"ET TROJAN Backdoor.Win32/Etumbot.B Requesting RC4 Key"
SID: 2018552
Revision: 2
Class Type: trojan-activity
Metadata: created_at 2014_06_09, updated_at 2014_06_09
Reference:
Protocol: tcp
Source Network: $HOME_NET
Source Port: any
Destination Network: $EXTERNAL_NET
Destination Port: $HTTP_PORTS
Flow: to_server,established
Contents:
-
Value: "/home/index.asp?typeid="
-
Value: "Referer|3a| http|3a|//www.google.com/|0d 0a|"
Within:
PCRE: "/^\/home\/index.asp\?typeid=(?:1[13]?|[3579])$/Ui"
Special Options:
-
nocase
-
http_uri
-
http_header