Et rule 2025289 - Magic-SigExplorer

""ET TROJAN Backdoor.Elise Style IP Check""

SID: 2025289

Revision: 1

Class Type: trojan-activity

Metadata: affected_product Windows_XP_Vista_7_8_10_Server_32_64_Bit, attack_target Client_Endpoint, created_at 2018_02_01, deployment Perimeter, malware_family elise, performance_impact Moderate, signature_severity Major, updated_at 2018_02_01

Reference:

Link

Protocol: tcp

Source Network: $HOME_NET

Source Port: any

Destination Network: $EXTERNAL_NET

Destination Port: $HTTP_PORTS

Flow: to_server,established

Contents:

Value: "/myip?format=txt"
Value: "Host|3a 20|api.ipaddress.com"
Value: "Mozilla/4.0 (compatible|3b| MSIE 8.0|3b| Windows NT 6.1|3b| Trident/4.0|3b| SLCC2|3b| .NET CLR 2.0.50727|3b| .NET CLR 3.5.30729|3b| .NET CLR 3.0.30729|3b| Media Center PC 6.0|3b| .NET4.0C|3b| .NET4.0E)"

Within:

PCRE: "/^Connection\x3a\x20[^\r\n]+\r\nUser-Agent\x3a\x20[^\r\n]+\r\nHost\x3a\x20[^\r\n]+/H"

Special Options:

http_uri
fast_pattern
http_header
http_header

source