Vobfus Post-Infection Indicator

A classic, but still very active.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fVobfus

HTTP Request Method = GET
HTTP URI Regex = :443\/[a-zA-Z]+\?[a-z]$

See examples of Vobfus Post-Infection Indicator on UrlQuery.net
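
The following is an added example, not code from the original post, showing one way to apply both parts of the indicator to proxy-style logs. The log layout (`src method host port uri`), the sample lines and the function names are assumptions constructed for illustration. Because the regex begins with `:443`, the host and port are joined to the URI before matching.

```python
import re

# Method and URI regex exactly as published in the post.
INDICATOR_METHOD = "GET"
INDICATOR_URI = re.compile(r":443\/[a-zA-Z]+\?[a-z]$")


def matches_indicator(method, host, port, uri):
    """Return True when one request matches both parts of the indicator.

    The regex starts with ':443', so it must be run against host:port plus
    the request URI. Matching the path alone would never hit.
    """
    if method.upper() != INDICATOR_METHOD:
        return False
    return INDICATOR_URI.search(f"{host}:{port}{uri}") is not None


def scan(log_text):
    """Return (source, url) for every matching line of the assumed layout."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed lines
        src, method, host, port, uri = fields
        if matches_indicator(method, host, port, uri):
            hits.append((src, f"{host}:{port}{uri}"))
    return hits


# Constructed sample data (hypothetical layout: src method host port uri).
SAMPLE_LOG = """\
10.0.0.5 GET host1.example 443 /abc?x
10.0.0.5 GET host1.example 80 /abc?x
10.0.0.6 POST host2.example 443 /abc?x
10.0.0.7 GET host3.example 443 /abc?xy
10.0.0.8 GET host4.example 443 /a1b?x
10.0.0.9 GET host5.example 443 /QwErTy?k
"""

if __name__ == "__main__":
    for src, url in scan(SAMPLE_LOG):
        print(f"{src} -> {url}")
```

Only the first and last sample lines match. The others fail on port, method, a query string longer than one lowercase letter, or a digit in the path.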
