
Rule History

SID: 2019378 • Source: et/open

Versions (5)

Version Details (Current)

Rev: 17 • Oct 9, 2014, 12:00 PM

ET MALWARE Gozi/BlackNet Checkin

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Gozi/BlackNet Checkin"; flow:established,to_server; urilen:100<>325; http.method; content:"GET"; http.uri; content:".php?"; fast_pattern; content:!"?key="; content:!"?token="; content:!"/index.php"; content:!"act=bkw9"; nocase; content:!"?data="; pcre:"/^\/[a-z]{3,10}\.php\?[a-z]{3,10}=(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$/"; http.header; content:!"DriverUpdate"; http.host; content:!"remocam.com"; content:!"desktopad.com"; content:!"mydlink.com"; content:!"gadingpos.com"; http.header_names; content:!"Accept"; content:!"Referer|0d 0a|"; reference:md5,cd2d9c7bd5de6d12718785f495ce1bb4; reference:url,csis.dk/en/csis/news/4472/; classtype:command-and-control; sid:2019378; rev:17; metadata:created_at 2014_10_09, performance_impact Significant, confidence High, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2023_05_01, reviewed_at 2024_03_21;)
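The URI-level logic of this signature (the exclusive urilen window, the negated content matches and the base64-shaped pcre) re-implemented as a small Python checker, with constructed sample URIs so the decision can be traced offline. This is an added example, not Proofpoint's code or Suricata's matching engine; the header, host and Accept/Referer conditions of the rule are not modelled, and the sample URIs and the function name uri_matches are assumptions.

```python
import base64
import re

# Mirrors the http.uri conditions of ET SID 2019378 (constructed re-implementation,
# not Suricata's engine): urilen 100<>325 is an exclusive range, the negated
# content matches are plain substring checks (act=bkw9 is case-insensitive), and
# the pcre anchors one base64-looking value after a single lowercase parameter.
URI_RE = re.compile(
    r"^/[a-z]{3,10}\.php\?[a-z]{3,10}="
    r"(?:[A-Za-z0-9+/]{4})*"
    r"(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{4})$"
)
NEGATED = ("?key=", "?token=", "/index.php", "?data=")


def uri_matches(uri: str) -> bool:
    """Return True when the URI satisfies the rule's URI-level conditions."""
    if not (100 < len(uri) < 325):          # urilen:100<>325
        return False
    if ".php?" not in uri:                   # content:".php?"
        return False
    if any(s in uri for s in NEGATED):       # content:!"?key=" ... content:!"?data="
        return False
    if "act=bkw9" in uri.lower():            # content:!"act=bkw9"; nocase;
        return False
    return URI_RE.match(uri) is not None     # the anchored pcre


# Constructed sample: short lowercase script name, one lowercase parameter and
# 120 characters of base64 (URI length 137, inside the urilen window).
SAMPLE_HIT = "/images.php?page=" + base64.b64encode(b"x" * 88).decode()
# Same shape but using an excluded parameter name -> suppressed by content:!"?key="
SAMPLE_EXCLUDED = "/images.php?key=" + base64.b64encode(b"x" * 88).decode()
# Base64 value too short for the urilen window -> no alert
SAMPLE_SHORT = "/images.php?page=" + base64.b64encode(b"x" * 12).decode()

if __name__ == "__main__":
    for label, uri in (("hit", SAMPLE_HIT), ("excluded", SAMPLE_EXCLUDED),
                       ("short", SAMPLE_SHORT)):
        print(f"{label:9} len={len(uri):3} match={uri_matches(uri)}")
```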

Oct 9, 2014, 12:00 PM

May 1, 2023, 12:00 PM

Oct 9, 2014, 12:00 PM

Oct 6, 2025, 4:34 PM

rules/emerging-malware.rules