"; flow:to_server,established; content:"iiiiiiinfo"; depth:10; nocase; flowbits:set,backdoor.digital.rootbeer.conn; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1641; classtype:trojan-activity; sid:6169; rev:4;)
|
|
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR unicorn runtime detection - set wallpaper server-to-client"; flow:to_client,established; flowbits:isset,Unicore_SetWallpaper; content:"Wallpaper Changed"; nocase; reference:url,www.spywareguide.com/product_show.php?id=1506; classtype:trojan-activity; sid:6168; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"MALWARE-BACKDOOR unicorn runtime detection - set wallpaper client-to-server"; flow:to_server,established; content:"WALLPAPER "; depth:10; nocase; flowbits:set,Unicore_SetWallpaper; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1506; classtype:trojan-activity; sid:6167; rev:6;)
|
|
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR unicorn runtime detection - initial connection"; flow:to_client,established; content:"Connected to"; depth:12; nocase; pcre:"/^Connected\s+to\s+[^\r\n]*\x28\d+\.\d+\.\d+\.\d+\x29/smi"; reference:url,www.spywareguide.com/product_show.php?id=1506; classtype:trojan-activity; sid:6166; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR psyrat 1.0 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.psyrat.runtime.detection; content:"PsyRAT_10A"; depth:10; nocase; reference:url,www.megasecurity.org/trojans/p/psyrat/Psyrat1.0.html; classtype:trojan-activity; sid:6165; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR psyrat 1.0 runtime detection"; flow:to_client,established; content:"GOODPWD"; depth:7; nocase; flowbits:set,backdoor.psyrat.runtime.detection; flowbits:noalert; reference:url,www.megasecurity.org/trojans/p/psyrat/Psyrat1.0.html; classtype:trojan-activity; sid:6164; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR furax 1.0 b2 runtime detection"; flow:to_client,established; content:"|03 00 1C 00 00 00 00 00 01|Furax "; depth:15; nocase; content:"Server|00|"; distance:0; pcre:"/^\x03\x00\x1c\x00\x00\x00\x00\x00\x01Furax\s+\d+\.\d+\w+\s+Server\x00/smi"; reference:url,www.megasecurity.org/trojans/f/furax/Furax1.0b2.html; classtype:trojan-activity; sid:6161; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"MALWARE-BACKDOOR delirium of disorder runtime detection - stop keylogger"; flow:to_server,established; content:"stopklog"; depth:8; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.megasecurity.org/trojans/d/deleriumofdisorder/Deleriumofdisorder.html; classtype:trojan-activity; sid:6160; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6071 (msg:"MALWARE-BACKDOOR delirium of disorder runtime detection - enable keylogger"; flow:to_server,established; content:"enableklog"; depth:10; nocase; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.megasecurity.org/trojans/d/deleriumofdisorder/Deleriumofdisorder.html; classtype:trojan-activity; sid:6159; rev:6;)
|
|
# alert udp $HOME_NET 4950 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dirtxt runtime detection - view server-to-client"; flow:to_client; flowbits:isset,Dirtxt_View; content:"view"; depth:4; nocase; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6157; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 4950 (msg:"MALWARE-BACKDOOR dirtxt runtime detection - view client-to-server"; flow:to_server; content:"view"; depth:4; nocase; flowbits:set,Dirtxt_View; flowbits:noalert; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6156; rev:7;)
|
|
# alert udp $HOME_NET 4950 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dirtxt runtime detection - info server-to-client"; flow:to_client; flowbits:isset,Dirtxt_Info; content:"info"; depth:4; nocase; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6155; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 4950 (msg:"MALWARE-BACKDOOR dirtxt runtime detection - info client-to-server"; flow:to_server; content:"info"; depth:4; nocase; flowbits:set,Dirtxt_Info; flowbits:noalert; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6154; rev:7;)
|
|
# alert udp $HOME_NET 4950 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dirtxt runtime detection - chdir server-to-client"; flow:to_client; flowbits:isset,Dirtxt_Chdir; content:"chdir "; depth:6; nocase; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6153; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 4950 (msg:"MALWARE-BACKDOOR dirtxt runtime detection - chdir client-to-server"; flow:to_server; content:"chdir "; depth:6; nocase; flowbits:set,Dirtxt_Chdir; flowbits:noalert; reference:url,www.spywareguide.com/spydet_1396_dirtxt_trojan.html; classtype:trojan-activity; sid:6152; rev:7;)
|
|
# alert tcp $HOME_NET 33812 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR back attack v1.4 runtime detection"; flow:to_client,established; content:" You"; depth:4; nocase; content:"are"; distance:0; nocase; content:"now"; distance:0; nocase; content:"connected"; distance:0; nocase; content:"to"; distance:0; nocase; content:"an"; distance:0; nocase; content:"BackAtTaCk"; distance:0; nocase; content:"server"; distance:0; nocase; pcre:"/You\s+are\s+now\s+connected\s+to\s+an\s+BackAtTaCk\s+server/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453074438; classtype:trojan-activity; sid:6151; rev:6;)
|
|
# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR netcontrol v1.0.8 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.netcontro.1.0.8.conn; content:"con1.08"; depth:7; nocase; reference:url,www.system-help.com/spyware/netcontrol/; classtype:trojan-activity; sid:6150; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6969 (msg:"MALWARE-BACKDOOR netcontrol v1.0.8 runtime detection"; flow:to_server,established; content:"con"; depth:3; nocase; flowbits:set,backdoor.netcontro.1.0.8.conn; flowbits:noalert; reference:url,www.system-help.com/spyware/netcontrol/; classtype:trojan-activity; sid:6149; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR mantis runtime detection - go to address server-to-client"; flow:to_client,established; flowbits:isset,Mantis_GotoAdress; content:"adressgoneto"; depth:12; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6148; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR mantis runtime detection - go to address client-to-server"; flow:to_server,established; content:"gotoadres"; depth:9; nocase; flowbits:set,Mantis_GotoAdress; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6147; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR mantis runtime detection - sent notify option client-to-server 2"; flow:to_server,established; flowbits:isset,Mantis_Notify2; content:"notifsubject"; depth:12; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6146; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR mantis runtime detection - sent notify option server-to-client"; flow:to_client,established; flowbits:isset,Mantis_Notify1; content:"sendsubject"; depth:11; nocase; flowbits:set,Mantis_Notify2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6145; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR mantis runtime detection - sent notify option client-to-server 1"; flow:to_server,established; content:"notifuin"; depth:8; nocase; flowbits:set,Mantis_Notify1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=3648; classtype:trojan-activity; sid:6144; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6666 (msg:"MALWARE-BACKDOOR dark connection inside v1.2 runtime detection"; flow:to_server,established; content:"DCIClient12|0A|"; depth:12; nocase; reference:url,attack.mitre.org/techniques/T1065; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075571; classtype:trojan-activity; sid:6143; rev:6;)
|
|
# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR hellzaddiction v1.0e runtime detection - ftp open"; flow:to_client,established; content:"220 HellzAddiction FTP server."; depth:30; nocase; metadata:service ftp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076338; classtype:trojan-activity; sid:6142; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR hellzaddiction v1.0e runtime detection - init conn"; flow:to_client,established; content:"R_Server"; depth:8; fast_pattern; nocase; content:"version|3A|"; distance:0; nocase; pcre:"/^R_Server\s+version\x3A\d+\x2E\d+[^\r\n]*R\d+\x2E\d+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076338; classtype:trojan-activity; sid:6141; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12566 (msg:"MALWARE-BACKDOOR clindestine 1.0 runtime detection - get system directory"; flow:to_server,established; content:"system"; depth:6; reference:url,www.spywareguide.com/product_show.php?id=1486; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:trojan-activity; sid:6139; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12566 (msg:"MALWARE-BACKDOOR clindestine 1.0 runtime detection - get computer info"; flow:to_server,established; content:"info"; depth:4; reference:url,www.spywareguide.com/product_show.php?id=1486; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:trojan-activity; sid:6138; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12566 (msg:"MALWARE-BACKDOOR clindestine 1.0 runtime detection - capture small screen"; flow:to_server,established; content:"small"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1486; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:trojan-activity; sid:6137; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12566 (msg:"MALWARE-BACKDOOR clindestine 1.0 runtime detection - capture big screen"; flow:to_server,established; content:">>Send Capture"; depth:14; reference:url,www.spywareguide.com/product_show.php?id=1486; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1295; classtype:trojan-activity; sid:6136; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"MALWARE-BACKDOOR chupacabra 1.0 runtime detection - delete file"; flow:to_server,established; content:"delete|5C|"; depth:7; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=21339; classtype:trojan-activity; sid:6134; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"MALWARE-BACKDOOR chupacabra 1.0 runtime detection - send messages"; flow:to_server,established; content:"sndmsg|5C|"; depth:7; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=21339; classtype:trojan-activity; sid:6133; rev:5;)
