""ET TROJAN Win32/Cryptrun.B/MSUpdater C&C traffic 1""
SID: 2014174
Revision: 4
Class Type: trojan-activity
Metadata: created_at 2012_01_31, updated_at 2012_04_03
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: from_client,established
Contents:
- Value: "/search"
- Value: "?h1="
- Value: "&h2="
- Value: "&h3="
- Value: "User-Agent|3a| Mozilla/5.0 (compatible|3B|"
Within:
PCRE:
Special Options:
- http_uri
- fast_pattern
- http_uri
- http_uri
- http_uri
- http_header