snort rules - Pandemiya Trojan - Zeus-based Variant

 Earlier today a colleague (thanks Zuhair) made me aware of a new Zeus-based variant which was discovered. He sent me the following three links:
 High-level Description

http://threatpost.com/new-pandemiya-banking-trojan-written-from-scratch/106554

Detailed Technical Description

https://blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants/

Symantec Assessment

http://www.symantec.com/security_response/writeup.jsp?docid=2014-061111-3458-99

 As a result I've developed and tested the following snort rules. I'm publishing them here in the hope that they can help someone. I will be implementing these and thought someone else may find them useful.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Pandemiya Trojan - Zeus-based Variant - POST request"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent";nocase; content:"Hello|20|2|2E|0"; nocase;fast_pattern;content:"aWnBrokeQxPeKunljEDkm"; nocase; Priority:1;reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants,symantec.com/security_response/writeup.jsp?docid=2014-061111-3458-99&tabid=2 ;sid:4000001)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Pandemiya Trojan - Zeus-based Variant - POST request"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent";nocase; content:"Hello|20|2|2E|0"; nocase;fast_pattern;content:"P4ND3M1CB00BF4C3"; nocase; Priority:1;reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants,symantec.com/security_response/writeup.jsp?docid=2014-061111-3458-99&tabid=2 ;sid:4000001)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Pandemiya Trojan - Zeus-based Variant - GET request"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent";nocase; content:"Hello|20|2|2E|0"; nocase;fast_pattern;content:"aWnBrokeQxPeKunljEDkm"; nocase; Priority:1;reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants,symantec.com/security_response/writeup.jsp?docid=2014-061111-3458-99&tabid=2 ;sid:4000001)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Pandemiya Trojan - Zeus-based Variant - GET request"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent";nocase; content:"Hello|20|2|2E|0"; nocase;fast_pattern;content:"P4ND3M1CB00BF4C3"; nocase; Priority:1;reference:url,blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants,symantec.com/security_response/writeup.jsp?docid=2014-061111-3458-99&tabid=2 ;sid:4000001)

If anyone thinks these can be better modified,please feel free to drop me a line at nikalleyne at gmail dot com.