Snort mailing list archives
Re: TIFF images in MS-Office documents used in targeted attacks
From: Paul Bottomley <Paul.Bottomley () betfair com>
Date: Wed, 6 Nov 2013 09:54:45 +0000
Good write up here: http://www.alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets

"Network traffic
Perform HTTP GET requests, some examples are:
/logitech/rt.php?cn=xx@<username>&str=&file=no
/green/srt.php?cn=xx@<username>&str=&file=no
/funbox/rt.php?cn=<MACHINE_NAME>@<USER>&str=&file=no
/joy/rt.php?cn=<MACHINE_NAME>@<USER>&str=&file=no
You can look for the pattern "&str=&file=no" in your proxy logs to find infected systems."

So something like:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Outbound connection related to ms office zero day"; flow:established,to_server; content:"&str=&file=no"; fast_pattern:only; http_uri; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; priority:1; sid:xxxxxxx; rev:1;)

Maybe you could incorporate some regex, e.g. as a pcre option against the normalised URI:

pcre:"/\/[a-z]{2,3}\.php\?cn=[^&]+&str=&file=no/U";

I've not tested the above...

Paul

-----Original Message-----
From: James Lay [mailto:jlay () slave-tothe-box net]
Sent: 05 November 2013 18:49
To: Snort-sigs
Subject: [Snort-sigs] TIFF images in MS-Office documents used in targeted attacks

Per ISC:

TIFF images in MS-Office documents used in targeted attacks
http://isc.sans.edu/diary.html?n&storyid=16964

Anyone got any pcaps/additional info on this?

James

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
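The write-up quoted in the message above suggests grepping proxy logs for "&str=&file=no", and the proposed Snort rule keys on the same fixed query tail. The script below is an added example (not Paul's, James's or AlienVault's code) that runs both a loose substring check and a stricter check over proxy log lines: the strict form generalises the four example URIs to "one directory, then rt.php or srt.php, with cn=<host>@<user>, an empty str= and file=no". The Squid native access.log layout and the four sample lines, including one benign download URL that happens to share the query tail, are constructed for the example.

```python
"""Scan proxy logs for the beacon URIs described in the AlienVault write-up.

Added example, not code from the mailing-list thread. The log format
(Squid native access.log) and the sample lines are constructed here;
the URI shapes come from the write-up quoted in the thread.
"""
import re
from urllib.parse import urlsplit, parse_qs

# The loose indicator the write-up suggests grepping for in proxy logs.
LOOSE_MARKER = "&str=&file=no"

# Stricter shape generalised from the four example URIs:
# exactly one directory, then rt.php or srt.php.
BEACON_PATH = re.compile(r"^/[^/]+/s?rt\.php$")

# Constructed Squid native-format lines: three beacons and one benign hit
# that carries the same query tail, to show what the stricter check adds.
SAMPLE_LOG = """\
1383652345.123    120 10.1.2.3 TCP_MISS/200 512 GET http://203.0.113.10/logitech/rt.php?cn=WS01@jsmith&str=&file=no - DIRECT/203.0.113.10 text/html
1383652346.456     80 10.1.2.4 TCP_MISS/200 1024 GET http://www.example.com/index.html - DIRECT/198.51.100.5 text/html
1383652347.789     90 10.1.2.5 TCP_MISS/200 300 GET http://203.0.113.11/green/srt.php?cn=LAPTOP7@amir&str=&file=no - DIRECT/203.0.113.11 text/html
1383652348.012     70 10.1.2.6 TCP_MISS/200 200 GET http://www.example.net/download.php?id=7&str=&file=no - DIRECT/198.51.100.6 text/html
"""


def classify(url):
    """Return 'strict', 'loose' or None for one requested URL.

    'strict': path is /<dir>/rt.php or /<dir>/srt.php and the query has
    cn=<something>, an empty str= and file=no, i.e. the full shape from
    the write-up. 'loose': only the fixed query tail is present.
    """
    if LOOSE_MARKER not in url:
        return None
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if (BEACON_PATH.match(parts.path)
            and "cn" in qs
            and qs.get("str") == [""]
            and qs.get("file") == ["no"]):
        return "strict"
    return "loose"


def scan(lines):
    """Return one dict per suspicious request found in Squid native-format lines."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or malformed line
        client, url = fields[2], fields[6]  # Squid native: client is field 3, URL field 7
        level = classify(url)
        if level is None:
            continue
        cn = parse_qs(urlsplit(url).query, keep_blank_values=True).get("cn", [""])[0]
        hits.append({"client": client, "url": url, "cn": cn, "level": level})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(f"{hit['level']:6} {hit['client']:10} cn={hit['cn'] or '-'}  {hit['url']}")
```

Run against a real access.log with `scan(open("access.log"))`; the "strict" hits are the ones to chase first, while the "loose" hits are what a bare grep for the query tail would also return. The cn value is worth recording because it carries the infected host and user name in clear text.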
Current thread:
- TIFF images in MS-Office documents used in targeted attacks James Lay (Nov 05)
- Re: TIFF images in MS-Office documents used in targeted attacks Paul Bottomley (Nov 06)
- Re: TIFF images in MS-Office documents used in targeted attacks Joel Esler (Nov 06)
- Re: TIFF images in MS-Office documents used in targeted attacks James Lay (Nov 06)