Snort mailing list archives
Re: Openadvertising.com Malware Campaign malicious jar sigs
From: Joel Esler <jesler () sourcefire com>
Date: Wed, 19 Jun 2013 09:57:36 -0400
BTW -- sig 26653 also catches this.

On Jun 19, 2013, at 9:46 AM, Joel Esler <jesler () sourcefire com> wrote:

> All, I have rules that will ship in the next rule pack for these already written. I'll add the community tag to them so they go out for free.
>
> On Jun 18, 2013, at 7:31 PM, lists () packetmail net wrote:
>
>> On 06/18/2013 06:06 PM, Joel Esler wrote:
>>> Thanks James!
>>
>> I've got hits, and these aren't what I'm seeing; I was seeing 16-byte by 16-byte to these. James, good sig, but I see your &k=&h= concatenated together without the 16-byte values. As always James, you rock, despite what Joel says about you :)
>>
>> hxxp://www.msas.ch/images/_notes/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57
>> hxxp://www.msas.ch/images/_notes/.cache/?f=sm_main.mp3&k=9899151747059329&h=0504dc8510fdce57
>> hxxp://www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=9465364283059318&h=0504dc8510fdce57
>> hxxp://www.la-diag.com/forum.bad/images/.cache/?f=site.jar&k=7484643054057816&h=a8946c52c90a7e96
>> hxxp://www.arielentertainment.com/images/new_buttons/enter_button/.cache/?f=site.jar&k=6046817725057817&h=a8946c52477b6b89
>> hxxp://iavisarts.org/include/adodb/.cache/?f=atom.jar&k=9900174397059339&h=0504dc8578794650
>>
>> Recommending:
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISED openxadvertising.com Malvertising Campaign URI request"; flow:to_server,established; content:"/.cache/?f="; http_uri; fast_pattern; pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:url,http://research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html; classtype:trojan-activity; sid:10000079; rev:1;)
>>
>> These will catch all variants with no FPs; I ran 05/01/2013+ with the below Hive query:
>>
>> SELECT distinct date_time,user_name,client_ip,http_status,block_reason,url_body_size,media_type,dest_ip,url,url_referrer,user_agent FROM webwasher_full where day>='2013-05-01' and http_status <> '407' and url rlike 'http:\\/\\/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$'
>>
>> Cheers,
>> Nathan
>>
>> ------------------------------------------------------------------------------
>> This SF.net email is sponsored by Windows: Build for Windows Store. http://p.sf.net/sfu/windows-dev2dev
>> _______________________________________________
>> Snort-sigs mailing list
>> Snort-sigs () lists sourceforge net
>> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>> http://www.snort.org
>> Please visit http://blog.snort.org for the latest news about Snort!
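The URI check that the proposed rule encodes, as an added Python example (not code from the thread): the fast-pattern content match plus the pcre, run over constructed proxy-log lines with placeholder hosts; the non-matching lines show why the bare &k=&h= form is not enough and how tightly the pcre's $ anchor bounds a hit.

```python
import re
from urllib.parse import urlsplit

# Python equivalent of the two checks in the proposed Snort rule:
#   content:"/.cache/?f="; http_uri;            -> substring test on the URI
#   pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U"
# The /U modifier applies the pcre to the normalized URI (path plus query),
# so both tests are run against that string here.
CACHE_MARKER = "/.cache/?f="
CAMPAIGN_URI = re.compile(r"[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$")

def uri_matches(uri: str) -> bool:
    """True when a request URI has the /.cache/?f=...&k=<16 hex>&h=<16 hex> shape."""
    return CACHE_MARKER in uri and CAMPAIGN_URI.search(uri) is not None

def request_uri(url: str) -> str:
    """Reduce a full URL to the path?query form that Snort's http_uri buffer holds."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")

def scan_proxy_log(lines):
    """Return (client_ip, url) for each proxy-log line whose URL matches the rule."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        client_ip, url = fields[1], fields[2]
        if uri_matches(request_uri(url)):
            hits.append((client_ip, url))
    return hits

# Constructed proxy-log lines (timestamp client_ip url). Hosts are placeholders,
# not the domains from the thread; the query strings follow the posted samples.
SAMPLE_LOG = [
    "2013-06-18T18:06:01 10.0.0.5 http://host-a.example/images/_notes/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57",
    "2013-06-18T18:06:02 10.0.0.5 http://host-a.example/images/_notes/.cache/?f=sm_main.mp3&k=9899151747059329&h=0504dc8510fdce57",
    # the &k=&h= form without values: the 16-hex-char groups are absent, so no hit
    "2013-06-18T18:06:03 10.0.0.7 http://host-b.example/plugins/.cache/?f=site.jar&k=&h=",
    # an ordinary cache-busting URL: marker present but no two 16-hex params, no hit
    "2013-06-18T18:06:04 10.0.0.9 http://cdn.example/static/.cache/?f=app.js&v=20130618",
    # a trailing parameter fails the pcre's $ anchor: the rule matches the exact shape only
    "2013-06-18T18:06:05 10.0.0.9 http://host-c.example/.cache/?f=atom.jar&k=9900174397059339&h=0504dc8578794650&x=1",
]
```

Only the two 10.0.0.5 requests are reported; the other three lines document what the rule deliberately does not cover.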