Snort mailing list archives
Mac OSX Ransomware
From: Paul Bottomley <Paul.Bottomley () betfair com>
Date: Thu, 18 Jul 2013 10:20:58 +0000
Morning! Probably not the best written rule given the amount of matches on the regex and I'm sure there are loads of ways to write this rule (see source on pastebin link), so if anyone wants to better this feel free :)

http://blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/
http://pastebin.com/THRQ1Xp2

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"[DELIVERY] Mac OSX Ransomware Excessive iframes"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; fast_pattern; pcre:"/(?:<iframe\s+src=.*){150}/";............)

Thanks,
Paul
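The two checks the posted rule performs on a server-to-client HTTP body (the fast-pattern `content:` match, then the "150 or more iframes" condition) re-implemented in Python as an added example for testing the logic offline; this is not code from the post or from Snort. It assumes the rule's intent is simply "at least 150 `<iframe src=` tags", so it counts tags with `findall` rather than reproducing the `(?:<iframe\s+src=.*){150}` PCRE (150 chained greedy `.*` groups backtrack heavily, and because `.` does not cross newlines the posted PCRE only fires when the iframes sit on one line). The HTML bodies are constructed samples, not captured traffic.

```python
import re

# The rule's fast-pattern content: |22| is Snort hex for a double quote and
# |25|20 is "%20", so the page carries URL-encoded spaces literally.
LOCKED_MARKER = b'<iframe src="YOUR%20BROWSER%20HAS%20BEEN%20LOCKED'

# Count iframe-with-src tags instead of the rule's (?:<iframe\s+src=.*){150}
# PCRE (assumed equivalent intent): same threshold, no nested backtracking,
# and no dependence on line breaks in the page.
IFRAME_SRC_RE = re.compile(rb'<iframe\s+src=', re.IGNORECASE)
IFRAME_THRESHOLD = 150


def inspect_body(body: bytes) -> dict:
    """Apply the posted rule's two checks to an HTTP response body.

    Returns the intermediate results so an analyst can see why a page did or
    did not trigger (fast pattern hit, iframe count, final verdict).
    """
    fast_pattern_hit = LOCKED_MARKER in body
    # Snort only evaluates the pcre once the fast pattern matched; mirror that.
    iframe_count = len(IFRAME_SRC_RE.findall(body)) if fast_pattern_hit else 0
    return {
        "fast_pattern_hit": fast_pattern_hit,
        "iframe_count": iframe_count,
        "alert": fast_pattern_hit and iframe_count >= IFRAME_THRESHOLD,
    }


def build_sample(n_iframes: int, marker: bool = True) -> bytes:
    """Constructed HTML body (not real captured traffic) for exercising the check."""
    if marker:
        tag = LOCKED_MARKER + b'%20HTML" width="1" height="1"></iframe>'
    else:
        # Ad-heavy but unrelated page: many iframes, none with the locker text.
        tag = b'<iframe src="https://example.invalid/ad"></iframe>'
    # All tags on a single line, as a page stuffing iframes would emit them.
    return b'<html><body>' + tag * n_iframes + b'</body></html>'


if __name__ == "__main__":
    samples = [
        ("benign", build_sample(1)),
        ("ad-heavy, no marker", build_sample(200, marker=False)),
        ("locker page", build_sample(160)),
    ]
    for label, body in samples:
        print(f"{label:>20}: {inspect_body(body)}")
```

Running the block prints one verdict per constructed sample; only the body that carries both the locker string and 150 or more iframes alerts, which is the behaviour to compare against when tuning the threshold or the PCRE in the real rule.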
Current thread:
- Mac OSX Ransomware Paul Bottomley (Jul 18)
- Re: Mac OSX Ransomware Nick Randolph (Jul 18)