Neonprimetime

ZeroAccess Encrypted 128-byte POST No Accept Headers 1:26910

Nov 19th, 2015
MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers (1:26910)

****
Blog explaining this : http://neonprimetime.blogspot.com/2015/11/zeroaccess-snort-rule-126910-walk-thru.html
****

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers"; flow:to_server,established; content:"POST"; http_method; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1; content:!"|0D 0A|Accept"; http_header; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:26910; rev:3; )

****
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (compatible; MSIE 8.0;)
Host: search.namequery.com
Connection: Keep-Alive
Cache-Control: no-cache
Content-Length: 128
TagId: 268958596

~............k.....O...
.l.E)q..+B....v..6.G.Z..c.T.C.....0b*!E.....Y....r...&8/Ue..^K....J..Mc[C}]k$.....}^'.Um..y...+...%?M..~

****
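The rule above is a chain of conditions: POST method, an exact "Content-Length: 128" header, "User-Agent:" as the very first header after the request line (distance:1 skips the minor-version digit, and within:14 equals the length of the search string, so nothing may sit between them), no Accept* header, and a client body containing four consecutive bytes that are neither printable ASCII nor CR/LF. The following Python is an added example, not part of the paste or of the Snort ruleset: it re-implements those content/pcre checks and runs them over two constructed requests, one that mirrors the header layout of the captured beacon (its 128-byte body is constructed, not the real ciphertext) and one benign POST that shares the Content-Length but fails the other tests.

```python
import re

# pcre:"/[^ -~\x0d\x0a]{4}/P" -- four consecutive bytes that are neither
# printable ASCII (0x20-0x7E) nor CR/LF, searched in the HTTP client body.
NON_PRINTABLE_RUN = re.compile(rb"[^ -~\r\n]{4}")

# Constructed stand-in for the encrypted beacon body: exactly 128 bytes,
# all with the high bit set, so every byte is non-printable.
BEACON_BODY = bytes(range(128, 256))

# Constructed request mirroring the header layout of the pasted capture.
BEACON_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"User-Agent: Mozilla/5.0 (compatible; MSIE 8.0;)\r\n"
    b"Host: search.namequery.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"Content-Length: 128\r\n"
    b"TagId: 268958596\r\n"
    b"\r\n" + BEACON_BODY
)

# Constructed benign POST: same Content-Length, but Host precedes User-Agent,
# an Accept header is present, and the body is printable.
BENIGN_REQUEST = (
    b"POST /api/upload HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: curl/7.64.1\r\n"
    b"Accept: */*\r\n"
    b"Content-Length: 128\r\n"
    b"\r\n" + b"A" * 128
)


def evaluate(raw: bytes) -> dict:
    """Evaluate each content/pcre condition of sid 26910 against one raw request."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return {"complete_headers": False}
    headers = head + b"\r\n"  # restore the CRLF that partition() consumed
    results = {"complete_headers": True}

    # content:"POST"; http_method
    results["http_method_post"] = head.startswith(b"POST ")

    # content:"Content-Length: 128|0D 0A|"; http_header
    results["content_length_128"] = b"Content-Length: 128\r\n" in headers

    # content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1
    # distance:1 skips the minor-version digit; within:14 is the length of the
    # search string, so User-Agent must immediately follow the request line.
    ua_first = False
    idx = raw.find(b" HTTP/1.")
    if idx != -1:
        start = idx + len(b" HTTP/1.") + 1
        ua_first = raw[start:start + 14] == b"\r\nUser-Agent: "
    results["user_agent_first_header"] = ua_first

    # content:!"|0D 0A|Accept"; http_header  (negated: no Accept* header at all)
    results["no_accept_header"] = b"\r\nAccept" not in headers

    # pcre on the client body
    results["binary_body"] = NON_PRINTABLE_RUN.search(body) is not None
    return results


def matches(raw: bytes) -> bool:
    """True only when every condition of the rule holds."""
    return all(evaluate(raw).values())


if __name__ == "__main__":
    for name, req in (("beacon", BEACON_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, matches(req), evaluate(req))
```

The per-condition dictionary is what makes this useful when tuning: a sample that trips only the Content-Length test tells you the fast_pattern is doing its job as a cheap prefilter, while the header-order and negated Accept checks are what keep ordinary browser and API traffic with a 128-byte body from alerting.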

Reported by neonprimetime security
Blog: http://neonprimetime.blogspot.com
Twitter: https://twitter.com/neonprimetime @neonprimetime
VirusTotal: https://www.virustotal.com/en/user/neonprimetime/
Reddit: https://www.reddit.com/user/neonprimetime