Snort mailing list archives

BHv2 Mailing Campaign Gate natpay.html


From: Community Proposed <lists () packetmail net>
Date: Thu, 6 Jun 2013 11:31:28 -0500

Another BHv2 mailing campaign, all the gates at the moment are pointing to
hxxp://usforclosedhomes.net/news/walls_autumns-serial.php which is /news/ BHv2
and should be covered with existing sigs.  Message Subjects start with the text
"Transmission Confirmation ~"

We've got some good IP candidates associated with malware.

 ;; ANSWER SECTION:
 usforclosedhomes.net.   16      IN      A       46.18.160.86
 usforclosedhomes.net.   16      IN      A       93.89.235.13
 usforclosedhomes.net.   16      IN      A       112.170.169.56
 usforclosedhomes.net.   16      IN      A       41.89.6.179

Snort Sig:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"VRT COMMUNITY BHv2 EK Initial Gate from NatPay Mailing Campaign"; \
    flow:established,to_server; \
    content:"/natpay.html?"; http_uri; \
    classtype:trojan-activity; sid:x; rev:1; \
)

Ran the above through my Hadoop/Hive cluster for 04/01/2013 with no FPs.

Observed Gates:


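As an added illustration (not code from the post or from Snort), here is the rule's URI logic applied to constructed proxy log lines in Python: it shows why anchoring on the path plus "?" catches every query-parameter variant the gates use, while a bare /natpay.html or a differently cased path does not fire because the rule has no nocase. The squid-style log layout and the hostnames are assumptions.

```python
from urllib.parse import urlsplit, parse_qsl

# The Snort rule keys on the literal "/natpay.html?" in the HTTP URI buffer
# (content + http_uri). The rule has no nocase modifier, so the match is
# case-sensitive, and the trailing "?" requires a query string to be present.
GATE_URI_CONTENT = "/natpay.html?"

# Constructed proxy log lines (assumption: squid-style "ts client status method url"
# fields); these are sample data, not lines from the original post.
SAMPLE_LOG = """\
1370536288.123 10.0.0.5 TCP_MISS/200 GET http://gate-a.example.net/natpay.html?subj=Customer%20Report%20Question~FNQ0YNJ1~21431376
1370536290.456 10.0.0.7 TCP_MISS/200 GET http://gate-b.example.org/natpay.html?action=contact&id=B4GCOX56JL_F9MIG0R3
1370536291.789 10.0.0.9 TCP_MISS/200 GET http://intranet.example.com/natpay.html
1370536292.000 10.0.0.9 TCP_MISS/302 GET http://files.example.com/docs/NATPAY.HTML?x=1
"""

def uri_of(url: str) -> str:
    """Return the request-URI part (path plus query) that http_uri inspects."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")

def matches_rule(uri: str) -> bool:
    """Mirror the rule's content match: a literal, case-sensitive substring test."""
    return GATE_URI_CONTENT in uri

def scan_log(log_text: str) -> list:
    """Apply the rule logic to each line and return one record per hit.

    Only the path and "?" are matched, so every gate variant in the campaign
    (refid=, subj=, message=, action=...&id=, ref_id=, contact_us=, msg=) fires
    regardless of which query parameter name the gate uses.
    """
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than crash
        ts, client, _status, _method, url = fields[:5]
        if not matches_rule(uri_of(url)):
            continue
        parts = urlsplit(url)
        hits.append({"ts": ts, "client": client, "host": parts.hostname,
                     "params": dict(parse_qsl(parts.query))})
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], "->", hit["host"], hit["params"])
```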

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org