|
|
# alert tcp $HOME_NET 13473 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR chupacabra 1.0 runtime detection - get user name"; flow:to_client,established; flowbits:isset,Chupacabra_GetUserName; content:"Current"; nocase; content:"User"; distance:0; nocase; content:"Logged"; distance:0; nocase; pcre:"/^Current\s+User\s+Logged\s+on\x3A/"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=21339; classtype:trojan-activity; sid:6132; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"MALWARE-BACKDOOR chupacabra 1.0 runtime detection"; flow:to_server,established; content:"getname"; depth:7; flowbits:set,Chupacabra_GetUserName; flowbits:noalert; classtype:trojan-activity; sid:6131; rev:4;)
|
|
# alert tcp $HOME_NET 13473 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR chupacabra 1.0 runtime detection - get computer name"; flow:to_client,established; flowbits:isset,Chupacabra_GetComputerName; content:"Owner|3A|"; depth:6; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=21339; classtype:trojan-activity; sid:6130; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13473 (msg:"MALWARE-BACKDOOR chupacabra 1.0 runtime detection"; flow:to_server,established; content:"getowner"; depth:8; flowbits:set,Chupacabra_GetComputerName; flowbits:noalert; classtype:trojan-activity; sid:6129; rev:4;)
|
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dkangel runtime detection - icmp echo reply client-to-server"; itype:0; content:"This is made by yyt_hac!"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6128; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"MALWARE-BACKDOOR dkangel runtime detection - udp client-to-server"; flow:to_server; content:"This is made by yyt_hac!"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6127; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR dkangel runtime detection - smtp"; flow:to_server,established; flowbits:isset,DKangel_Email; content:"yyt_hac"; nocase; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6126; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR dkangel runtime detection - smtp"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"|BA DA B0 B5 CC EC CA B9| 2.41 "; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*2\x2E41/smi"; flowbits:set,DKangel_Email; flowbits:noalert; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076278; classtype:trojan-activity; sid:6125; rev:6;)
|
|
# alert udp $HOME_NET 10666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR ambush 1.0 runtime detection - ping server-to-client"; flow:to_client; flowbits:isset,Ambush_Ping; content:"=======>> AMBUSH v"; depth:18; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=238; classtype:trojan-activity; sid:6124; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 10666 (msg:"MALWARE-BACKDOOR ambush 1.0 runtime detection - ping client-to-server"; flow:to_server; content:"10"; depth:2; nocase; flowbits:set,Ambush_Ping; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=238; classtype:trojan-activity; sid:6123; rev:7;)
|
|
# alert tcp $EXTERNAL_NET 20001 -> $HOME_NET any (msg:"MALWARE-BACKDOOR millenium v1.0 runtime detection"; flow:to_client,established; content:"Millenium 1.0"; fast_pattern:only; dsize:13; reference:url,virustotal.com/en/file/75d1e57605ab02111590b5176aacaf3162910a34853df739fdc3be2ba21d392d/analysis/; classtype:trojan-activity; sid:6122; rev:6;)
|
|
# alert tcp $HOME_NET 1023 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR net runner runtime detection - download file server-to-client"; flow:to_client,established; flowbits:isset,NetRunner_Download_File; content:"|08|New File File"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6121; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1023 (msg:"MALWARE-BACKDOOR net runner runtime detection - download file client-to-server"; flow:to_server,established; content:"|0D|Download File"; depth:14; nocase; flowbits:set,NetRunner_Download_File; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6120; rev:6;)
|
|
# alert tcp $HOME_NET 1023 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR net runner runtime detection - initial connection server-to-client"; flow:to_client,established; flowbits:isset,NetRunner_Init_Connection; content:"|0F|New Resoltutione"; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6119; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1023 (msg:"MALWARE-BACKDOOR net runner runtime detection - initial connection client-to-server"; flow:to_server,established; content:"|0E|Get Resolution"; depth:15; nocase; flowbits:set,NetRunner_Init_Connection; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077503; classtype:trojan-activity; sid:6118; rev:6;)
|
|
# alert tcp $HOME_NET 50766 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fore v1.0 beta runtime detection - init conn"; flow:to_client,established; flowbits:isset,back.fore.v1.0.conn.1; content:"access ok "; depth:10; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086922; classtype:trojan-activity; sid:6117; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 50766 (msg:"MALWARE-BACKDOOR fore v1.0 beta runtime detection - init conn"; flow:to_server,established; content:"access flatboost6302"; depth:20; nocase; flowbits:set,back.fore.v1.0.conn.1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086922; classtype:trojan-activity; sid:6116; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR optix 1.32 runtime detection - email notification"; flow:to_server,established; content:"!!!Optix"; nocase; content:"Pro"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"Online!!!"; distance:0; nocase; pcre:"/^\x21{3}Optix\s+Pro\s+v\d+\x2E\d+\s+Server\s+Online\x21{3}/smi"; metadata:service smtp; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6114; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix 1.32 runtime detection - init conn"; flow:to_client,established; flowbits:isset,back.optix.1.32.conn.2; content:"001|AC|Optix"; depth:9; nocase; content:"Pro"; distance:0; nocase; content:"Connected"; distance:0; nocase; content:"Successfully!"; distance:0; nocase; pcre:"/^001\xACOptix\s+Pro\s+v\d+\x2E\d+\s+Connected\s+Successfully\x21/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6113; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR optix 1.32 runtime detection - init conn"; flow:to_server,established; flowbits:isset,back.optix.1.32.conn.1; content:"022|AC|"; depth:4; nocase; flowbits:set,back.optix.1.32.conn.2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6112; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optix 1.32 runtime detection - init conn"; flow:to_client,established; content:" |0D 0A|"; depth:3; nocase; flowbits:set,back.optix.1.32.conn.1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453085748; classtype:trojan-activity; sid:6111; rev:6;)
|
|
# alert tcp $HOME_NET 9999 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR forced entry v1.1 beta runtime detection"; flow:to_client,established; content:"ForCed"; depth:6; nocase; content:"EnTrY"; distance:0; nocase; content:"|0D 0A 0D 0A 0D 0A|Connection"; distance:0; nocase; content:" Stable"; distance:0; nocase; pcre:"/^ForCed\s+EnTrY\s+\d+\x2E\d+\x2E\d+\x0D\x0A\x0D\x0A\x0D\x0AConnection\s+Stable/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=2160; classtype:trojan-activity; sid:6110; rev:6;)
|
|
# alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dagger v1.1.40 runtime detection"; flow:to_client,established; flowbits:isset,backdoor.dagger.1.1.40.conn; content:"|07 00 00 00 03 00 00 00|Yes"; depth:11; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1641; classtype:trojan-activity; sid:6109; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2589 (msg:"MALWARE-BACKDOOR dagger v1.1.40 runtime detection"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:15; nocase; flowbits:set,backdoor.dagger.1.1.40.conn; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=1477; classtype:trojan-activity; sid:6108; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR backage 3.1 runtime detection"; flow:to_server,established; content:"ExecuteUnloadAll"; depth:16; nocase; reference:url,www.spywareguide.com/product_show.php?id=1186; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=698; classtype:trojan-activity; sid:6107; rev:6;)
|
|
# alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection - download file"; flow:to_client; flowbits:isset,Alvgus_DownloadFile; content:"tfTransferring"; depth:14; nocase; content:"file"; distance:0; nocase; content:"from"; distance:0; nocase; pcre:"/^tfTransferring\s+file\s+from\x3A/smi"; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6106; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"tf"; depth:2; nocase; flowbits:set,Alvgus_DownloadFile; flowbits:noalert; classtype:trojan-activity; sid:6105; rev:5;)
|
