alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:30; classtype:trojan-activity; sid:2007611; rev:3;)
Added 2007-11-14 03:46:00 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority\: 1|0d 0a|X-Library\: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:22; classtype:trojan-activity; sid:2007611; rev:2;)
Added 2007-09-09 15:20:12 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body - Priority 1"; flow:established,to_server; content:"|0d 0a|X-Priority: 1|0d 0a|X-Library: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:22; classtype:trojan-activity; sid:2007611; rev:1;)
Added 2007-09-09 00:02:45 UTC
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body"; flow:established,to_server; content:"|0d 0a|X-Priority: 1|0d 0a|X-Library: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:22; classtype:trojan-activity; sid:2007611; rev:1;)
Added 2007-09-08 11:56:32 UTC
See a lot of trojans and credential-stealing agents report an infection with a blank email to a free email service. Looks like so:
0000 53 75 62 6a 65 63 74 3a 20 4e 6f 76 6f 3a 42 4f Subject: Novo:BO
0010 42 54 57 4f 0d 0a 54 6f 3a 20 62 69 73 73 62 72 BTWO..To: bissbr
0020 61 73 69 6c 40 67 6d 61 69 6c 2e 63 6f 6d 0d 0a asil@gmail.com..
0030 44 61 74 65 3a 20 54 68 75 2c 20 38 20 53 65 70 Date: Thu, 8 Sep
0040 20 32 30 30 35 20 30 37 3a 31 31 3a 33 30 20 2d 2005 07:11:30 -
0050 30 34 30 30 0d 0a 58 2d 50 72 69 6f 72 69 74 79 0400..X-Priority
0060 3a 20 31 0d 0a 58 2d 4c 69 62 72 61 72 79 3a 20 : 1..X-Library:
0070 49 6e 64 79 20 39 2e 30 30 2e 31 30 0d 0a 0d 0a Indy 9.00.10....
0080 2e 0d 0a ...
This sig should catch those, since they usually use the indy mail lib and no body.
As you can see above, the dead drop email is
bissbrasil@gmail.com (reported). If you get a hit on this it doesn't guarantee an infection, but you should verify why, and to where, a blank email was sent from a workstation.
--
MattJonkman - 08 Sep 2007
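As an added example (not part of Matt Jonkman's note or of the Emerging Threats rule set), the following Python re-implements the two content matches and the within window of sid 2007611 as a stand-alone checker, so the rule can be exercised offline against the message transcribed from the hex dump above and against constructed variants: one with a short message body, one with an overlong X-Library version string that only the rev:3 window (within:30) accepts, and one with a different priority. The within semantics used here (the second pattern must end no more than N bytes after the end of the previous match, and the engine retries on later occurrences of the first pattern) are the Snort/Suricata semantics as understood by this example; the sample messages other than the one taken from the dump are constructed for the demonstration.

```python
"""Stand-alone re-implementation of the content/within logic of sid 2007611.

The rule fires on an SMTP DATA stream that carries an "X-Priority: 1" header
immediately followed by an "X-Library: Indy ..." header, where the end of the
header block (CRLF CRLF) and the DATA terminator (CRLF . CRLF) follow within a
short window, i.e. there is no message body between the headers and the dot.
"""

# First content: end of the X-Priority header plus the X-Library header, up to
# and including the space that precedes the Indy version string.
CONTENT_1 = b"\r\nX-Priority: 1\r\nX-Library: Indy "
# Second content: blank line that ends the headers, then the lone dot that
# terminates SMTP DATA. Nothing in between means the message has no body.
CONTENT_2 = b"\r\n\r\n.\r\n"


def matches_indy_empty_body(payload: bytes, within: int = 30) -> bool:
    """Return True if both content matches of the rule succeed on payload.

    `within` is the rule's within:N value (22 in rev:2, 30 in rev:3). Assumed
    semantics: the second pattern must lie entirely inside the N bytes that
    follow the end of the first match. Like the rule engine, we retry with
    later occurrences of the first pattern if the second match fails.
    """
    pos = payload.find(CONTENT_1)
    while pos != -1:
        prev_end = pos + len(CONTENT_1)
        if CONTENT_2 in payload[prev_end:prev_end + within]:
            return True
        pos = payload.find(CONTENT_1, pos + 1)
    return False


def gap_after_library_header(payload: bytes) -> int:
    """Bytes between the end of CONTENT_1 and the start of CONTENT_2.

    For a body-less Indy mail this is just the length of the version string on
    the X-Library line. Returns -1 if either pattern is absent.
    """
    start = payload.find(CONTENT_1)
    if start == -1:
        return -1
    prev_end = start + len(CONTENT_1)
    end = payload.find(CONTENT_2, prev_end)
    if end == -1:
        return -1
    return end - prev_end


def max_version_len(within: int) -> int:
    """Longest X-Library version string the window still tolerates.

    The second pattern (7 bytes) must fit inside the window, so everything
    else in the window is the version string: 15 bytes for within:22,
    23 bytes for within:30.
    """
    return within - len(CONTENT_2)


# Transcribed from the hex dump in the post above (rule-positive sample).
SAMPLE_FROM_PAGE = (
    b"Subject: Novo:BOBTWO\r\n"
    b"To: bissbrasil@gmail.com\r\n"
    b"Date: Thu, 8 Sep 2005 07:11:30 -0400\r\n"
    b"X-Priority: 1\r\n"
    b"X-Library: Indy 9.00.10\r\n"
    b"\r\n"
    b".\r\n"
)

# Constructed: same headers, but the mail carries a body, so CRLF CRLF is not
# directly followed by the terminating dot.
SAMPLE_WITH_BODY = SAMPLE_FROM_PAGE.replace(b"\r\n\r\n.\r\n", b"\r\n\r\nhello\r\n.\r\n")

# Constructed: an 18-byte version string. CONTENT_2 then ends 25 bytes after
# the first match, which is outside within:22 but inside within:30.
SAMPLE_LONG_VERSION = SAMPLE_FROM_PAGE.replace(b"Indy 9.00.10", b"Indy 9.00.10.1234567890")

# Constructed: normal priority, so the first content never matches.
SAMPLE_PRIORITY_3 = SAMPLE_FROM_PAGE.replace(b"X-Priority: 1", b"X-Priority: 3")


if __name__ == "__main__":
    for name, sample in (("page sample", SAMPLE_FROM_PAGE),
                         ("with body", SAMPLE_WITH_BODY),
                         ("long version", SAMPLE_LONG_VERSION),
                         ("priority 3", SAMPLE_PRIORITY_3)):
        print(f"{name:13s} rev2(within:22)={matches_indy_empty_body(sample, 22)!s:5s} "
              f"rev3(within:30)={matches_indy_empty_body(sample, 30)!s:5s} "
              f"gap={gap_after_library_header(sample)}")
```

Two things the checker makes visible that the rule text alone does not: the within value is what actually enforces "no message body" (a body of a couple of bytes that happens to end with a blank line, such as `hi\r\n\r\n.\r\n`, still lands inside the window and fires), and the only difference between rev:2 and rev:3 is how long an X-Library version string the window tolerates. Treat hits the way the post says: as a reason to look at which workstation sent a body-less mail and to whom, not as proof of infection.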