Sig help (Tumblr redirect)
From: "Lay, James" <james.lay () wincofoods com>
Date: Fri, 29 Jun 2012 08:30:25 -0600
Team,

Recently I've been seeing spam as shown below:

Your inbox is full of surprises from a special someone. You should go check it out now. To receive this special gift, View Here Sent from Yahoo! Mail on Android

The "view here" goes to links such as the following (one went through the t.co URL-shortening service first, before landing on Tumblr):

kmghoshk.tumblr.com
wcmxztol.tumblr.com

These pages contain the obfuscated JavaScript below:

var dnc='http'; var ghmr='://e'; function ertryu(wnz,hfy){return wnz+hfy} var ndnkkl=ertryu(dnc,ghmr);var qvst='card'; var fcv='love'; function ikgofp(gtq,ojh){return gtq+ojh} var pdgfvt=ikgofp(qvst,fcv);var ymm='wis'; var zko='h.co'; function hgypvh(ocu,cln){return ocu+cln} var ehillv=hgypvh(ymm,zko);var jah='m/?'; var wlo='6QBc'; var ehjh='kb'; function iatyan(rcw,dgi,ygk){return rcw+dgi+ygk} var hjgfam=iatyan(jah,wlo,ehjh); var kwzkgy=ndnkkl+pdgfvt+ehillv+hjgfam; document.location = kwzkgy

var uvw='http'; var unn='://e'; function xoimr(qmn,cey){return qmn+cey} var opbsj=xoimr(uvw,unn);var jvgt='card'; var smo='lov'; function dbog(tzp,nqh){return tzp+nqh} var rvoa=dbog(jvgt,smo);var foi='ersw'; var rth='ish'; function qzhlg(uwu,mrg){return uwu+mrg} var wtzdi=qzhlg(foi,rth);var hqzh='.com'; var vrly='/?C'; function shfq(fgk,yom){return fgk+yom} var vzby=shfq(hqzh,vrly);var dih='qdve'; var ibt='e'; function rdetyd(xep,itr){return xep+itr} var ybvpit=rdetyd(dih,ibt); var vaybau=opbsj+rvoa+wtzdi+vzby+ybvpit; document.location = vaybau

These decode to links pointing to:

hxxp://ecardlovewish.com/?6QBckb

(The second sample, concatenated the same way, yields hxxp://ecardloverswish.com/?Cqdvee.)

Those in turn redirect to silly dating sites (iHookup, ScoreNextDoor, etc.).

The sig below matches the hex for the string ='://e'; :

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Tumblr spam redirect"; flow:from_server; file_data; content:"|3d 27 3a 2f 2f 65 27 3b|"; nocase; metadata:policy security-ips drop, service http; classtype:bad-unknown; sid:10000014; rev:1;)

Is there a better way to catch these, or to clean this rule up?

Thanks.

James