""ET TROJAN DDoS.Win32.Agent.bay Covert Channel (VERSONEX and Mr.Black)""

SID: 2017315

Revision: 3

Class Type: trojan-activity

Metadata: created_at 2013_08_12, updated_at 2014_06_20

Reference:

Protocol: ip

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: any

Flow:

Contents:

• Value: "VERSONEX|3a|" Depth: 64

• Value: "Mr.Black"

Within: 50

PCRE:

Special Options:

• fast_pattern

source