""ET TROJAN Possible SKyWIper/Win32.Flame POST""

SID: 2014822

Revision: 6

Class Type: trojan-activity

Metadata: created_at 2012_05_30, updated_at 2014_09_15

Reference:

• Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: to_server,established

Contents:

• Value: "POST"

• Value: "/wp-content/rss.php"

• Value: "UNIQUE_NUMBER=" Depth: 14

• Value: "&PASSWORD="

• Value: "&ACTION="

Within:

PCRE:

Special Options:

• http_method

• nocase

• http_uri

• fast_pattern

• http_client_body

• http_client_body

• http_client_body

source