Re: Pony checkin

[James Lay <jlay () slave-tothe-box net>]

On Oct 30, 2013, at 4:55 PM, James Lay <jlay () slave-tothe-box net> wrote:

> Didn't see this in the current sets:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> Win32/Pony Checkin"; flow:to_server,established; content:"POST"; 
> content:"HTTP|2f|1.0"; pcre:"/[a-f0-9]{10,12}/\x2f[a-f0-9]{10,12}/Ui"; 
> content:"Content-Type|3a| application/octet-stream"; http_header; 
> reference:url,www.invincea.com/2013/10/k-i-a-state-of-ca-beacon-hijacked-kore-exploit-kit-serving-bestav-pony"; 
> classtype:trojan-activity; sid:10000109; rev:1;)
>
> Tested for errors, but not much more (it's late :P)
>
> James

Sloppy work…changed here:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Pony Checkin"; flow:to_server,established; 
content:"POST"; http_method; content:"HTTP|2f|1.0"; pcre:”/\x2f[a-f0-9]{10,12}\x2f[a-f0-9]{10,12}/Ui"; 
content:"Content-Type|3a| application/octet-stream"; http_header; 
reference:url,www.invincea.com/2013/10/k-i-a-state-of-ca-beacon-hijacked-kore-exploit-kit-serving-bestav-pony"; 
classtype:trojan-activity; sid:10000109; rev:1;)

Thanks to rmkml…sharp!

James

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

------------------------------------------------------------------------------
Android is increasing in popularity, but the open development platform that
developers love is also attractive to malware creators. Download this white
paper to learn more about secure code signing practices that can help keep
Android apps secure.
http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!