
Sig help (Tumblr redirect)


From: "Lay, James" <james.lay () wincofoods com>
Date: Fri, 29 Jun 2012 08:30:25 -0600

Team,

 

Recently I've been seeing spams as shown below:

 

 

Your inbox is full of surprises from a special someone. You should go
check it out now. To receive this special gift, View Here

 

 

 

Sent from Yahoo! Mail on Android

 

 

The "View Here" link goes to Tumblr pages such as the two below (one sample went through the t.co URL shortener first, then landed on Tumblr):

kmghoshk.tumblr.com

wcmxztol.tumblr.com

 

Those Tumblr pages contain the following obfuscated JavaScript; two variants were seen:

 

// Sample 1 as lifted from the Tumblr page. The line breaks are the mail
// client's wrapping (presumably one line in the original); note that the
// wrapped form puts a newline right after `return` in ertryu, which ASI
// turns into `return;`, so this copy only runs as intended unwrapped.
// Every helper just concatenates its arguments; the literals assemble a URL.
var dnc='http'; var ghmr='://e'; function ertryu(wnz,hfy){return
wnz+hfy} var ndnkkl=ertryu(dnc,ghmr);var qvst='card'; var fcv='love';
// ndnkkl = 'http://e'; the next line builds pdgfvt = 'cardlove'
function ikgofp(gtq,ojh){return gtq+ojh} var pdgfvt=ikgofp(qvst,fcv);var
ymm='wis'; var zko='h.co'; function hgypvh(ocu,cln){return ocu+cln} var
ehillv=hgypvh(ymm,zko);var jah='m/?'; var wlo='6QBc'; var ehjh='kb';
// ehillv = 'wish.co'; the next lines build hjgfam = 'm/?6QBckb'
function iatyan(rcw,dgi,ygk){return rcw+dgi+ygk} var
hjgfam=iatyan(jah,wlo,ehjh); var kwzkgy=ndnkkl+pdgfvt+ehillv+hjgfam;
// kwzkgy = 'http://ecardlovewish.com/?6QBckb'; the assignment below is the
// redirect. `ghmr='://e';` is the byte sequence the Snort sig keys on.
document.location = kwzkgy

 

// Sample 2: same construction, different fragment boundaries and a
// different target domain. Also mail-wrapped, but here no line breaks
// fall after `return`, so this copy still evaluates correctly.
var uvw='http'; var unn='://e'; function xoimr(qmn,cey){return qmn+cey}
// opbsj = 'http://e'; the next lines build rvoa = 'cardlov'
var opbsj=xoimr(uvw,unn);var jvgt='card'; var smo='lov'; function
dbog(tzp,nqh){return tzp+nqh} var rvoa=dbog(jvgt,smo);var foi='ersw';
// next lines build wtzdi = 'erswish' and vzby = '.com/?C'
var rth='ish'; function qzhlg(uwu,mrg){return uwu+mrg} var
wtzdi=qzhlg(foi,rth);var hqzh='.com'; var vrly='/?C'; function
shfq(fgk,yom){return fgk+yom} var vzby=shfq(hqzh,vrly);var dih='qdve';
// next lines build ybvpit = 'qdvee'
var ibt='e'; function rdetyd(xep,itr){return xep+itr} var
ybvpit=rdetyd(dih,ibt); var vaybau=opbsj+rvoa+wtzdi+vzby+ybvpit;
// vaybau = 'http://ecardloverswish.com/?Cqdvee' -- note this is NOT the
// same domain as sample 1. The only fragment common to both samples is
// `unn='://e';` (sample 1: `ghmr='://e';`), hence the sig's content match.
document.location = vaybau

 

Decoding the two samples (simply concatenating the string fragments in order) gives:

hxxp://ecardlovewish.com/?6QBckb (sample 1)

hxxp://ecardloverswish.com/?Cqdvee (sample 2 -- a different domain, so the domain is not a stable indicator)

 

Those in turn redirect to dating sites (iHookup, ScoreNextDoor, etc.).
The sig below matches the hex for the literal `='://e';` (3d 27 3a 2f 2f 65 27 3b), which is the one fragment both samples share; the domain and URI fragments differ between samples, so matching on those would not generalize.

 

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT
Tumblr spam redirect"; flow:from_server; file_data; content:"|3d 27 3a
2f 2f 65 27 3b|"; nocase; metadata:policy security-ips drop, service
http; classtype:bad-unknown; sid:10000014; rev:1;)

 

Is there a better way to catch these or clean this up?  Thanks.

 

James