|
# alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection - upload file"; flow:to_client; flowbits:isset,Alvgus_UploadFile; content:"ttTransferring"; depth:14; nocase; content:"file"; distance:0; nocase; content:"to"; distance:0; nocase; pcre:"/^ttTransferring\s+file\s+to\x3A/smi"; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6104; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"tt"; depth:2; nocase; flowbits:set,Alvgus_UploadFile; flowbits:noalert; classtype:trojan-activity; sid:6103; rev:5;)
|
|
# alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection - execute command"; flow:to_client; flowbits:isset,Alvgus_ExecuteCommand; content:"feExecuting"; depth:11; nocase; content:"program"; distance:0; nocase; pcre:"/^feExecuting\s+program\x3A/smi"; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6102; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"fe"; depth:2; nocase; flowbits:set,Alvgus_ExecuteCommand; flowbits:noalert; classtype:trojan-activity; sid:6101; rev:5;)
|
|
# alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection - view content of directory"; flow:to_client; flowbits:isset,Alvgus_ViewDirectory; content:"diGetting"; depth:9; nocase; content:"content"; distance:0; nocase; content:"directory"; distance:0; nocase; pcre:"/^diGetting\s+content\s+of\s+directory\x3A/smi"; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6100; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"di"; depth:2; nocase; flowbits:set,Alvgus_ViewDirectory; flowbits:noalert; classtype:trojan-activity; sid:6099; rev:5;)
|
|
# alert udp $HOME_NET 27184 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection - check server"; flow:to_client; flowbits:isset,Alvgus_CheckServer; content:"stAlvgus"; depth:8; nocase; content:"Trojan"; distance:0; nocase; content:"Server"; distance:0; nocase; content:"2000"; distance:0; nocase; pcre:"/^stAlvgus\'s\s+Trojan\s+Server\s+2000/smi"; reference:url,www.spywareguide.com/product_show.php?id=1425; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44151; classtype:trojan-activity; sid:6098; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 27184 (msg:"MALWARE-BACKDOOR alvgus 2000 runtime detection"; flow:to_server; content:"st"; depth:2; nocase; flowbits:set,Alvgus_CheckServer; flowbits:noalert; classtype:trojan-activity; sid:6097; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection - get system info"; flow:to_client,established; flowbits:isset,A_Trojan_GetSysInfo; content:"infsy"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6096; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection"; flow:to_server,established; content:"infsy"; depth:5; flowbits:set,A_Trojan_GetSysInfo; flowbits:noalert; classtype:trojan-activity; sid:6095; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection - get drive info"; flow:to_client,established; flowbits:isset,A_Trojan_GetDriveInfo; content:"infdr"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6094; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection"; flow:to_server,established; content:"infdr"; depth:5; flowbits:set,A_Trojan_GetDriveInfo; flowbits:noalert; classtype:trojan-activity; sid:6093; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection - get harddisk info"; flow:to_client,established; flowbits:isset,A_Trojan_GetHarddiskInfo; content:"infhd"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6092; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection"; flow:to_server,established; content:"infhd"; depth:5; flowbits:set,A_Trojan_GetHarddiskInfo; flowbits:noalert; classtype:trojan-activity; sid:6091; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection - get memory info"; flow:to_client,established; flowbits:isset,A_Trojan_GetMemoryInfo; content:"infme"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6090; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection"; flow:to_server,established; content:"infme"; depth:5; flowbits:set,A_Trojan_GetMemoryInfo; flowbits:noalert; classtype:trojan-activity; sid:6089; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection - init connection"; flow:to_server,established; flowbits:isset,A_Trojan_InitConnection; content:"conec"; depth:5; reference:url,www.spywareguide.com/product_show.php?id=1271; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=611; classtype:trojan-activity; sid:6088; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR a trojan 2.0 runtime detection"; flow:to_client,established; content:"resp1Conectado"; depth:14; flowbits:set,A_Trojan_InitConnection; flowbits:noalert; classtype:trojan-activity; sid:6087; rev:5;)
|
|
# alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR autospy runtime detection - make directory"; flow:to_client,established; flowbits:isset,AutoSpy_MakeDirectory; content:"folder created"; depth:14; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6086; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"MALWARE-BACKDOOR autospy runtime detection - make directory"; flow:to_server,established; content:"mkdir"; depth:5; flowbits:set,AutoSpy_MakeDirectory; flowbits:noalert; classtype:trojan-activity; sid:6085; rev:4;)
|
|
# alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR autospy runtime detection - hide taskbar"; flow:to_client,established; flowbits:isset,AutoSpy_HideTaskbar; content:"Taskbar hidden"; depth:14; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6084; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"MALWARE-BACKDOOR autospy runtime detection - hide taskbar"; flow:to_server,established; content:"taskhide"; depth:8; flowbits:set,AutoSpy_HideTaskbar; flowbits:noalert; classtype:trojan-activity; sid:6083; rev:4;)
|
|
# alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR autospy runtime detection - show nude pic"; flow:to_client,established; flowbits:isset,AutoSpy_ShowNudePicture; content:"nude Raider pic"; depth:15; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6082; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"MALWARE-BACKDOOR autospy runtime detection - show nude pic"; flow:to_server,established; content:"nraider"; depth:7; flowbits:set,AutoSpy_ShowNudePicture; flowbits:noalert; classtype:trojan-activity; sid:6081; rev:4;)
|
|
# alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR autospy runtime detection - show autospy"; flow:to_client,established; flowbits:isset,AutoSpy_ShowAutoSpy; content:"autoSpY shown"; depth:13; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6080; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"MALWARE-BACKDOOR autospy runtime detection - show autospy"; flow:to_server,established; content:"frmauto"; depth:7; flowbits:set,AutoSpy_ShowAutoSpy; flowbits:noalert; classtype:trojan-activity; sid:6079; rev:4;)
|
|
# alert tcp $HOME_NET 3505 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR autospy runtime detection - get information"; flow:to_client,established; flowbits:isset,AutoSpy_GetInformation; content:"Product Name"; depth:12; reference:url,www.spywareguide.com/product_show.php?id=1438; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=59685; classtype:trojan-activity; sid:6078; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3505 (msg:"MALWARE-BACKDOOR autospy runtime detection - get information"; flow:to_server,established; content:"info"; depth:4; flowbits:set,AutoSpy_GetInformation; flowbits:noalert; classtype:trojan-activity; sid:6077; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1204 (msg:"MALWARE-BACKDOOR amiboide uploader runtime detection - init connection"; flow:to_server,established; content:"23L'esclave|09|49152|09|65535"; depth:23; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453088579; classtype:trojan-activity; sid:6076; rev:5;)
|
|
# alert tcp $HOME_NET 7648 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR xhx 1.6 runtime detection - initial connection server-to-client"; flow:to_client,established; flowbits:isset,xhx_cts; content:" ["; depth:2; reference:url,www.megasecurity.org/trojans/x/xhx/Xhx1.60.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084140; classtype:trojan-activity; sid:6075; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7648 (msg:"MALWARE-BACKDOOR xhx 1.6 runtime detection - initial connection client-to-server"; flow:to_server,established; content:"UAIIA"; depth:5; nocase; content:"XHX"; distance:0; nocase; content:"YANER"; distance:0; nocase; pcre:"/^UAIIA\s+XHX\s+YANER/smi"; flowbits:set,xhx_cts; flowbits:noalert; reference:url,www.megasecurity.org/trojans/x/xhx/Xhx1.60.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453084140; classtype:trojan-activity; sid:6074; rev:5;)
|
|
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR freak 1.0 runtime detection - initial connection server-to-client"; flow:to_client,established; content:"027FrEaK_ViCTiM"; depth:15; nocase; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6073; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"MALWARE-BACKDOOR freak 1.0 runtime detection - irc notification"; flow:to_server,established; content:"NICK"; nocase; content:"FrEaK_ViCTiM"; distance:0; nocase; pcre:"/^NICK\s+FrEaK_ViCTiM\x0D\x0A/smi"; reference:url,www.megasecurity.org/trojans/f/freak/Freak1.01.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073808; classtype:trojan-activity; sid:6070; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR optixlite 1.0 runtime detection - connection success server-to-client"; flow:to_client,established; content:"password|3B|1|3B|Optix Lite Server Ready"; nocase; reference:url,www.spywareguide.com/product_show.php?id=578; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453086368; classtype:trojan-activity; sid:6066; rev:9;)
|
|
# alert tcp $HOME_NET 21212 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR schwindler 1.82 runtime detection"; flow:to_client,established; flowbits:isset,schwindler; content:"Schwindler"; depth:10 ; nocase; content:"Servidor"; distance:0; nocase; content:"Porta"; distance:0; nocase; pcre:"/Schwindler\s+Servidor\x2E\s+Porta\s+\d+/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5287; classtype:trojan-activity; sid:6064; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21212 (msg:"MALWARE-BACKDOOR schwindler 1.82 runtime detection"; flow:to_server,established; content:"ver"; depth:3; nocase; flowbits:set,schwindler; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5287; classtype:trojan-activity; sid:6063; rev:4;)
|
|
# alert tcp $HOME_NET 831 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR neurotickat1.3 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,neurotickat.2; content:"One"; nocase; content:"more"; distance:0; nocase; content:"step"; distance:0; nocase; content:"until"; distance:0; nocase; content:"connection."; distance:0; nocase; pcre:"/One\s+more\s+step\s+until\s+connection\x2E/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6062; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 831 (msg:"MALWARE-BACKDOOR neurotickat1.3 runtime detection - initial connection"; flow:to_server,established; flowbits:isset,neurotickat.1; content:"FTPON"; nocase; content:"TIME"; distance:0; nocase; pcre:"/FTPON\d+\s+TIME\d+\s+/smi"; flowbits:set,neurotickat.2; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6061; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 831 (msg:"MALWARE-BACKDOOR neurotickat1.3 runtime detection - initial connection"; flow:to_server,established; content:"VER "; depth:4; nocase; flowbits:set,neurotickat.1; flowbits:noalert; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=31859; classtype:trojan-activity; sid:6060; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bifrose 1.1 runtime detection"; flow:to_server,established; flowbits:isset,bifrose.rev_conn.2; content:"|02 00 00 00 90|x"; reference:url,www.spywareguide.com/product_show.php?id=1464; classtype:trojan-activity; sid:6057; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR bifrose 1.1 runtime detection"; flow:to_client,established; flowbits:isset,bifrose.rev_conn.1; content:"|02 00 00 00|4x"; flowbits:set,bifrose.rev_conn.2; flowbits:unset,bifrose.rev_conn.1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1464; classtype:trojan-activity; sid:6056; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR bifrose 1.1 runtime detection"; flow:to_server,established; content:"|00 00 00 91|I|16 1B|e|1C|"; flowbits:set,bifrose.rev_conn.1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1464; classtype:trojan-activity; sid:6055; rev:7;)
|
|
# alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fun factory runtime detection - do script remotely"; flow:to_client,established; flowbits:isset,FunFactory_doscript; content:"100014"; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6054; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8799 (msg:"MALWARE-BACKDOOR fun factory runtime detection - do script remotely"; flow:to_server,established; content:"|AE 86 01 00|"; flowbits:set,FunFactory_doscript; flowbits:noalert; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6053; rev:5;)
|
|
# alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fun factory runtime detection - set volume"; flow:to_client,established; flowbits:isset,FunFactory_volume; content:"100016"; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6052; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8799 (msg:"MALWARE-BACKDOOR fun factory runtime detection - set volume"; flow:to_server,established; content:"|B0 86 01 00 01 00 00 00|0"; flowbits:set,FunFactory_volume; flowbits:noalert; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6051; rev:5;)
|
|
# alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fun factory runtime detection - upload"; flow:to_client,established; flowbits:isset,FunFactory_upload; content:"100011"; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6050; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8799 (msg:"MALWARE-BACKDOOR fun factory runtime detection - upload"; flow:to_server,established; content:"|AB 86 01 00 12 00 00 00|"; flowbits:set,FunFactory_upload; flowbits:noalert; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6049; rev:5;)
|
|
# alert tcp $HOME_NET 8799 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fun factory runtime detection - connect"; flow:to_client,established; flowbits:isset,FunFactory_conn; content:"100013Agentsvr^^Merlin"; nocase; pcre:"/^100013Agentsvr\x5E\x5EMerlin/smi"; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6048; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8799 (msg:"MALWARE-BACKDOOR fun factory runtime detection - connect"; flow:to_server,established; content:"|AD 86 01 00 08 00 00 00|"; content:"1^Merlin"; distance:0; nocase; pcre:"/^\xad\x86\x01\x00\x08\x00\x00\x001\x5EMerlin/smi"; flowbits:set,FunFactory_conn; flowbits:noalert; reference:url,www.2-spyware.com/remove-funfactory-trojan.html; reference:url,www.spywareguide.com/product_show.php?id=1649; classtype:trojan-activity; sid:6047; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,fear_0_2.conn.2; content:"QTAxe1h9e1l9"; fast_pattern:only; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6046; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection"; flow:to_server,established; flowbits:isset,fear_0_2.conn.1; content:"QTAz"; depth:4; nocase; flowbits:set,fear_0_2.conn.2; flowbits:unset,fear_0_2.conn.1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6045; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fear 0.2 runtime detection - initial connection"; flow:to_client,established; content:"QTAze1l9"; depth:8; nocase; flowbits:set,fear_0_2.conn.1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1973; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077106; classtype:trojan-activity; sid:6044; rev:7;)
|
|
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR fade 1.0 runtime detection - enable keylogger"; flow:to_client,established; flowbits:isset,Fade_kl; content:"877110"; depth:6; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076292; classtype:trojan-activity; sid:6041; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"MALWARE-BACKDOOR fade 1.0 runtime detection - enable keylogger"; flow:to_server,established; content:"877110"; depth:6; flowbits:set,Fade_kl; flowbits:noalert; reference:url,attack.mitre.org/techniques/T1056; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453076292; classtype:trojan-activity; sid:6040; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-BACKDOOR netbus 1.7 runtime detection - email notification"; flow:to_server,established; content:"Subject|3A|"; nocase; content:"NetBus"; distance:0; nocase; content:"server"; distance:0; nocase; content:"is"; distance:0; nocase; content:"up"; distance:0; nocase; content:"and"; distance:0; nocase; content:"running"; distance:0; nocase; pcre:"/^Subject\x3A[^\r\n]*NetBus\s+server\s+is\s+up\s+and\s+running/smi"; metadata:service smtp; reference:url,www.2-spyware.com/file-backdoor-netbus-12-exe.html; classtype:trojan-activity; sid:6037; rev:6;)
|
|
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR minicommand runtime detection - initial connection server-to-client"; flow:to_client,established; content:"login_ok"; nocase; content:"MiniCommand"; distance:0; nocase; content:"version"; distance:0; nocase; content:"ready"; distance:0; nocase; content:"for"; distance:0; nocase; content:"action"; distance:0; nocase; pcre:"/^login_ok\x5EMiniCommand\s+version\s+\d+\.\d+\.\d+\s+ready\s+for\s+action\x2E/smi"; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075932; classtype:trojan-activity; sid:6035; rev:10;)
|
|
# alert udp $HOME_NET 18001 -> $EXTERNAL_NET 18000 (msg:"MALWARE-BACKDOOR cyberpaky runtime detection"; content:"H02EXE"; nocase; content:"File"; distance:0; nocase; content:"Name|3A|"; distance:0; nocase; content:"CYBERPAKY"; distance:0; nocase; content:"Operating"; distance:0; nocase; content:"System"; distance:0; nocase; pcre:"/H02EXE\s+File\s+Name\x3A\s+CYBERPAKY\x0D\x0AOperating\s+System/smi"; reference:url,www.2-spyware.com/remove-cyberpaky-trojan.html; reference:url,www.megasecurity.org/trojans/c/cyberpaky/Cyberpaky1.8.html; classtype:trojan-activity; sid:6028; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-BACKDOOR WIN.Trojan.Netshadow runtime detection"; flow:to_server,established; content:"AJust a server"; depth:18; nocase; metadata:impact_flag red; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.netshadow.html; classtype:trojan-activity; sid:6027; rev:5;)
|
|
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dimbus 1.0 runtime detection - get pc info"; flow:to_client,established; content:"DIMBUS"; nocase; content:"Server"; distance:0; nocase; pcre:"/\s{23}DIMBUS\s+Server\s+v\d+\x2E\d+/smi"; reference:url,www.2-spyware.com/remove-dimbus-1-0.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453060480; classtype:trojan-activity; sid:6026; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR tequila bandita 1.2 runtime detection - reverse connection"; flow:to_server,established; content:"|07|LAN|07|Win"; depth:28; nocase; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083232; classtype:trojan-activity; sid:6025; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR nuclear rat v6_21 runtime detection"; flow:to_client,established; content:"|C2 C5 CD C4 FD F9 FF 86 E4 9A F8 FF E5 9B 98 E5 FC E1 FD A9 FC C2 C5 99 C0 A9|"; depth:26; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077717; classtype:trojan-activity; sid:6024; rev:6;)
|
|
# alert tcp $EXTERNAL_NET 4226 -> $HOME_NET any (msg:"MALWARE-BACKDOOR silent spy 2.10 command response port 4226"; flow:to_client,established; content:"+---|7C|"; content:"|7C|---+"; distance:0; pcre:"/\x2B\x2D{3}\x7C[^\r\n]*\x7C\x2D{3}\x2B/smi"; reference:url,www.spywareguide.com/product_show.php?id=1530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073048; classtype:trojan-activity; sid:6022; rev:8;)
|
|
# alert tcp $EXTERNAL_NET 4225 -> $HOME_NET any (msg:"MALWARE-BACKDOOR silent spy 2.10 command response port 4225"; flow:to_client,established; content:"+---|7C|"; content:"|7C|---+"; distance:0; pcre:"/\x2B\x2D{3}\x7C[^\r\n]*\x7C\x2D{3}\x2B/smi"; reference:url,www.spywareguide.com/product_show.php?id=1530; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453073048; classtype:trojan-activity; sid:6021; rev:7;)
|
|
# alert tcp $HOME_NET 800: -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dsk lite 1.0 runtime detection - disconnect"; flow:to_client,established; flowbits:isset,DSK_Lite_1.0_TCP; content:"disconnect"; depth:10; nocase; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6017; rev:7;)
|
|
# alert tcp $HOME_NET 800: -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR dsk lite 1.0 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,DSK_Lite_1.0_TCP; content:"connect|3B|"; depth:8; nocase; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6016; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 800: (msg:"MALWARE-BACKDOOR dsk lite 1.0 runtime detection - initial connection"; flow:to_server,established; content:"verifypass|3B|"; depth:11; nocase; flowbits:set,DSK_Lite_1.0_TCP; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=1554; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453075866; classtype:trojan-activity; sid:6015; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR coolcat runtime connection detection - tcp 3"; flow:to_client,established; flowbits:isset,CoolCat.2; content:"psswd"; fast_pattern; nocase; content:"password"; distance:0; nocase; pcre:"/^psswd((ok\*\-\*Password\s+OK\r\n)|(error\*\-\*Wrong\s+password\r\n))/smi"; reference:url,www.spywareguide.com/product_show.php?id=555; classtype:trojan-activity; sid:6014; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"MALWARE-BACKDOOR coolcat runtime connection detection - tcp 2"; flow:to_server,established; flowbits:isset,CoolCat.1; content:"password |22|"; depth:10; nocase; flowbits:set,CoolCat.2; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=555; classtype:trojan-activity; sid:6013; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR coolcat runtime connection detection - tcp 1"; flow:to_server,established; content:"testforconnection|0D 0A|"; depth:19; nocase; flowbits:set,CoolCat.1; flowbits:noalert; reference:url,www.spywareguide.com/product_show.php?id=555; classtype:trojan-activity; sid:6012; rev:7;)
|
|
# alert tcp $HOME_NET 17499 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Crazzy Net 5.0 connection established"; flow:to_client,established; content:"Crazzynet"; depth:9; classtype:trojan-activity; sid:3636; rev:6;)
|
|
# alert tcp $HOME_NET 23032 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Amanda 2.0 connection established"; flow:to_client,established; content:"Connected To Amanda 2.0"; depth:23; classtype:trojan-activity; sid:3635; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"MALWARE-BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; metadata:ruleset community; classtype:trojan-activity; sid:3155; rev:7;)
|
|
# alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:to_client,established; flowbits:isset,backdoor.y3krat_15.client.response; content:"client"; depth:7; metadata:ruleset community; classtype:misc-activity; sid:3083; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; flowbits:isset,backdoor.y3krat_15.connect; content:"getclient"; depth:9; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3082; rev:13;)
|
|
alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connect"; flow:to_client,established; content:"connected"; depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3081; rev:13;)
|
|
# alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Vampire 1.2 connection confirmation"; flow:to_client,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; metadata:ruleset community; classtype:misc-activity; sid:3064; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"MALWARE-BACKDOOR Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3063; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"MALWARE-BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3009; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; metadata:ruleset community; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"MALWARE-BACKDOOR Remote PC Access connection"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; metadata:ruleset community; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response"; flow:to_client,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; metadata:ruleset community; reference:mcafee,10566; reference:nessus,10409; classtype:trojan-activity; sid:2100; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Doly variant outbound connection attempt"; flow:to_client,established; content:"* Doly trojan v1.5 - Connected."; fast_pattern:only; metadata:impact_flag red, ruleset community, service http; reference:url,virustotal.com/en/file/499446edf3dfd200ebf3df2526cd4d101979e626afcd1860193f71829be23922/; classtype:trojan-activity; sid:1985; rev:8;)
|
|
# alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1984; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120"; flow:to_server; content:"00"; depth:2; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1983; rev:10;)
|
|
# alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1982; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150"; flow:to_server; content:"00"; depth:2; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1981; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection"; flow:to_server; content:"00"; depth:2; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1980; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"MALWARE-BACKDOOR win-trin00 connection attempt"; flow:to_server; content:"png []..Ks l44"; depth:14; metadata:ruleset community; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"MALWARE-BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; metadata:ruleset community; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:11;)
|
|
# alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"MALWARE-BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; metadata:ruleset community; classtype:attempted-recon; sid:614; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; metadata:ruleset community; classtype:misc-activity; sid:220; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; metadata:ruleset community; classtype:misc-activity; sid:219; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; metadata:ruleset community; classtype:attempted-user; sid:218; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; metadata:ruleset community; classtype:attempted-admin; sid:217; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:216; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:215; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:214; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:213; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; metadata:ruleset community; classtype:attempted-admin; sid:212; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; metadata:ruleset community; classtype:attempted-admin; sid:211; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; metadata:ruleset community; classtype:attempted-admin; sid:210; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; metadata:ruleset community; classtype:attempted-admin; sid:209; rev:9;)
|
|
# alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR PhaseZero Server Active on Network"; flow:established,to_client; content:"phAse zero server"; depth:17; nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/p/phasezero/PhaseZero1.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4539; classtype:trojan-activity; sid:208; rev:12;)
|
|
# alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:195; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"MALWARE-BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; metadata:ruleset community; classtype:misc-activity; sid:185; rev:10;)
|
|
# alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; metadata:ruleset community; classtype:misc-activity; sid:163; rev:14;)
|
|
# alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"MALWARE-BACKDOOR Matrix 2.0 Server access"; flow:to_server; content:"logged in"; metadata:ruleset community; classtype:misc-activity; sid:162; rev:10;)
|
|
# alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"MALWARE-BACKDOOR Matrix 2.0 Client connect"; flow:to_server; content:"activate"; metadata:ruleset community; classtype:misc-activity; sid:161; rev:10;)
|
|
