Snort mailing list archives
Re: [Emerging-Sigs] Rule 18773
From: Joel Esler <jesler () sourcefire com>
Date: Sat, 10 Dec 2011 08:31:28 -0500
James,

This is actually our sig, not emerging threats. I'll take a look at what you are saying below; I am sure there are plenty of samples I can pull from.

J

On Dec 9, 2011, at 4:42 PM, Lay, James wrote:

Rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BLACKLIST URI request for known malicious URI - /stat.htm"; flow:to_server,established; content:"/stat.htm?id="; nocase; http_uri; content:"&r="; within:3; distance:7; nocase; http_uri; content:"&repeatip="; distance:0; nocase; http_uri; content:"&rtime="; distance:0; nocase; http_uri; content:"&cnzz_eid="; distance:0; nocase; http_uri; reference:url, labs.snort.org/iplists/urllist-2011-04-07; classtype:trojan-activity; sid:18773; rev:2;)

So... I've been looking at this rule today and noticed a few things. First off, I've noticed that almost all the hits I've seen seem to be called from a stat.php link now. Here's an example flow:

Origin site (compromised?) code snippet:

<div align="center" style="display:none">
<script src="hxxp://s11.bleh.com/stat.php?id=2208120&web_id=2208120" language="JavaScript"></script>
</div>
From the GETting stat.php:
HTTP/1.1 200 OK
Expires: Fri, 09 Dec 2011 21:19:33 GMT
Date: Fri, 09 Dec 2011 19:49:33 GMT
Server: Apache/2.2.19 (Unix)
Last-Modified: Fri, 09 Dec 2011 19:49:33 GMT
Content-Length: 2394
Content-Type: text/html
Age: 1409
X-Via: 1.1 dg46:8105 (Cdn Cache Server V2.0)
Connection: keep-alive

function gv_cnzz(of){
<snip>
document.write('<img src="hxxp://hzs11.bleh.com/stat.htm?id=2208120'+cnzz_data+'" border=0 width=0 height=0 />');
<snip>
document.cookie="cnzz_eid="+escape(cnzz_eid)+";expires="+cnzz_ed.toGMTString()+";path=/";

and from GETting the long stat.htm link:
HTTP/1.1 200 OK
Server: nginx/1.0.4
Date: Fri, 09 Dec 2011 20:13:03 GMT
Content-Type: image/gif
Transfer-Encoding: chunked
Connection: close

2b
GIF89a.............!.......,...........D..;
0

Would it be beneficial to have a rule that includes the stat.php as well?
Or do we care ;) Thanks all.

James

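To make the rule's matching behaviour concrete, here is an added illustration that is not part of the thread and not Snort's own engine: a small Python re-implementation of the content/distance/within chain from SID 18773, run against URIs constructed from the flow above. It shows why the rule does not fire on the stat.php loader James describes, and a caveat of the rule as written: `distance:7; within:3` on "&r=" means the id value must be exactly 7 characters long (the window searched for the 3-byte pattern is 3 bytes wide, starting 7 bytes after "id="), so an 8-digit id would not alert. The `STAT_PHP_LOADER` chain is a hypothetical companion pattern derived from the `<script src>` in the compromised-site snippet, not a published rule, and the sample URIs are constructed (only the 7-digit id comes from the thread). Real Snort matches against a normalized http_uri buffer, which this toy matcher does not model.

```python
"""Toy re-implementation of Snort content/distance/within matching for
SID 18773 (added illustration; not Snort code and not a published rule)."""

from typing import List, Optional, Tuple

# (pattern, distance, within). As in Snort, distance/within are relative to
# the end of the previous content match; within=None means no upper bound.
# Every content in the rule is nocase, so the matcher lower-cases everything.
ContentChain = List[Tuple[str, int, Optional[int]]]

# Content chain lifted from the rule quoted in the thread.
RULE_18773: ContentChain = [
    ("/stat.htm?id=", 0, None),
    ("&r=", 7, 3),            # 3-byte pattern in a 3-byte window 7 bytes on
    ("&repeatip=", 0, None),
    ("&rtime=", 0, None),
    ("&cnzz_eid=", 0, None),
]

# Hypothetical companion chain for the stat.php loader, built from the
# <script src> in the compromised-site snippet. Not a real SID.
STAT_PHP_LOADER: ContentChain = [
    ("/stat.php?id=", 0, None),
    ("&web_id=", 0, None),
]


def chain_matches(uri: str, chain: ContentChain) -> bool:
    """True if every content in `chain` matches `uri` in order, honouring
    Snort-style relative distance (offset) and within (depth) constraints."""
    buf = uri.lower()
    cursor = 0  # end offset of the previous match (Snort's "doe" pointer)
    for i, (pattern, distance, within) in enumerate(chain):
        pat = pattern.lower()
        if i == 0:
            start, end = 0, len(buf)  # first content: search the whole buffer
        else:
            start = cursor + distance
            end = len(buf) if within is None else start + within
        # str.find(sub, start, end) only matches if sub lies wholly in [start, end)
        idx = buf.find(pat, start, end)
        if idx == -1:
            return False
        cursor = idx + len(pat)
    return True


def classify(uri: str) -> List[str]:
    """Names of the chains that fire on `uri` (empty list = no alert)."""
    hits = []
    if chain_matches(uri, RULE_18773):
        hits.append("sid:18773")
    if chain_matches(uri, STAT_PHP_LOADER):
        hits.append("stat.php loader (hypothetical)")
    return hits


# Constructed sample URIs: the 7-digit id is the one seen in the thread,
# the parameter values after it are made up for this example.
SAMPLE_URIS = {
    "stat_htm_beacon": "/stat.htm?id=2208120&r=http%3A%2F%2Fexample.invalid%2F"
                       "&repeatip=0&rtime=1323460000&cnzz_eid=12345-1323460000-",
    "stat_htm_8_digit_id": "/stat.htm?id=22081201&r=http%3A%2F%2Fexample.invalid%2F"
                           "&repeatip=0&rtime=1323460000&cnzz_eid=12345-1323460000-",
    "stat_php_loader": "/stat.php?id=2208120&web_id=2208120",
}

if __name__ == "__main__":
    for name, uri in SAMPLE_URIS.items():
        print(f"{name:20s} -> {classify(uri) or ['no match']}")
```

Running it shows the beacon URI firing on 18773, the 8-digit-id variant silent, and the stat.php request matched only by the hypothetical loader chain, which is the gap the question in the thread is about.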
