Whoever created this Snort alert for Trojan connection attempts didn't include documentation.
(1:41034) MALWARE-CNC Win.Trojan.Sality variant outbound connection
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sality variant outbound connection"; flow:to_server,established; content:"/images/image.gif"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; depth:12; http_header; content:!"proxy"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,virustotal.com/en/file/22fc19a6d9e0ef40812d05c357beabfed6f7cb9fe72af826947acb458b911213/analysis/; classtype:trojan-activity; sid:41034; rev:1; )
If I had to guess, I think it's related to this Sality gambling campaign or something similar, which stated.
It appears the image.gif callouts download the real payload. The article also mentions that Sality has incorporated rootkit functions as part of the malware family's ongoing evolution, and that it was found to deliver fake-AV malware as the final payload, able to infect not only local drives but also USB devices and network folders.
The VirusTotal link above shows many solid hits for Win32/Sality.
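To make the undocumented rule's logic explicit, here is a small Python model of SID 41034's three content matches run over constructed HTTP requests. This is an added example, not the blog author's code and not Snort's own matching engine; it assumes Snort's http_header buffer starts after the request line (so depth:12 on a 12-byte pattern means User-Agent must be the first header) and treats the port, flow direction and established-state conditions of the rule as already satisfied. The sample requests and hostnames are made up.

```python
"""Model of the content matches in Snort SID 41034 (Win.Trojan.Sality outbound).

Added example; it reimplements only the content/http_uri/http_header logic of the
rule. $HTTP_PORTS, flow:to_server,established and the metadata/reference options
are assumed satisfied and are not modelled here.
"""


def split_request(raw: bytes):
    """Return (request_uri, header_block) for a raw HTTP/1.x request.

    header_block approximates Snort's http_header buffer (assumption): everything
    after the request line, request line excluded, with the trailing CRLF kept.
    """
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    request_line, _sep, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[1], headers + b"\r\n"


def matches_sid_41034(raw: bytes) -> bool:
    """True when the request satisfies all three content checks of the rule."""
    uri, headers = split_request(raw)

    # content:"/images/image.gif"; fast_pattern:only; http_uri;
    # Case-sensitive substring of the (normalized) request URI.
    if b"/images/image.gif" not in uri:
        return False

    # content:"User-Agent|3A 20|"; depth:12; http_header;
    # |3A 20| is ": ", so the pattern is the 12 bytes b"User-Agent: ".
    # depth:12 restricts the search to the first 12 bytes of the header buffer,
    # i.e. User-Agent has to be the very first header line (browser clients
    # normally send Host first, which is what makes this a useful fingerprint).
    if b"User-Agent: " not in headers[:12]:
        return False

    # content:!"proxy"; nocase; http_header;
    # Negated and case-insensitive: "proxy" must not appear anywhere in the headers,
    # so requests that went through an explicit proxy do not fire the rule.
    if b"proxy" in headers.lower():
        return False

    return True


# Constructed sample requests (not real captures) exercising each branch.
SAMPLES = {
    "beacon_like": (
        b"GET /images/image.gif HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0\r\n"
        b"Host: cdn.example.invalid\r\n\r\n"
    ),
    # Host first: User-Agent is outside the first 12 bytes, depth:12 fails.
    "browser_like": (
        b"GET /images/image.gif HTTP/1.1\r\n"
        b"Host: cdn.example.invalid\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n"
    ),
    # Proxy-Connection header trips the negated "proxy" match.
    "through_proxy": (
        b"GET /images/image.gif HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0\r\n"
        b"Proxy-Connection: keep-alive\r\n\r\n"
    ),
    # Different path: the http_uri content never matches.
    "other_uri": (
        b"GET /images/logo.gif HTTP/1.1\r\n"
        b"User-Agent: Mozilla/4.0\r\n\r\n"
    ),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the rule model."""
    return {name: matches_sid_41034(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:15s} -> {'ALERT' if hit else 'no match'}")
```

Reading the rule this way shows why it is worth tuning before setting it to drop: the URI string alone is something any website could serve, so most of the rule's precision comes from the User-Agent-first header ordering and the absence of proxy headers. When it fires, correlating the client with the VirusTotal sample referenced in the rule is the natural next step.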
Copyright © 2016, this post cannot be reproduced or retransmitted in any form without reference to the original post.