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:to_client,established; content:"FTP Port open"; metadata:ruleset community; classtype:misc-activity; sid:158; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; metadata:ruleset community; classtype:misc-activity; sid:157; rev:9;)
|
|
# alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Connection"; flow:established,to_client; content:"c|3A 5C|"; metadata:ruleset community; classtype:misc-activity; sid:152; rev:11;)
|
|
# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR GateCrasher"; flow:established,to_client; content:"GateCrasher"; depth:11; nocase; content:"Server"; distance:0; nocase; content:"On-Line..."; distance:0; nocase; pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+On-Line\x2E\x2E\x2E/smi"; metadata:ruleset community; reference:url,www.spywareguide.com/product_show.php?id=973; classtype:trojan-activity; sid:147; rev:11;)
|
|
# alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR NetSphere access"; flow:established,to_client; content:"NetSphere"; metadata:ruleset community; classtype:trojan-activity; sid:146; rev:13;)
|
|
# alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR HackAttack 1.20 Connect"; flow:established,to_client; content:"host"; metadata:ruleset community; classtype:misc-activity; sid:141; rev:10;)
|
|
# alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"MALWARE-BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; metadata:ruleset community; reference:nessus,11157; classtype:misc-activity; sid:121; rev:14;)
|
|
# alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Doly 2.0 access"; flow:established,to_client; content:"Wtzup Use"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:119; rev:11;)
|
|
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SatansBackdoor.2.0.Beta"; flow:to_client,established; content:"Remote|3A| "; depth:11; nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands"; distance:0; nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:118; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Infector.1.x"; flow:established,to_client; content:"WHATISIT"; depth:9; metadata:impact_flag red, ruleset community; reference:nessus,11157; classtype:misc-activity; sid:117; rev:17;)
|
|
# alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR NetBus Pro 2.0 connection established"; flow:to_client,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; metadata:ruleset community; classtype:trojan-activity; sid:115; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"MALWARE-BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; metadata:ruleset community; classtype:trojan-activity; sid:110; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"MALWARE-BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; metadata:ruleset community; reference:mcafee,98775; classtype:misc-activity; sid:108; rev:11;)
|
|
# alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 58455 (msg:"MALWARE-BACKDOOR Zollard variant outbound connection attempt"; flow:to_server,established; content:".zollard/"; fast_pattern:only; metadata:impact_flag red, ruleset community, service telnet; reference:url,www.deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:28913; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $FTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.Descrantol variant data exfiltration attempt"; flow:to_server,established; dsize:62; content:"STOR fp_"; depth:8; fast_pattern; content:"|2E|bin|0D 0A|"; within:54; pcre:"/STOR\x20fp(_[A-F0-9]{8}){2}[A-F0-9]{8}_[A-F0-9]{4}(_[A-F0-9]{8}){2}\x2ebin\x0d\x0a/smi"; metadata:impact_flag red, policy security-ips drop, service ftp; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/f09a400bf8abb19d57ecc0c34b7fe989b34b43019770216c46ae05bd54da41a3/analysis/; classtype:trojan-activity; sid:29055; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 2533 (msg:"MALWARE-BACKDOOR Win.Trojan.Shatekrat variant initial outbound connection"; flow:to_server,established; content:"|2E|Data|03 00 00 00 04|data|05|image|05|bytes"; fast_pattern:only; content:"|00 00 00|"; content:"102622021F200324"; within:16; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/0c5a5a85ced8c201508d45613330e3909ed99cef90ae15b3695d27928f74407c/analysis/; classtype:trojan-activity; sid:29094; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Trojan.Dremseko outbound username enumeration"; flow:to_server,established; content:"/dbg.php?e="; depth:11; fast_pattern; http_uri; content:"|5C|"; http_raw_uri; content:"%20"; within:33; http_raw_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,virustotal.com/en/file/44024e287dd998921c3901aa4320a59c3a7a50a2ba750d7383ed3b010de165e3/analysis/; classtype:trojan-activity; sid:29874; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR FireCrotch exploit kit backdoor attempt"; flow:to_client,established; file_data; content:"|38 3D 3D 3D 3D 3D 3D 3D 3D 3D 44 7E 7E 7E 7E|"; fast_pattern:only; content:"a gift you say?"; nocase; classtype:misc-activity; sid:30000; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Hikit outbound banner response"; flow:to_client,established; content:"|5D 00 20 00|h|00|i|00|k|00|i|00|t|00|>|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http, service ssl; reference:url,www.virustotal.com/en/file/aa4b2b448a5e246888304be51ef9a65a11a53bab7899bc1b56e4fc20e1b1fd9f/analysis/; classtype:trojan-activity; sid:30948; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR phpMyAdmin server_sync.php backdoor access attempt"; flow:to_server,established; content:"/phpMyAdmin/server_sync.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,55672; reference:cve,2012-5159; reference:url,phpmyadmin.net/home_page/security/PMASA-2012-5.php; classtype:trojan-activity; sid:24256; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Andromeda variant outbound connection"; flow:to_server,established; content:"GET|20|"; depth:4; content:"_W"; distance:0; content:"|2E|"; within:1; distance:6; content:"/publickey/"; distance:0; fast_pattern; content:!"Accept|3A|"; distance:0; content:!"Connection|3A|"; distance:0; content:!"Referer|3A|"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31559; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Andromeda variant outbound connection"; flow:to_client,established; content:"Server|3A| Stalin"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/51b3f93d8ebd83fb01306c8797f50b01d14d2c0c9d861782dcca4b4dfbf80cc3/analysis/; classtype:trojan-activity; sid:31558; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-BACKDOOR Backdoor.Perl.Shellbot outbound communication attempt"; flow:to_server,established; content:"NICK Rizee|7C|RYN|7C|05|7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service irc; reference:url,www.virustotal.com/en/file/519409a4bee3a39e164e9d1b656b8c5d43632039b3023315b48da1578e0f11a6/analysis/; classtype:trojan-activity; sid:31746; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR AlienSpy RAT outbound connection"; flow:to_server,established; flowbits:isset,alienspy.rat; content:"|78 70 00 00|"; depth:4; content:"|1F 8B 08 00 00 00 00 00 00 00|"; within:10; distance:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/d871121a10ca032b03157d38025248545559d2174804ba66165d18358eb98e8e/analysis/; classtype:trojan-activity; sid:32006; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR AlienSpy RAT outbound connection"; flow:to_server,established; dsize:17; content:"|75 72 00|"; depth:3; content:"|02 00 00|"; within:3; distance:11; flowbits:set,alienspy.rat; flowbits:noalert; reference:url,www.virustotal.com/en/file/d871121a10ca032b03157d38025248545559d2174804ba66165d18358eb98e8e/analysis/; classtype:trojan-activity; sid:32005; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Blohi variant outbound connection"; flow:to_server,established; content:"/PostView.nhn?blogId=cjddms52&logNo=130104953765&parentCategoryNo=1"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/efdbb6f54eed70a476a35257e1f61c2867fbc42a7605154a2d5b9061edb56cf3/analysis/; classtype:trojan-activity; sid:32055; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 58273 (msg:"MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection"; flow:to_server,established; content:"IAMYOURGOD"; depth:10; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/382f385fa57ea150393335385dc4e4e68647441914b037b5798a93b013570b53/analysis/; classtype:trojan-activity; sid:32081; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 53629 (msg:"MALWARE-BACKDOOR Linux.Backdoor.Starysu variant inbound connection"; flow:to_server,established; content:"f|75|ckyO"; depth:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/1b28b3256f7de74c1de6a254e3f69c784f8b356a25da024ffee722704056c9bd/analysis/; classtype:trojan-activity; sid:32080; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR PHP IRCBot port bind attempt"; flow:to_server,established; content:"POST"; http_method; content:"port="; depth:5; http_client_body; content:"&bind_pass="; distance:0; content:"&use="; distance:0; content:"&dir="; distance:0; content:"&submit=Bind"; distance:0; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519/analysis/; reference:url,www.virustotal.com/en/file/7bea540bad4f6f9a98d3059e96e6c9f79023f990cc34cb462fcfda43e5b2aa1d/analysis/; classtype:trojan-activity; sid:32249; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR PHP IRCBot file edit attempt"; flow:to_server,established; content:"POST"; http_method; content:"e_name="; depth:7; http_client_body; content:"&cmd=edit_file&dir="; distance:0; fast_pattern; content:"&submit=Edit|2B|file"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519/analysis/; reference:url,www.virustotal.com/en/file/7bea540bad4f6f9a98d3059e96e6c9f79023f990cc34cb462fcfda43e5b2aa1d/analysis/; classtype:trojan-activity; sid:32248; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR PHP IRCBot command execution attempt"; flow:to_server,established; content:"POST"; http_method; content:"cmd="; depth:4; http_client_body; content:"&dir="; distance:0; content:"&submit=Execute"; distance:0; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/59ea6cf16ea06ff47cf0e6a398df2eaec4d329707b8c3201fc63cbf0b7c85519/analysis/; reference:url,www.virustotal.com/en/file/7bea540bad4f6f9a98d3059e96e6c9f79023f990cc34cb462fcfda43e5b2aa1d/analysis/; classtype:trojan-activity; sid:32247; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"Sleepy!@#qaz13402scvsde890"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32918; rev:1;)
|
