""ET TROJAN Possible FakeAV Binary Download (Security)""

SID: 2012981

Revision: 3

Class Type: trojan-activity

Metadata: created_at 2011_06_09, updated_at 2017_06_06

Reference:

Protocol: tcp

Source Network: $EXTERNAL_NET

Source Port: $HTTP_PORTS

Destination Network: $HOME_NET

Destination Port: any

Flow: established,to_client

Contents:

  • Value: "filename=|22|"

  • Value: "security"

  • Value: !"ALLOW-FROM www.onecallnow.com"

  • Value: !"Content-Type|3a 20|text/xml"

Within: 50

PCRE: "/filename\x3D\x22[^\r\n]*security[^\n]+.exe/Hi"

Special Options:

  • http_header

  • nocase

  • fast_pattern

  • nocase

  • http_header

  • http_header

  • http_header

source