Snort mailing list archives
Re: Quick Android/Fakelash.A!tr.spy sig
From: James Lay <jlay () slave-tothe-box net>
Date: Mon, 24 Sep 2012 12:12:03 -0600
On Sep 24, 2012, at 11:40 AM, Joel Esler <jesler () sourcefire com> wrote:
James, it looks like the sections you wrote your sig off of are the text message and the phone number from the phone being sent; this would change every time. So given the information I have I wrote the following:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; content:"/data.php?action="; http_uri; nocase; content:"&m="; nocase; http_uri; distance:0; content:"&p="; http_uri; nocase; distance:0; content:"&n="; http_uri; nocase; distance:0; metadata:policy security-ips drop, service http; reference:url,http://blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity;)

Please let me know how that works out.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Sep 21, 2012, at 5:14 PM, James Lay <jlay () slave-tothe-box net> wrote:
Thanks Joel…leave it to me to focus on the wrong element 8-| I'll let you know what I see. James
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
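To see what Joel's rule actually pins down, the following is an added example (not code from the thread, Sourcefire or the VRT) that emulates the rule's four http_uri content matches, including nocase and the distance:0 ordering constraint, against constructed HTTP requests; the hostnames, message text and phone numbers are made up.

```python
"""Emulate the content/nocase/distance:0 logic of the Fakelash rule in Python.

Added example; the four patterns and their modifiers are taken from the rule
posted in the thread, the sample requests below are constructed.
"""
import re

# (pattern, nocase, relative): relative=True models distance:0, i.e. the
# search starts where the previous content match ended.
RULE_CONTENTS = [
    ("/data.php?action=", True, False),
    ("&m=", True, True),
    ("&p=", True, True),
    ("&n=", True, True),
]

def extract_uri(request: bytes) -> str:
    """Return the request-target from the request line (Snort's http_uri buffer)."""
    first_line = request.split(b"\r\n", 1)[0].decode("latin-1")
    m = re.match(r"^[A-Z]+ (\S+) HTTP/1\.[01]$", first_line)
    return m.group(1) if m else ""

def rule_matches(uri: str) -> bool:
    """Sequential content matching: every pattern must be found, each relative
    one at or after the end of the previous match."""
    cursor = 0
    for pattern, nocase, relative in RULE_CONTENTS:
        hay, needle = (uri.lower(), pattern.lower()) if nocase else (uri, pattern)
        idx = hay.find(needle, cursor if relative else 0)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True

# Constructed traffic: two beacons (one mixed case), one with the parameters
# in a different order, and one benign lookalike URI.
CONSTRUCTED_REQUESTS = {
    "beacon": b"GET /data.php?action=sms&m=Hello+World&p=%2B15550100&n=Alice HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "beacon_mixed_case": b"GET /DATA.PHP?Action=ping&M=&P=&N= HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "reordered": b"GET /data.php?action=sms&n=Alice&p=1&m=hi HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "benign": b"GET /index.php?action=login&m=1 HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

def classify(requests=CONSTRUCTED_REQUESTS) -> dict:
    """Map each constructed request to whether the rule would fire on it."""
    return {name: rule_matches(extract_uri(req)) for name, req in requests.items()}

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:18s} {'ALERT' if hit else 'no match'}")
```

The "reordered" request shows that distance:0 makes parameter order part of the match: the rule keys on the fixed parameter names, not on the changing message and number values, but a sample emitting the parameters in another order would need its own rule.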
Current thread:
- Quick Android/Fakelash.A!tr.spy sig James Lay (Sep 21)
- Re: Quick Android/Fakelash.A!tr.spy sig Joel Esler (Sep 21)
- Re: Quick Android/Fakelash.A!tr.spy sig Joel Esler (Sep 24)
- Re: Quick Android/Fakelash.A!tr.spy sig James Lay (Sep 24)