Snort mailing list archives
Re: [Emerging-Sigs] Malicious swf sig
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 10 Dec 2014 14:29:29 -0700
On 2014-12-10 01:58 PM, Will Metcalf wrote:

Will check into those on the ET side. For some reason I think I've seen leading dir sometimes could be wrong though..

Regards,
Will

On Wed, Dec 10, 2014 at 1:09 PM, James Lay <jlay () slave-tothe-box net [15]> wrote:
On 2014-12-10 11:11 AM, Shefferman, Ian wrote:

So far I've seen these Flash files used primarily (and probably solely) to redirect to Angler exploit kit "32x32" gates. A typical chain is as follows:
(Source: http://malware-traffic-analysis.net/2014/10/30/index.html [1])

GET kj-invest.com/2de96bd378d6e6614297e27284fdb335.swf [2]
POST newfamilynutrition.com/c9e9975e0f51af3ce1354090fb303d8e.php?q=87086c5336208ce7836edca90ecc8d25 [3]  # this POST request is made by the SWF
GET qwe.leucaenaleucocephalaporno.net/7xibe37z48 [4]  # actual Angler EK
GET qwe.leucaenaleucocephalaporno.net/4PJOZWsxU4AMjReTBUSHArovOS32pWLvpt0cwm0sEion8J7ahaP62dkHtp-auIWi [5]

The SWF receives parameters dynamically through HTML param attributes to determine where to redirect.

-----Original Message-----
From: emerging-sigs-bounces () lists emergingthreats net [6] [mailto:emerging-sigs-bounces () lists emergingthreats net [7]] On Behalf Of James Lay
Sent: Wednesday, December 10, 2014 11:27 AM
To: Snort-sigs; Emerging
Subject: [Emerging-Sigs] Malicious swf sig
Didn't see this in current sets, so here goes. Seen this in the wild...attaching as an image for safety. The Shockwave file does a simple URLrequest. Interesting thing to note was the ETag in the response:

GET /f4ce3f4ef065f157d07dd20977598b0e.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: www.futurehopping.com/self-sustaining-greenhouse/ [8]
x-flash-version: 14,0,0,176
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Host: 2dollarpeepshow.com [9]
Cache-Control: max-stale=0
Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 200 OK
Date: Tue, 09 Dec 2014 23:55:31 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 02 Dec 2014 15:35:51 GMT
ETag: "2f184b-3bc-5093d7b5e83c0"
Accept-Ranges: bytes
Content-Length: 956
Connection: close
Content-Type: application/x-shockwave-flash
Not sure if this is isolated, or an infection of some sort....the iframe parameter might be able to be sig'd up as well:

<iframe name="37BF769D6F28F3EA27520E9EC44C0644" id="37BF769D6F28F3EA27520E9EC44C0644" style="position:absolute;top:5000px;left:5000px;width:300px;height:300px;"><redacted>
Anyway sig here:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Malicious Shockwave redirect script"; content:"|2e|swf"; fast_pattern:only; pcre:"/[0-9a-z]{16}\.swf/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977; classtype:trojan-activity; sid:10000147; rev:1;)

All the previous names are 16 characters (thanks VT) so that's what I'm matching on..might help out someone somewhere...thoughts and fixes are welcome..thanks all.

James

Ok..this one should be a little better..clearly I'm not good at making sigs ;) :
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Angler Landing Gate"; content:"|2e|swf"; fast_pattern:only; pcre:"/GET \/[0-9a-z]{16}\.swf/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977; classtype:trojan-activity; sid:10000147; rev:3;)
James

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net [12]
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs [13]
Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net [14]

Interesting....the one I saw had no leading directory...and 16 characters instead of 32.

James

Links:
------
[1] http://malware-traffic-analysis.net/2014/10/30/index.html
[2] http://kj-invest.com/2de96bd378d6e6614297e27284fdb335.swf
[3] http://newfamilynutrition.com/c9e9975e0f51af3ce1354090fb303d8e.php?q=87086c5336208ce7836edca90ecc8d25
[4] http://qwe.leucaenaleucocephalaporno.net/7xibe37z48
[5] http://qwe.leucaenaleucocephalaporno.net/4PJOZWsxU4AMjReTBUSHArovOS32pWLvpt0cwm0sEion8J7ahaP62dkHtp-auIWi
[6] mailto:emerging-sigs-bounces () lists emergingthreats net
[7] mailto:emerging-sigs-bounces () lists emergingthreats net
[8] http://www.futurehopping.com
[9] http://2dollarpeepshow.com
[10] http://www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977
[11] http://www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977
[12] mailto:Emerging-sigs () lists emergingthreats net
[13] https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
[14] http://www.emergingthreats.net
[15] mailto:jlay () slave-tothe-box net
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
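Added example, not part of the thread and not Snort or Emerging Threats code: a small Python harness that reads each revision's pcre option the way a regex engine reads it and runs it over the request lines quoted above plus a few benign look-alikes. It shows why Snort's `|2f|` byte notation must not be used inside pcre (there `|` is alternation, so the bare branch `GET ` fires on every request), that the unescaped `.` in rev:1 matches any byte, and that a leading-slash-anchored `{16}` fires only when the name is exactly 16 characters long. The third pattern is my escaped form of the rev:3 pcre and the sample request lines are constructed; both are assumptions about intended behaviour rather than anything the list posted.

```python
import re

# Snort pcre option values as they appear in the two rule revisions in the thread,
# plus an escaped form of the rev:3 pattern (my assumption about the intended match).
RULE_PCRES = {
    "rev1_as_posted": "/[0-9a-z]{16}.swf/",
    "rev3_as_posted": "/GET |2f|[0-9a-z]{16}.swf/",
    "rev3_escaped":   r"/GET \/[0-9a-z]{16}\.swf/",
}

# Constructed request lines: the first three carry the URIs quoted in the thread,
# the remaining four are benign look-alikes made up for this check.
SAMPLE_REQUESTS = [
    "GET /f4ce3f4ef065f157d07dd20977598b0e.swf HTTP/1.1",   # capture in the original post (32-char name)
    "GET /2de96bd378d6e6614297e27284fdb335.swf HTTP/1.1",   # first step of Ian's chain (32-char name)
    "GET /c9e9975e0f51af3ce1354090fb303d8e.php?q=87086c5336208ce7836edca90ecc8d25 HTTP/1.1",
    "GET /abcdef0123456789.swf HTTP/1.1",                   # constructed 16-char name
    "GET /index.html HTTP/1.1",                             # benign
    "GET /media/player.swf HTTP/1.1",                       # benign .swf in a subdirectory
    "GET /static/js/2f-bundle.js HTTP/1.1",                 # benign, contains a literal "2f"
]


def pcre_to_python(option):
    """Turn a Snort pcre value ("/pattern/flags") into a compiled Python regex.

    Only flags that mean the same thing in Python are translated; Snort-specific
    buffer flags such as U or H raise, so nothing is silently ignored.
    """
    if not option.startswith("/"):
        raise ValueError("pcre value must start with /")
    end = option.rfind("/")
    pattern, flags = option[1:end], option[end + 1:]
    flag_map = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE, "x": re.VERBOSE}
    re_flags = 0
    for f in flags:
        if f not in flag_map:
            raise ValueError(f"unsupported or Snort-specific flag {f!r}; translate by hand")
        re_flags |= flag_map[f]
    return re.compile(pattern, re_flags)


def evaluate(option, requests=SAMPLE_REQUESTS):
    """Return (request line, matched text) for every line the pattern fires on.

    Reporting the matched text is what exposes alternation surprises: a hit whose
    matched text is just "GET " means the pattern is not matching the file name at all.
    """
    rx = pcre_to_python(option)
    return [(line, m.group(0)) for line in requests if (m := rx.search(line))]


def matched_lines(option, requests=SAMPLE_REQUESTS):
    """Just the request lines a pattern fires on, for quick true/false-positive checks."""
    return [line for line, _ in evaluate(option, requests)]


if __name__ == "__main__":
    for name, option in RULE_PCRES.items():
        print(f'{name}: pcre:"{option}"')
        for line, text in evaluate(option):
            print(f"   fires on {line!r} (matched {text!r})")
```

Run as a script it prints, per revision, which request lines fire and what text actually matched; rev3_as_posted lists all seven lines with matched text `GET `, which is the alternation bug, while rev3_escaped lists only the constructed 16-character name. The same harness is a cheap place to drop any further observed URIs before committing a rule change.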
Current thread:
- Malicious swf sig James Lay (Dec 10)
- Message not available
- Re: [Emerging-Sigs] Malicious swf sig James Lay (Dec 10)
- Message not available
- Message not available
- Re: [Emerging-Sigs] Malicious swf sig James Lay (Dec 10)
- Re: [Emerging-Sigs] Malicious swf sig Will Metcalf (Dec 10)
- Re: [Emerging-Sigs] Malicious swf sig James Lay (Dec 10)
- Re: [Emerging-Sigs] Malicious swf sig James Lay (Dec 10)