Snort mailing list archives
Installcore Downloads and Aggresive Adware Popups (catches numerous variants)
From: "Stanwyck, Carraig - ASOC - Kansas City, MO" <Carraig.Stanwyck () asoc usda gov>
Date: Thu, 19 May 2016 10:36:28 +0000
Good Morning, As usual, my apologies if these are duplicates. I did not find these when grepping the community ruleset. First up, Installcore downloads. This particular campaign mimics the tactics from some of the malware we track by changing domains on an often daily basis, so blocking domains does nothing. See attached XLS I created a few months back tracking those changes for a few days. Log of example traffic attached, pattern hasn't changed in over 6 months, but neither has the activity slowed down. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - Malicious Installcore Download [CS][Oct2015][PUP][CatA]"; flow:to_server,established; content:"c?x="; http_uri; distance:0; content:"&c="; http_uri; distance:0; classtype:trojan-activity; sid:123456789; rev:1;) Next up, this rule will catch check-ins and downloads for the following aggressive adware programs developed by Yontoo; Rock Turner (https://malwaretips.com/blogs/rock-turner-virus/), Bomlabio (https://malwaretips.com/blogs/ads-by-bomlabio-removal/), My Buzz Search (https://malwaretips.com/blogs/buzzsearch-virus-removal/), and Looking Link (https://malwaretips.com/blogs/lookinglink-virus-removal/). No referrer, no UA. alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - Yontoo Adware Variants [CS][May2016][PUP][CatA]"; flow:to_server,established; content:"gdi?alpha="; http_uri; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:123456789; rev:1;) Regards, Carraig Stanwyck USDA | OCIO | ASOC @C4RR41G This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
Attachment:
Installcore Domain Analysis.xlsx
Description: Installcore Domain Analysis.xlsx
Attachment:
Installcore-downloads.txt
Description: Installcore-downloads.txt
Attachment:
YontooVariants.txt
Description: YontooVariants.txt
------------------------------------------------------------------------------ Mobile security can be enabling, not merely restricting. Employees who bring their own devices (BYOD) to work are irked by the imposition of MDM restrictions. Mobile Device Manager Plus allows you to control only the apps on BYO-devices by containerizing them, leaving personal data untouched! https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Installcore Downloads and Aggresive Adware Popups (catches numerous variants) Stanwyck, Carraig - ASOC - Kansas City, MO (May 19)