alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Win32/Cryptrun.B/MSUpdater C&C traffic 1"; flow:from_client,established; http.uri; content:"/search"; content:"?h1="; fast_pattern; content:"&h2="; distance:0; content:"&h3="; distance:0; http.user_agent; content:"Mozilla/5.0 (compatible|3b|"; depth:24; reference:url,blog.9bplus.com/kim-jong-il-pdf-malware; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:command-and-control; sid:2014174; rev:6; metadata:created_at 2012_01_31, malware_family Win32_Cryptrun_B_MSUpdater, signature_severity Major, updated_at 2020_10_14;)