Re: Openadvertising.com Malware Campaign malicious jar sigs

[Joel Esler <jesler () sourcefire com>]

BTW -- sig 26653 also catches this.


On Jun 19, 2013, at 9:46 AM, Joel Esler <jesler () sourcefire com> wrote:

> All,
>
> I have rules that will ship in the next rule pack for these already written.  I'll add the community tag to them so 
> they go out for free.
>
>
> On Jun 18, 2013, at 7:31 PM, lists () packetmail net wrote:
>
> > On 06/18/2013 06:06 PM, Joel Esler wrote:
> > > Thanks James!
> >
> > I've got hits and these aren't what I'm seeing, I was seeing 16-byte by 16-byte
> > to these; James good sig but I see your &k=&h= concatenated together without the
> > 16-byte values.  As always James, you rock, despite what Joel says about you :)
> >
> > hxxp://www.msas.ch/images/_notes/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57
> >
> > hxxp://www.msas.ch/images/_notes/.cache/?f=sm_main.mp3&k=9899151747059329&h=0504dc8510fdce57
> >
> > hxxp://www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=9465364283059318&h=0504dc8510fdce57
> >
> > hxxp://www.la-diag.com/forum.bad/images/.cache/?f=site.jar&k=7484643054057816&h=a8946c52c90a7e96
> >
> > hxxp://www.arielentertainment.com/images/new_buttons/enter_button/.cache/?f=site.jar&k=6046817725057817&h=a8946c52477b6b89
> >
> > hxxp://iavisarts.org/include/adodb/.cache/?f=atom.jar&k=9900174397059339&h=0504dc8578794650
> >
> > Recommending:
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> > (msg:"INDICATOR-COMPROMSED openxadvertising.com Malvertising Campaign
> > URI request"; flow:to_server,established;
> > content:"/.cache/?f="; http_uri; fast_pattern;
> > pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U";
> > metadata:policy balanced-ips drop, policy security-ips drop, service http;
> > reference:url,http://research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html;
> > classtype:trojan-activity; sid:10000079; rev:1;
> >
> > These will catch all variants with no FPs, I ran 05/01/2013+ with the below Hive
> > query:
> >
> > SELECT distinct
> > date_time,user_name,client_ip,http_status,block_reason,url_body_size,media_type,dest_ip,url,url_referrer,user_agent
> > FROM webwasher_full where day>='2013-05-01' and http_status <> '407'
> > and url rlike 'http:\\/\\/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$'
> >
> > Cheers,
> > Nathan
> >
> > ------------------------------------------------------------------------------
> > This SF.net email is sponsored by Windows:
> >
> > Build for Windows Store.
> >
> > http://p.sf.net/sfu/windows-dev2dev
> > _______________________________________________
> > Snort-sigs mailing list
> > Snort-sigs () lists sourceforge net
> > https://lists.sourceforge.net/lists/listinfo/snort-sigs
> > http://www.snort.org
> >
> >
> > Please visit http://blog.snort.org for the latest news about Snort!

------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:

Build for Windows Store.

http://p.sf.net/sfu/windows-dev2dev

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!