[Snort-sigs] Akak trojan signatures

New trojan being spread via IE drag-n-drop. Not real prevalent right 
now, but in case you want to be on the lookout for it:

alert tcp any any -> any 4321 (msg:"Akak trojan protocol hello"; 
content:"|89 13 00 00|"; dsize:4; flow:established,to_server; 
reference:url,www.lurhq.com/akak.html; classtype:trojan-activity; 
sid:1000120; rev:1;) 

alert tcp $HOME_NET 4321 -> $EXTERNAL_NET any (msg:"Akak trojan protocol 
response from infected host"; content:"|6f 17 00 00|"; dsize:4; 
flow:established,to_client; reference:url,www.lurhq.com/akak.html; 
classtype:trojan-activity; sid:1000121; rev:1;)

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/


-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs