Snort mailing list archives
Re: This is familiar
From: Joel Esler <jesler () sourcefire com>
Date: Sun, 19 May 2013 13:11:07 -0400
Thanks James.

On May 17, 2013, at 5:14 PM, James Lay <jlay () slave-tothe-box net> wrote:
> Yay..just like that one --c32 malware that kept popping up everywhere months ago, comes ded509 (google that..it's a hoot):
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:established,to_client; file_data; content:"<!--ded509-->"; distance:0; content:"<!--/ded509-->"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://www.jsunpack.jeek.org/?report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; classtype:trojan-activity; sid:10000063; rev:1;)
>
> Currently being served at: hxxp://tascq.dreamhosters.com/owner.html
>
> Cleverly disguised as a "spam" email (something about satisfying ladies).
>
> The jsunpack reference is a different one, so eh...it's spotty out in the wild I guess.
>
> Enjoy on a Friday!
>
> James
>
> ------------------------------------------------------------------------------
> AlienVault Unified Security Management (USM) platform delivers complete security visibility with the essential security capabilities. Easily and efficiently configure, manage, and operate all of your security controls from a single console and one unified framework. Download a free trial. http://p.sf.net/sfu/alienvault_d2d
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
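The rule James posted relies on two chained `content` matches inside the `file_data` buffer: the closing `<!--/ded509-->` marker only counts if it is found at or after the end of the `<!--ded509-->` match (`distance:0`). The following Python is an added example, not code from the thread or from Snort: it pulls the `content`/`distance` pairs out of the rule text as posted and replays that ordered-match logic over a few constructed response bodies, so you can see which pages would and would not fire before loading the rule into a sensor. It models only `file_data`, `content` and `distance`; every other option in the rule is ignored, and the sample bodies are made up.

```python
"""Emulate the chained content matches of the ded509 rule over HTTP bodies.

Added example, not from the mailing-list thread. Assumptions: only the
``file_data`` buffer, ``content`` and ``distance`` semantics are modelled;
the rule text below is the one posted in the thread; the bodies in SAMPLES
are constructed for illustration.
"""
from __future__ import annotations

import re
from typing import Optional

# The rule exactly as posted in the thread.
RULE = (
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any '
    '(msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; '
    'flow:established,to_client; file_data; content:"<!--ded509-->"; distance:0; '
    'content:"<!--/ded509-->"; distance:0; '
    'metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, '
    'service http; reference:url,http://www.jsunpack.jeek.org/'
    '?report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; '
    'classtype:trojan-activity; sid:10000063; rev:1;)'
)

# content:"..."; optionally followed by distance:N;
_CONTENT_RE = re.compile(r'content:"([^"]*)";(?:\s*distance:(-?\d+);)?')


def parse_contents(rule: str) -> list[tuple[bytes, Optional[int]]]:
    """Return [(pattern_bytes, distance_or_None), ...] in rule order."""
    return [
        (m.group(1).encode(), int(m.group(2)) if m.group(2) is not None else None)
        for m in _CONTENT_RE.finditer(rule)
    ]


def matches(body: bytes, contents: list[tuple[bytes, Optional[int]]]) -> bool:
    """Chained matching: each pattern must start at (end of previous match
    + distance) or later. A content with no distance is searched from the
    start of the buffer, which is also where the cursor begins."""
    cursor = 0
    for pattern, distance in contents:
        start = max(0, cursor + (distance or 0))
        idx = body.find(pattern, start)
        if idx < 0:
            return False          # this content never matched: rule does not fire
        cursor = idx + len(pattern)
    return True


# Constructed sample bodies (not real captures).
SAMPLES: dict[str, bytes] = {
    # injected block with the markers in the expected order: fires
    "injected": b"<html><body>hi<!--ded509--><script src='x'></script><!--/ded509--></body></html>",
    # nothing injected: no match
    "clean": b"<html><body>hi</body></html>",
    # opening marker only: the second content fails
    "open_only": b"<html><!--ded509--><script></script></html>",
    # markers reversed: closing marker precedes the opening one, so
    # the relative search for it finds nothing
    "reversed": b"<html><!--/ded509-->x<!--ded509--></html>",
}


def classify(samples: dict[str, bytes] = SAMPLES) -> dict[str, bool]:
    """Run the rule's content chain over every sample body."""
    contents = parse_contents(RULE)
    return {name: matches(body, contents) for name, body in samples.items()}


if __name__ == "__main__":
    for name, fired in classify().items():
        print(f"{name:10s} -> {'ALERT' if fired else 'no match'}")
```

Only the "injected" body fires; the reversed-order body does not, which is exactly the effect `distance:0` buys over two independent content matches. This is a model of the option semantics for reasoning about the signature, not a substitute for testing the rule in Snort itself.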
Current thread:
- This is familiar James Lay (May 17)
- Re: This is familiar Joel Esler (May 19)