Snort mailing list archives
Re: Malicious UA sig thoughts
From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 18 Sep 2012 11:30:17 -0500
On 09/18/12 10:55, James Lay wrote:
I've been tracking a malicious email campaign that, via email, fires sig 24102. The email is usually a single image and link pointing to a compromised server. Once this is clicked a zip file is served (currently INVOICE_FORM.zip); once extracted INVOICE_FORM.exe is created, and once run, injects code into svchost.exe. The below is a sig to catch the UA on port 84 which it uses in my testing of multiple exe's:
Excellent find, analysis, and write-up James! I wonder too if there's some value in some type of signature like:

alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"VRT COMMUNITY POLICY HTTP User-Agent and Host header seen on port not defined in HTTP_PORTS to EXTERNAL_NET could be malware"; flow:to_server,established; content:"|0d 0a|User-Agent|3a 20|"; fast_pattern:only; content:"|0d 0a|Host|3a 20|"; nocase; classtype:policy-violation; sid:x; rev:1;)

Cheers,
Nathan

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
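The port-based header check Nathan sketches above, translated into a small Python matcher as an added example (this is not code from the thread, from Snort, or from the VRT): it mirrors the rule header, the !$HTTP_PORTS negation, the flow direction and the two content matches, and runs them over a few constructed request payloads, including a port-84 beacon like the one James describes. HOME_NET, the HTTP_PORTS subset, the addresses and the payloads are assumptions made up for the example, not values from the post.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the Snort variables the rule references.
# A real HTTP_PORTS list is much longer; three entries are enough here.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
HTTP_PORTS = {80, 443, 8080}

# The two content matches, translated from Snort's |hex| notation.
# Only the Host content carries 'nocase', so User-Agent is an exact byte match.
UA_NEEDLE = b"\r\nUser-Agent: "
HOST_NEEDLE = b"\r\nhost: "


@dataclass
class Packet:
    src: str
    dst: str
    dport: int
    to_server: bool      # stand-in for flow:to_server,established
    payload: bytes


def in_home_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)


def rule_matches(pkt: Packet) -> bool:
    """Apply the header and options of the posted rule to one packet."""
    # $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS
    if not in_home_net(pkt.src) or in_home_net(pkt.dst):
        return False
    if pkt.dport in HTTP_PORTS:
        return False
    # flow:to_server,established
    if not pkt.to_server:
        return False
    # Each content option without distance/within is an independent search
    # over the whole payload; the User-Agent one is case-sensitive.
    if UA_NEEDLE not in pkt.payload:
        return False
    if HOST_NEEDLE not in pkt.payload.lower():
        return False
    return True


def build_request(ua_header: bytes, host_header: bytes = b"Host: 203.0.113.10") -> bytes:
    """Constructed HTTP request; header lines are supplied without their CRLF."""
    return b"GET /gate.php HTTP/1.1\r\n" + ua_header + b"\r\n" + host_header + b"\r\n\r\n"


# Constructed sample traffic (addresses are documentation ranges, not real hosts).
SAMPLES = {
    # the port-84 beacon James describes: should fire
    "port84_beacon": Packet("10.1.2.3", "203.0.113.10", 84, True,
                            build_request(b"User-Agent: Mozilla/4.0")),
    # same request to a defined HTTP port: excluded by !$HTTP_PORTS
    "port80_browse": Packet("10.1.2.3", "203.0.113.10", 80, True,
                            build_request(b"User-Agent: Mozilla/4.0")),
    # lowercase header name: missed, because that content has no 'nocase'
    "lowercase_ua": Packet("10.1.2.3", "203.0.113.10", 84, True,
                           build_request(b"user-agent: Mozilla/4.0")),
    # no Host header at all: second content fails
    "no_host": Packet("10.1.2.3", "203.0.113.10", 84, True,
                      b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    # internal destination: not $EXTERNAL_NET
    "internal": Packet("10.1.2.3", "10.9.9.9", 84, True,
                       build_request(b"User-Agent: Mozilla/4.0")),
    # server reply direction: flow:to_server does not apply
    "reply": Packet("10.1.2.3", "203.0.113.10", 84, False,
                    build_request(b"User-Agent: Mozilla/4.0")),
}


def evaluate_all() -> dict:
    """Run the rule over every sample; returns name -> bool."""
    return {name: rule_matches(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:15s} {'ALERT' if hit else '-'}")
```

Only the port-84 beacon fires. The "lowercase_ua" sample shows the one place the rule as written is stricter than HTTP itself: header names are case-insensitive on the wire, but the User-Agent content has no nocase, so a client that emits "user-agent:" passes through. Whether to add nocase there is a tuning decision for whoever deploys the rule.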
Current thread:
- Malicious UA sig thoughts James Lay (Sep 18)
- Re: Malicious UA sig thoughts lists () packetmail net (Sep 18)
- Re: Malicious UA sig thoughts James Lay (Sep 18)
- Re: Malicious UA sig thoughts Joel Esler (Sep 18)
- Re: Malicious UA sig thoughts James Lay (Sep 18)
- Re: Malicious UA sig thoughts lists () packetmail net (Sep 18)