|
# alert tcp $EXTERNAL_NET [547,8080,133,117,189,159] -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|7B 08 2A 2A|"; offset:17; content:"|08 2A 2A 01 00|"; distance:0; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32917; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 488 (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt"; flow:to_server,established; content:"|65 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32916; rev:1;)
|
|
# alert tcp $EXTERNAL_NET 488 -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|65 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32915; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 67 80 F2 24 88 10|"; fast_pattern:only; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32914; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|4C 4C|"; depth:2; offset:16; content:"|75 14 2A 2A|"; within:4; distance:4; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32913; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 488 (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt"; flow:to_server,established; content:"|60 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32912; rev:1;)
|
|
# alert tcp $EXTERNAL_NET 488 -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|60 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32911; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"MALWARE-BACKDOOR Win.Trojan.lubot download"; flow:to_server,established; file_data; content:"sendraw|28|$IRC_cur_socket, |22|PRIVMSG $printl |3A 03|7-shell"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service smtp; reference:url,www.virustotal.com/en/file/d46d95c0be8b62c195d70a7219e6d6487d9624b21057ff4d9cb107ff9023a808/analysis/; classtype:trojan-activity; sid:33619; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.lubot download"; flow:to_client,established; file_data; content:"sendraw|28|$IRC_cur_socket, |22|PRIVMSG $printl |3A 03|7-shell"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/d46d95c0be8b62c195d70a7219e6d6487d9624b21057ff4d9cb107ff9023a808/analysis/; classtype:trojan-activity; sid:33618; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Speccom variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/word.asp"; http_uri; content:"Mozilla/5.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.1|3B| Trident/6.0)"; fast_pattern:only; http_header; content:"s="; depth:2; http_client_body; content:"&t="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/3d860f8d272b69c11ec582cd550f4ee66876aeef8f845a284a4a7784696887fa/analysis/; classtype:trojan-activity; sid:33823; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection"; flow:established, to_server; dsize:16; content:"|00 00 00 11 C8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/1D6BCF409C85887861D587C8AABFC8C8393EA692FE93C0A6836BE507A7F75985/analysis/; classtype:trojan-activity; sid:34500; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Bimteni variant initial outbound connection"; flow:to_server,established; content:"|E5 E4 F5|"; depth:3; content:"|F5 99 94 9B F5|"; within:50; content:"|E7 E7 E7 E7 E7 E7 E7 E7 E7 E7|"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,www.virustotal.com/en/file/5e40305268587e4735dd6bbe63f1a33a8adc72e9d83ace7566a0aafcfec1982e/analysis/; classtype:trojan-activity; sid:35371; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Nicabown variant outbound connection"; flow:to_server,established; content:"POST /favicon.ico"; fast_pattern:only; content:"|00 55 AA|"; depth:3; http_client_body; content:"|00 C8 00 00|"; depth:4; offset:40; http_client_body; content:"|0A 00 00 00|"; depth:4; offset:172; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/c14d6a75ed9145dc8f3f7f2f14e70751aa26f634a54c342a2ae740a6d6fc5fd0/analysis/; classtype:trojan-activity; sid:35384; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-BACKDOOR Win.Backdoor.Cobrike outbound connection "; flow:to_server,established; content:"Windows PowerShell running as user"; fast_pattern; content:"|0A|Copyright (C) 2015 Microsoft Corporation. All rights reserved.|0A 0A|"; within:150; flowbits:set,backdoor.powershell; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1086; reference:url,virustotal.com/en/file/a3b52cba0783b856f93e593fbaae4fb8bd75b3a6e22426e82f4dbd45bab2bc77/analysis/; classtype:trojan-activity; sid:35770; rev:4;)
|
|
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Cobrike inbound connection "; flow:to_client,established; flowbits:isset,backdoor.powershell; content:"powerfun"; fast_pattern:only; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop; reference:url,attack.mitre.org/techniques/T1086; reference:url,virustotal.com/en/file/a3b52cba0783b856f93e593fbaae4fb8bd75b3a6e22426e82f4dbd45bab2bc77/analysis/; classtype:trojan-activity; sid:35769; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-BACKDOOR Adzok RAT server file download"; flow:to_server,established; file_data; content:"inic$ShutdownHook.classPK"; fast_pattern:only; content:"svd$Mensaje.classPK"; nocase; content:"svd$keyh.classPK"; within:150; nocase; metadata:impact_flag red, service smtp; reference:url,virustotal.com/en/file/a8ba7452c628c379f3e78b795e03f59426f9e8cb07fdd1b8866ea6fb9f093dc4/analysis/; classtype:trojan-activity; sid:37422; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-BACKDOOR Adzok RAT download"; flow:to_server,established; file_data; content:"ManejadorCliente$eventoBotonesKeylogger.classPK"; fast_pattern:only; metadata:impact_flag red, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/a8ba7452c628c379f3e78b795e03f59426f9e8cb07fdd1b8866ea6fb9f093dc4/analysis/; classtype:trojan-activity; sid:37421; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR Adzok RAT initial connection"; flow:to_client; content:"|73 72 00 07|"; depth:4; content:"mensaje"; within:20; content:"dato"; within:20; content:"archivo"; within:20; metadata:impact_flag red; reference:url,virustotal.com/en/file/a8ba7452c628c379f3e78b795e03f59426f9e8cb07fdd1b8866ea6fb9f093dc4/analysis/; classtype:trojan-activity; sid:37420; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR Adzok RAT inbound connection"; flow:to_client; flowbits:isset,adzok.rat; content:"|00 00 00|"; depth:3; content:"|70 70 70|"; within:3; distance:1; content:"|00|"; within:1; distance:1; metadata:impact_flag red; reference:url,virustotal.com/en/file/a8ba7452c628c379f3e78b795e03f59426f9e8cb07fdd1b8866ea6fb9f093dc4/analysis/; classtype:trojan-activity; sid:37419; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-BACKDOOR Adzok RAT inbound connection"; flow:to_client; dsize:6; content:"|73 71 00 7E 00 00|"; depth:6; flowbits:set,adzok.rat; flowbits:noalert; metadata:impact_flag red; reference:url,virustotal.com/en/file/a8ba7452c628c379f3e78b795e03f59426f9e8cb07fdd1b8866ea6fb9f093dc4/analysis/; classtype:trojan-activity; sid:37418; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Adzok RAT server file download"; flow:to_client,established; file_data; content:"inic$ShutdownHook.classPK"; fast_pattern:only; content:"svd$Mensaje.classPK"; nocase; content:"svd$keyh.classPK"; within:150; nocase; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/en/file/a8ba7452c628c379f3e78b795e03f59426f9e8cb07fdd1b8866ea6fb9f093dc4/analysis/; classtype:trojan-activity; sid:37417; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Adzok RAT download"; flow:to_client,established; file_data; content:"ManejadorCliente$eventoBotonesKeylogger.classPK"; fast_pattern:only; metadata:impact_flag red, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/a8ba7452c628c379f3e78b795e03f59426f9e8cb07fdd1b8866ea6fb9f093dc4/analysis/; classtype:trojan-activity; sid:37416; rev:2;)
|
|
