Possible Trojan Infection Report Email Rule
A large number of trojans report an infection by sending a blank email to a Gmail or other free provider. They're pretty bland, other than that they almost always use the Indy Mail lib, so the mail is slightly unique.
# This sig should catch them outbound
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY Possible Infection Report Mail - Indy Mail lib and No Message Body"; flow:established,to_server; content:"|0d 0a|X-Priority: 1|0d 0a|X-Library: Indy "; content:"|0d 0a 0d 0a 2e 0d 0a|"; within:22; classtype:trojan-activity; sid:2007611; rev:1;)
Some more detail here:
http://docs.bleedingthreats.net/bin/view/Main/2007611
Please report any falses on it.
Matt