Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [Emerging-Sigs] Malicious swf sig

From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 10 Dec 2014 14:29:29 -0700
 

On 2014-12-10 01:58 PM, Will Metcalf wrote: 


Will check into

those on the ET side. For some reason I think I've seen leading dir
sometimes could be wrong though.. 

Regards, 
Will 

On Wed, Dec

10, 2014 at 1:09 PM, James Lay <jlay () slave-tothe-box net [15]> wrote:





On 2014-12-10 11:11 AM, Shefferman, Ian wrote:


So far I've

seen these Flash files used primarily (and probably

solely) to

redirect to Angler exploit kit "32x32" gates. A typical

chain is as

follows:


(Source:

http://malware-traffic-analysis.net/2014/10/30/index.html [1])




GET kj-invest.com/2de96bd378d6e6614297e27284fdb335.swf [2]

POST






newfamilynutrition.com/c9e9975e0f51af3ce1354090fb303d8e.php?q=87086c5336208ce7836edca90ecc8d25
[3]

# this POST request is made by the SWF
GET

qwe.leucaenaleucocephalaporno.net/7xibe37z48 [4] # actual Angler EK



GET




qwe.leucaenaleucocephalaporno.net/4PJOZWsxU4AMjReTBUSHArovOS32pWLvpt0cwm0sEion8J7ahaP62dkHtp-auIWi
[5]


The SWF receives parameters dynamically through HTML param

attributes

to determine where to redirect.

-----Original

Message-----

From: emerging-sigs-bounces () lists emergingthreats net

[6]

[mailto:emerging-sigs-bounces () lists emergingthreats net [7]] On

Behalf Of

James Lay
Sent: Wednesday, December 10, 2014 11:27

AM

To: Snort-sigs; Emerging
Subject: [Emerging-Sigs] Malicious

swf sig


Didn't see this in current sets, so here goes. Seen

this in the

wild...attaching as an image for safety. The Shockwave

file does a

simple URLrequest. Interesting thing to note was the

ETag in the

response:

GET

/f4ce3f4ef065f157d07dd20977598b0e.swf HTTP/1.1

Accept: */*


Accept-Language: en-US

Referer: www.futurehopping.com [8] /

self-sustaining-greenhouse/

x-flash-version: 14,0,0,176


User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1;
WOW64;

Trident/5.0)
Host: 2dollarpeepshow.com [9]


Cache-Control: max-stale=0

Connection: Keep-Alive
Pragma:

no-cache


HTTP/1.1 200 OK
Date: Tue, 09 Dec 2014 23:55:31

GMT

Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 02 Dec

2014 15:35:51 GMT

ETag: "2f184b-3bc-5093d7b5e83c0"


Accept-Ranges: bytes

Content-Length: 956
Connection: close


Content-Type: application/x-shockwave-flash


Not sure if this is

isolated, or an infection of some sort....the

iframe parameter might

be able to be sig'd up as well:


iframe

name="37BF769D6F28F3EA27520E9EC44C0644"



id="37BF769D6F28F3EA27520E9EC44C0644"




style="position:absolute;top:5000px;left:5000px;width:300px;height:300px;">redacted>





Anyway sig here:
alert tcp $HOME_NET any -> $EXTERNAL_NET

$HTTP_PORTS

(msg:"MALWARE-OTHER Malicious Shockwave redirect

script";

content:"|2e|swf"; fast_pattern:only;

pcre:"/[0-9a-z]{16}.swf/";

metadata:impact_flag red, policy

balanced-ips drop, policy

security-ips drop, service http;

reference:




url,www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977
[10];"


classtype:trojan-activity; sid:10000147; rev:1;)




All the previous names are 16 characters (thanks VT) so that's

what

I'm matching on..might help out someone somewhere...thoughts

and fixes

are welcome..thanks all.

James

Ok..this one

should be a little better..clearly I'm not good at making sigs ;) :





alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS

(msg:"MALWARE-OTHER Angler Landing Gate"; content:"|2e|swf";
fast_pattern:only; pcre:"/GET |2f|[0-9a-z]{16}.swf/";
metadata:impact_flag red, policy balanced-ips drop, policy security-ips
drop, service http; reference:
url,www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977
[11]; classtype:trojan-activity; sid:10000147; rev:3;)


James 




_______________________________________________
Emerging-sigs

mailing list

Emerging-sigs () lists emergingthreats net [12]


https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs [13]





Support Emerging Threats! Subscribe to Emerging Threats Pro

http://www.emergingthreats.net [14]

Interesting....the one I saw had no
leading directory...and 16 characters instead of 32. 

James


Links:
------
[1]
http://malware-traffic-analysis.net/2014/10/30/index.html
[2]
http://kj-invest.com/2de96bd378d6e6614297e27284fdb335.swf
[3]
http://newfamilynutrition.com/c9e9975e0f51af3ce1354090fb303d8e.php?q=87086c5336208ce7836edca90ecc8d25
[4]
http://qwe.leucaenaleucocephalaporno.net/7xibe37z48
[5]
http://qwe.leucaenaleucocephalaporno.net/4PJOZWsxU4AMjReTBUSHArovOS32pWLvpt0cwm0sEion8J7ahaP62dkHtp-auIWi
[6]
mailto:emerging-sigs-bounces () lists emergingthreats net
[7]
mailto:emerging-sigs-bounces () lists emergingthreats net
[8]
http://www.futurehopping.com
[9] http://2dollarpeepshow.com
[10]
http://www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977
[11]
http://www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977
[12]
mailto:Emerging-sigs () lists emergingthreats net
[13]
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
[14]
http://www.emergingthreats.net
[15] mailto:jlay () slave-tothe-box net

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
http://pubads.g.doubleclick.net/gampad/clk?id=164703151&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: