Citadel IOC sanitized


authorizedsamurai

Mar 12, 2013, 3:02:29 PM3/12/13
to ope...@googlegroups.com
Fixed and sanitized the links in the first section (obviously the links in the ioc file are still dangerous)

OR
  Network DNS contains msecure<dot>ru
  Port Remote IP is 198.162.116.16
  Port Remote IP is 93.186.171.133
  Network DNS contains proscitomash<dot>com
  Network DNS contains quliner<dot>ru
  File MD5 is 91B64502A89D6C47D1ADBDE3EBBF2532
  Port Remote IP is 209.85.229.104

The first five items come from http://www.mcafee.com/us/resources/white-papers/wp-citadel-trojan.pdf.

The MD5 comes from http://www.threatexpert.com/report.aspx?md5=91b64502a89d6c47d1adbde3ebbf2532 (linked to by http://blog.malwarebytes.org/intelligence/2012/11/citadel-a-cyber-criminals-ultimate-weapon/).

And the last IP comes from the malwarebytes blog entry - it's the IP infected clients are redirected to when they try to access certain security sites.

As always, no warranties implied, and comments and suggestions welcome. For some reason I still can't attach files, so here's the IOC pasted below.

<?xml version="1.0" encoding="us-ascii"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="226666e7-e748-4488-8d86-a641614a4cfa" last-modified="2013-03-12T17:59:57" xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>Citadel</short_description>
  <description>http://www.mcafee.com/us/resources/white-papers/wp-citadel-trojan.pdf
http://blog.malwarebytes.org/intelligence/2012/11/citadel-a-cyber-criminals-ultimate-weapon/
http://www.threatexpert.com/report.aspx?md5=91b64502a89d6c47d1adbde3ebbf2532</description>
  <authored_by>Megan</authored_by>
  <authored_date>2013-03-12T16:15:00</authored_date>
  <links />
  <definition>
    <Indicator operator="OR" id="28123200-9893-4bbf-8b8b-c202c618be64">
      <IndicatorItem id="f130f7fe-8d1d-498b-a9d8-47cec37d3922" condition="contains">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">msecure.su</Content>
      </IndicatorItem>
      <IndicatorItem id="1b619eb3-4c35-4c47-bc82-10962d5a4771" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
        <Content type="IP">198.162.116.16</Content>
      </IndicatorItem>
      <IndicatorItem id="219264d9-3355-4da8-81d6-10bfe8ae23de" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
        <Content type="IP">93.186.171.133</Content>
      </IndicatorItem>
      <IndicatorItem id="2124ea6c-a4b5-45d4-af46-3e42eec0901b" condition="contains">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">proscitomash.com</Content>
      </IndicatorItem>
      <IndicatorItem id="8e31fb06-9bf6-4d62-92b0-adb9daff567a" condition="contains">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">quliner.ru</Content>
      </IndicatorItem>
      <IndicatorItem id="40862803-fb91-492d-8f7f-136c7d5ebe49" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir" />
        <Content type="md5">91B64502A89D6C47D1ADBDE3EBBF2532</Content>
      </IndicatorItem>
      <IndicatorItem id="76533f85-34a2-4812-8311-9e96c07c913c" condition="is">
        <Context document="PortItem" search="PortItem/remoteIP" type="mir" />
        <Content type="IP">209.85.229.104</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
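As an added example that is not part of the original post or of any OpenIOC tooling, here is a small Python evaluator for the flat OpenIOC structure used in the IOC above: it parses the IndicatorItem/Context/Content elements, applies the `is` and `contains` conditions case-insensitively (the MD5 is listed upper-case, most hashing tools report lower-case), and combines the results with the Indicator's `operator`. It also handles AND, which this IOC does not use, and embeds a constructed two-item cut-down copy of the IOC so it runs offline; the `observed` dict (search key to list of values seen on a host) is an assumed input format.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# Constructed sample: a cut-down copy of the Citadel IOC above (two of its
# seven items), kept in the same OpenIOC structure so this block runs alone.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="226666e7-e748-4488-8d86-a641614a4cfa">
  <definition>
    <Indicator operator="OR" id="28123200-9893-4bbf-8b8b-c202c618be64">
      <IndicatorItem id="f130f7fe-8d1d-498b-a9d8-47cec37d3922" condition="contains">
        <Context document="Network" search="Network/DNS" type="mir" />
        <Content type="string">msecure.su</Content>
      </IndicatorItem>
      <IndicatorItem id="40862803-fb91-492d-8f7f-136c7d5ebe49" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir" />
        <Content type="md5">91B64502A89D6C47D1ADBDE3EBBF2532</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>"""

def item_matches(item, observed):
    """Test one IndicatorItem against the observed values for its search key."""
    search = item.find("ioc:Context", NS).get("search")
    want = item.find("ioc:Content", NS).text.strip().lower()
    # Compare case-insensitively: the IOC lists the MD5 in upper case,
    # while most hashing tools report lower case.
    values = [v.strip().lower() for v in observed.get(search, [])]
    cond = item.get("condition")
    if cond == "is":
        return want in values
    if cond == "contains":
        return any(want in v for v in values)
    raise ValueError("unsupported condition: %r" % cond)

def evaluate(ioc_xml, observed):
    """Return (fired, ids of matching IndicatorItems) for the top-level
    Indicator: OR fires on any child match, AND only when every child matches."""
    root = ET.fromstring(ioc_xml)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    hits, results = [], []
    for item in top.findall("ioc:IndicatorItem", NS):
        ok = item_matches(item, observed)
        results.append(ok)
        if ok:
            hits.append(item.get("id"))
    op = top.get("operator", "OR").upper()
    fired = any(results) if op == "OR" else all(results)
    return fired, hits
```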