After some discussion it was recognised that the string being searched for in the URI may be randomly generated, so it is not a reliable indicator. It was suggested that the header "User-Agent: Hello 2.0" should be unique enough to capture any usage of this Zeus variant. As a result, I'm releasing Revision 2 of the rules. These two rules should capture any GET or POST request made by the variant leaving the $HOME_NET network.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Pandemiya Trojan - Zeus-based Variant - POST request"; content:"POST"; http_method; nocase; content:"User|2D|Agent|3A 20|Hello|20|2|2E|0"; http_header; nocase; reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; priority:1; sid:4000001; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Pandemiya Trojan - Zeus-based Variant - GET request"; content:"GET"; http_method; nocase; content:"User|2D|Agent|3A 20|Hello|20|2|2E|0"; http_header; nocase; reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants; priority:1; sid:4000002; rev:2;)
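To show what these rules actually match, here is an added Python example (not part of the original post) that decodes the Snort content pattern with its |xx| hex escapes and then applies the two rules' logic to a handful of constructed HTTP requests. The request lines, hostnames and paths are invented for illustration; the rule text is taken from the rules above.

```python
import re

# Snort content pattern copied from the rules above: text outside |...|
# is literal, text inside |...| is whitespace-separated hex byte values.
UA_PATTERN = "User|2D|Agent|3A 20|Hello|20|2|2E|0"

_HEX_RUN = re.compile(r"\|([0-9A-Fa-f\s]+)\|")


def decode_content(pattern: str) -> bytes:
    """Turn a Snort 'content' string into the raw bytes it matches."""
    out = bytearray()
    pos = 0
    for m in _HEX_RUN.finditer(pattern):
        out += pattern[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1).replace(" ", ""))
        pos = m.end()
    out += pattern[pos:].encode("latin-1")
    return bytes(out)


def parse_request(raw: bytes):
    """Split a raw HTTP request into the two buffers the rules inspect:
    the method (http_method) and the header block (http_header).
    The body is deliberately excluded, as http_header does not cover it."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].split(b" ")
    if len(request_line) < 3:
        return None
    return request_line[0], b"\r\n".join(lines[1:])


# sid -> (method content, msg), mirroring the two rules above.
RULES = {
    4000001: (b"POST", "Pandemiya Trojan - Zeus-based Variant - POST request"),
    4000002: (b"GET", "Pandemiya Trojan - Zeus-based Variant - GET request"),
}


def match_rules(raw: bytes) -> list:
    """Return the sids that would fire on this request. Both content
    matches are substring checks with 'nocase', so compare lowercased."""
    parsed = parse_request(raw)
    if parsed is None:
        return []
    method, headers = parsed
    needle = decode_content(UA_PATTERN).lower()
    hits = []
    for sid, (want_method, _msg) in RULES.items():
        if want_method.lower() in method.lower() and needle in headers.lower():
            hits.append(sid)
    return hits


# Constructed sample traffic (hosts and paths are placeholders).
SAMPLE_REQUESTS = {
    "beacon_post": (b"POST /check HTTP/1.1\r\nHost: example.invalid\r\n"
                    b"User-Agent: Hello 2.0\r\nContent-Length: 0\r\n\r\n"),
    # Mixed case: still matches because of 'nocase'.
    "beacon_get_mixed_case": (b"GET /cfg HTTP/1.1\r\nHost: example.invalid\r\n"
                              b"user-agent: hello 2.0\r\n\r\n"),
    "benign_get": (b"GET / HTTP/1.1\r\nHost: example.invalid\r\n"
                   b"User-Agent: Mozilla/5.0\r\n\r\n"),
    # Pattern appears only in the body: http_header does not see it.
    "ua_in_body_only": (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
                        b"User-Agent: Mozilla/5.0\r\n\r\nUser-Agent: Hello 2.0"),
}

if __name__ == "__main__":
    print("pattern decodes to:", decode_content(UA_PATTERN))
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name}: sids {match_rules(req)}")
```

The last sample is the one worth noting when tuning: because the rules anchor the User-Agent match to the http_header buffer, the string occurring anywhere else in the request (URI, body) does not fire them, which keeps the false-positive surface small.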