Re: Malicious UA sig thoughts

[James Lay <jlay () slave-tothe-box net>]

On 2012-09-18 10:30, lists () packetmail net wrote:
> On 09/18/12 10:55, James Lay wrote:
> > I've been tracking a malicious email campaign that, via email, fires
> > sig 24102.  The email is usually a single image and link pointing to 
> > a
> > compromised server.  Once this is clicked a zip file is served
> > (currently INVOICE_FORM.zip); once extracted INVOICE_FORM.exe is
> > created, and once run, injects code into svchost.exe.  The below is 
> > a
> > sig to catch the UA on port 84 which it uses in my testing of 
> > multiple
> > exe's:
>
> Excellent find, analysis, and write-up James!  I wonder too if 
> there's some
> value in some type of signature like:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"VRT
> COMMUNITY POLICY
> HTTP User-Agent and Host header seen on port not defined in 
> HTTP_PORTS to
> EXTERNAL_NET could be malware"; flow:to_server,established; 
> content:"|0d
> 0a|User-Agent|3a 20|"; fast_pattern:only; content:"|0d 0a|Host|3a
> 20|"; nocase;
> classtype:policy-violation; sid:x; rev:1;)
>
> Cheers,
> Nathan
>
> Thanks,
> Nathan


Thanks Nathan,

I think I'll try and test out your rule...I'll let you know how it 
flies.

James

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!