Versions (3)
Version DetailsCurrent
Rev: 10 • Jul 30, 2010, 12:00 PMET MALWARE Opachki Link Hijacker HTTP Header Injection
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Opachki Link Hijacker HTTP Header Injection"; flow:established,to_server; http.uri; content:".php?l="; fast_pattern; nocase; content:"&u="; nocase; http.accept_enc; pcre:"/^([a-z])\1{3}/i"; http.header_names; content:"|0d 0a|Accept-Encoding|0d 0a|"; nocase; content:"|0d 0a|Referer|0d 0a|"; nocase; reference:url,www.secureworks.com/research/threats/opachki/?threat=opachki; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fOpachki.A; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2009-092213-3317-99&tabid=2; classtype:trojan-activity; sid:2010283; rev:10; metadata:created_at 2010_07_30, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_02_20;)
Jul 30, 2010, 12:00 PM
Feb 20, 2024, 12:00 PM
Sep 21, 2024, 3:00 AM
Jan 19, 2026, 10:35 PM
rules/emerging-malware.rules