![snort logo](/images/snort-logo.png)
Snort mailing list archives
Malicious swf sig
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 10 Dec 2014 09:27:23 -0700
Didn't see this in current sets, so here goes. Seen this in the wild...attaching as an image for safety. The Shockwave file does a simple URLrequest. Interesting thing to note was the ETag in the response:
GET /f4ce3f4ef065f157d07dd20977598b0e.swf HTTP/1.1 Accept: */* Accept-Language: en-US Referer: <redacted>www.futurehopping.com / self-sustaining-greenhouse/ x-flash-version: 14,0,0,176User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 2dollarpeepshow.com Cache-Control: max-stale=0 Connection: Keep-Alive Pragma: no-cache HTTP/1.1 200 OK Date: Tue, 09 Dec 2014 23:55:31 GMT Server: Apache/2.2.15 (CentOS) Last-Modified: Tue, 02 Dec 2014 15:35:51 GMT ETag: "2f184b-3bc-5093d7b5e83c0" Accept-Ranges: bytes Content-Length: 956 Connection: close Content-Type: application/x-shockwave-flashNot sure if this is isolated, or an infection of some sort....the iframe parameter might be able to be sig'd up as well:
<redacted>iframe name="37BF769D6F28F3EA27520E9EC44C0644" id="37BF769D6F28F3EA27520E9EC44C0644" style="position:absolute;top:5000px;left:5000px;width:300px;height:300px;"></iframe<redacted>
Anyway sig here:alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Malicious Shockwave redirect script"; content:"|2e|swf"; fast_pattern:only; pcre:"/[0-9a-z]{16}\.swf/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference: url,www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977;" classtype:trojan-activity; sid:10000147; rev:1;)
All the previous names are 16 characters (thanks VT) so that's what I'm matching on..might help out someone somewhere...thoughts and fixes are welcome..thanks all.
James
Attachment:
2014-12-10 09_07_27-_new 1 - Notepad++.png
Description:
------------------------------------------------------------------------------ Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server from Actuate! Instantly Supercharge Your Business Reports and Dashboards with Interactivity, Sharing, Native Excel Exports, App Integration & more Get technology previously reserved for billion-dollar corporations, FREE http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Malicious swf sig James Lay (Dec 10)
- Message not available
- Re: [Emerging-Sigs] Malicious swf sig James Lay (Dec 10)
- Message not available
- Message not available
- Re: [Emerging-Sigs] Malicious swf sig James Lay (Dec 10)
- Re: [Emerging-Sigs] Malicious swf sig Will Metcalf (Dec 10)
- Re: [Emerging-Sigs] Malicious swf sig James Lay (Dec 10)
- Re: [Emerging-Sigs] Malicious swf sig James Lay (Dec 10)