Snort mailing list archives

Re: Malicious UA sig thoughts


From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 18 Sep 2012 11:30:17 -0500

On 09/18/12 10:55, James Lay wrote:
I've been tracking a malicious email campaign that, via email, fires sig 24102. The email is usually a single image and link pointing to a compromised server. Once this is clicked a zip file is served (currently INVOICE_FORM.zip); once extracted INVOICE_FORM.exe is created, and once run, injects code into svchost.exe. The below is a sig to catch the UA on port 84 which it uses in my testing of multiple exes:

Excellent find, analysis, and write-up, James!  I wonder too if there's some value in some type of signature like:

alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"VRT COMMUNITY POLICY HTTP User-Agent and Host header seen on port not defined in HTTP_PORTS to EXTERNAL_NET could be malware"; \
    flow:to_server,established; content:"|0d 0a|User-Agent|3a 20|"; fast_pattern:only; \
    content:"|0d 0a|Host|3a 20|"; nocase; classtype:policy-violation; sid:x; rev:1;)

Cheers,
Nathan


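Added example (not from this thread or the Snort project): a small Python model of the proposed rule's logic run over constructed client-to-server segments, so the port test and the two content matches can be checked offline. HTTP_PORTS, the payloads and the host names are constructed placeholders; it also shows that the User-Agent content, which lacks nocase, does not match a lowercase header name.

```python
"""Model of the proposed Snort rule: HTTP-looking headers sent to a non-HTTP port."""

# Constructed stand-in for the HTTP_PORTS variable in snort.conf; the real
# variable lists many more ports, so substitute yours when reproducing this.
HTTP_PORTS = {80, 8080, 8000, 8888}

# content:"|0d 0a|User-Agent|3a 20|" carries no nocase, so it is an exact-case match.
UA_HEADER = b"\r\nUser-Agent: "
# content:"|0d 0a|Host|3a 20|"; nocase -> compared against a lower-cased payload.
HOST_HEADER = b"\r\nhost: "


def rule_fires(dst_port: int, to_server: bool, payload: bytes) -> bool:
    """True when the port test and both content matches of the rule succeed."""
    if not to_server:                        # flow:to_server,established
        return False
    if dst_port in HTTP_PORTS:               # -> $EXTERNAL_NET !$HTTP_PORTS
        return False
    if UA_HEADER not in payload:             # case-sensitive User-Agent header
        return False
    return HOST_HEADER in payload.lower()    # case-insensitive Host header


def scan(flows):
    """Return the labels of the constructed flows the rule would alert on."""
    return [label for label, port, payload in flows if rule_fires(port, True, payload)]


# Constructed sample segments; UA strings and hosts are placeholders, not real IoCs.
FLOWS = [
    ("beacon-port-84", 84,
     b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible)\r\nHost: c2.example.invalid\r\n\r\n"),
    ("normal-port-80", 80,
     b"GET / HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\nHost: www.example.com\r\n\r\n"),
    ("lowercase-ua-port-84", 84,            # slips past: User-Agent content has no nocase
     b"GET / HTTP/1.1\r\nuser-agent: custom\r\nHost: c2.example.invalid\r\n\r\n"),
    ("no-host-port-84", 84,                 # HTTP/1.0 style request without a Host header
     b"GET / HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
]

if __name__ == "__main__":
    for label in scan(FLOWS):
        print("ALERT", label)
```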
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
