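# Careto ("The Mask") network indicators -- local rule set (sid 1000010 and up).
# Every indicator cites the same source: Kaspersky, "Unveiling the Mask" v1.0
# (the reference: keyword in each rule). One rule per line; Snort does not
# accept several rules concatenated on a single line.
#
# DNS rules: fire on a client query from $HOME_NET to port 53 whose QNAME
# carries the wire-encoded labels (length byte + label) of a known Careto
# domain. byte_test:1,!&,0xF8,2 checks the first DNS flags byte (offset 2):
# none of the QR/opcode bits set, i.e. a standard query rather than a response.
# sid 1000010-1000013 terminate the pattern with |00| (root label, exact FQDN);
# the remaining DNS rules omit it and therefore also match when the domain
# appears as a non-terminal part of a longer name. Left as authored -- tighten
# to |00| only after confirming no expected subdomain forms would be lost.
#
# HTTP rules: a known Careto User-Agent string and the plugin download URIs
# (XPI for Linux/OSX, CRX for Windows) from the same report.
#
# Review notes:
# - sid 1000025 duplicated sid 1000022 (takami.podzone.net, identical content)
#   and would raise two alerts per query; it is commented out below.
# - sid 1000016: msg says gx5369.dyndns.tv but the content matches the label
#   "gx5639" -- verify the spelling against the reference before relying on it.
# - sid 10000036-10000039 carry one digit more than the DNS rules (1000036-1000039
#   would follow the sequence). Left unchanged because sids are referenced by
#   deployed policy; confirm and renumber with a rev bump if it is a typo.

# --- DNS: Careto C2 / staging domains (exact FQDN, |00| terminated) ---
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain linkconf.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|linkconf|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000010; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain redirserver.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|redirserver|03|net|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000011; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain swupdt.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|swupdt|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000012; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain appleupdt.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|appleupdt|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000013; rev:1;)

# --- DNS: Careto domains, no |00| terminator (see header note) ---
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain msupdt.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|msupdt|03|com"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000014; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain services.serveftp.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|08|services|08|serveftp|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000015; rev:1;)
# NOTE(review): msg and content disagree (gx5369 vs gx5639) -- confirm which label the report lists.
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain gx5369.dyndns.tv - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|gx5639|06|dyndns|02|tv"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000016; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain mango66.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|mango66|06|dyndns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000017; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ctronlinenews.dyndns.tv - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0D|ctronlinenews|06|dyndns|02|tv"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000018; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain fast8.homeftp.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|fast8|07|homeftp|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000019; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain wwnav.selfip.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|wwnav|06|selfip|03|net"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000020; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain dfup.selfip.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|04|dfup|06|selfip|03|net"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000021; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain takami.podzone.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|takami|07|podzone|03|net"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000022; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain ricush.ath.cx - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|ricush|03|ath|02|cx"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000023; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain carrus.gotdns.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|carrus|06|gotdns|03|com"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000024; rev:1;)
# sid 1000025 disabled: exact duplicate of sid 1000022 (same domain, same content); kept for sid bookkeeping.
#alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain takami.podzone.net - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|takami|07|podzone|03|net"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000025; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain cherry1962.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|cherry1962|06|dyndns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000026; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain sv.serveftp.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|02|sv|08|serveftp|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000027; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain pl400.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|pl400|06|dyndns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000028; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain wqq.dyndns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|03|wqq|06|dyndns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000029; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain pininfarina.dynalias.com - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0B|pininfarina|08|dynalias|03|com"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000030; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain nav1002.ath.cx - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|07|nav1002|03|ath|02|cx"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000031; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain prosoccer2.dyndns.info - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|prosoccer2|06|dyndns|04|info"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000032; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain prosoccer1.dyndns.info - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|0A|prosoccer1|06|dyndns|04|info"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000033; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain tunga.homedns.org - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|05|tunga|07|homedns|03|org"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000034; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"BLACKLIST DNS request for known malware domain nthost.shacknet.nu - Careto "; flow:to_server; byte_test:1,!&,0xF8,2; content:"|06|nthost|08|shacknet|02|nu"; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, service dns; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:1000035; rev:1;)

# --- HTTP: Careto User-Agent and plugin download URIs (outbound, established) ---
# User-Agent is matched in the normalized header buffer; hex escapes encode ':', '(', ';' and ')'.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST User-Agent known malicious user agent- Careto malware"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 4.01|3B| Windows NT|29|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000036; rev:1;)
# URI rules: GET method plus the platform-specific plugin path, both case-insensitive.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI - Careto XPI plugin download request - Linux"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/l/af_l_addon.xpi"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000037; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI - Careto XPI plugin download request - OSX"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/m/af_l_addon.xpi"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000038; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI - Careto CRX plugin download request - Windows"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/ag/plugin.crx"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, service http; reference:url,www.securelist.com/en/downloads/vlpdfs/unveilingthemask_v1.0.pdf; classtype:trojan-activity; sid:10000039; rev:1;)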