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR ReGeorg socks proxy initial connection attempt"; flow:to_client,established; file_data; content:"Georg says, 'All seems fine'"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b97136e3235c1bc9f2005d3253fbc3af5900f8222740cfd85ef5d449cf4ac251/analysis/; classtype:misc-activity; sid:38329; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR ReGeorg socks proxy connection attempt"; flow:to_server,established; content:"cmd=connect"; http_uri; content:"target="; http_uri; content:"port="; http_uri; content:"X-CMD|3A| CONNECT|0D 0A|"; fast_pattern:only; http_header; content:"X-TARGET|3A| "; http_header; content:"X-PORT|3A| "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b97136e3235c1bc9f2005d3253fbc3af5900f8222740cfd85ef5d449cf4ac251/analysis/; classtype:misc-activity; sid:38328; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR ReGeorg proxy read attempt"; flow:to_server,established; content:"cmd=read"; content:"X-CMD|3A| READ|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/b97136e3235c1bc9f2005d3253fbc3af5900f8222740cfd85ef5d449cf4ac251/analysis/; classtype:misc-activity; sid:38327; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/zecmd/zecmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38719; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/x/pwn.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38718; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/tunnel/tunnel.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38717; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/ssvcss/index.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38716; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/shellinvoker/shellinvoker.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38715; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/shel/shel.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38714; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/sh3ll/sh3ll.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38713; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/oss/smd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38712; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/momo/no.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38711; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/mgr/lnx.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38710; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/mela/mela.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38709; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jspshell/index.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38708; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jdev3/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38707; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jdev2/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38706; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jdev/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38705; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jbot/jbot.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38704; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jbossos/jbossos.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38703; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jbossdox/jbossdox.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38702; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jbossdoc/jbossdoc.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38701; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jbossass/jbossass.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38700; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jbossass/index.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38699; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/javadev/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38698; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/is/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38697; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/genesis/genesis.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38696; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/esc/esc/ss.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38695; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/egdus/smd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38694; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/egd/smd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38693; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/eg/smd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38692; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/e/shell.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38691; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/e/e.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38690; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/com/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38689; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/cmd1/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38688; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/cmd/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38687; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/bynazi/cmd.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38686; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/browser/shell.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38685; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/browser/browser/Browser.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38684; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/a/pwn.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:38683; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:"/jexws3/jexws3.jsp?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39059; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:".jsp?ppp="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:39058; rev:1;)
|
|
# alert tcp $EXTERNAL_NET 1099 -> $HOME_NET any (msg:"MALWARE-BACKDOOR HVL Rat inbound command"; flow:to_client,established; content:"|1B 5B 32 4A 1B 5B 34 30 6D 1B 5B|37mHVL RAT Trojan "; fast_pattern:only; metadata:impact_flag red; reference:url,megasecurity.org/trojans/h/hvl_rat/Hvl_rat5.3.0.html; classtype:trojan-activity; sid:43806; rev:1;)
|
|
# alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.DonaldDick variant outbound connection detection"; flow:to_client,established; content:"OK|00|00000096|00|"; fast_pattern:only; metadata:impact_flag red; reference:url,virustotal.com/en/file/f946e2faf21d7b2efc461e6a96135c1aa2c465485362f461177bca699366cc1f/analysis/; classtype:trojan-activity; sid:43943; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-BACKDOOR CobaltStrike inbound beacon download"; flow:to_server; file_data; content:"powershell -nop -exec bypass -EncodedCommand |22|%s|22|"; fast_pattern:only; content:"char c = (i & 0xFF)|3B|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service smtp; reference:url,attack.mitre.org/techniques/T1086; reference:url,colbaltstrike.com; classtype:trojan-activity; sid:45905; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR CobaltStrike inbound beacon download"; flow:to_client; file_data; content:"powershell -nop -exec bypass -EncodedCommand |22|%s|22|"; fast_pattern:only; content:"char c = (i & 0xFF)|3B|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1086; reference:url,colbaltstrike.com; classtype:trojan-activity; sid:45904; rev:2;)
|
|
alert tcp any any -> any any (msg:"MALWARE-BACKDOOR Unix.Malware.Chaos backdoor trigger attempt"; flow:established,to_server; content:"j0DtFt1LTvbIU|00|"; depth:14; isdataat:!0,relative; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop; reference:url,www.virustotal.com/#/file/e9fc1441bb88dd8cc7fcc2e176e53084ccd28f8766a017b3a07474b7e6b72ab9/detection; classtype:trojan-activity; sid:45975; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor file management attempt"; flow:to_server,established; content:"FolderPath="; fast_pattern:only; content:"FolderPath="; nocase; content:"Action="; nocase; content:"Filename="; nocase; content:".jsp"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46291; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP webshell backdoor detected"; flow:to_server,established; content:".jsp?Action="; fast_pattern:only; content:".jsp?Action="; nocase; pcre:"/(&)?Action=(M|F|S|L|D|E|R|K|N|P|d|r|Z|U|n|A|I|s|H|i|T)(&)?/"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service http; classtype:trojan-activity; sid:46290; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-BACKDOOR JSP webshell transfer attempt"; flow:to_server,established; file_data; content:"request.getParameter(|22|LName|22|).equals(username)"; fast_pattern:only; content:".jsp"; nocase; metadata:impact_flag red, policy security-ips drop, service smtp; classtype:trojan-activity; sid:46289; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR JSP webshell transfer attempt"; flow:to_client,established; file_data; content:"request.getParameter(|22|LName|22|).equals(username)"; fast_pattern:only; content:".jsp"; nocase; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:46288; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP Web shell access attempt"; flow:to_server,established; content:".jsp"; http_uri; content:"o=login&pw"; fast_pattern:only; http_client_body; content:"&o=login"; nocase; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,virustotal.com/#/file/17018c4a69f1c99ba547b76ae7844c58016c3fb5886220c383b00d01863f1f1d; classtype:trojan-activity; sid:46369; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR JSP Web shell upload attempt"; flow:to_server,established; content:"savePath = request.getParameter|28 22|savepath"; fast_pattern:only; content:"downFileUrl = request.getParameter|28 22|url"; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,virustotal.com/#/file/17018c4a69f1c99ba547b76ae7844c58016c3fb5886220c383b00d01863f1f1d; classtype:trojan-activity; sid:46368; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Rebhip variant runtime detection"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"x_X_BLOCKMOUSE"; fast_pattern:only; content:"PASS"; content:"UPDAT"; reference:url,www.virustotal.com/#/file/15f8396754898348d0df09c85a304e2359c9102e87e7fed270e10b3814a82a7d/detection; classtype:trojan-activity; sid:48146; rev:1;)
|