Snort mailing list archives
Re: Openadvertising.com Malware Campaign malicious jar sigs
From: "lists () packetmail net" <lists () packetmail net>
Date: Tue, 18 Jun 2013 18:31:29 -0500
On 06/18/2013 06:06 PM, Joel Esler wrote:
Thanks James!
I've got hits and these aren't what I'm seeing, I was seeing 16-byte by 16-byte
to these; James good sig but I see your &k=&h= concatenated together without the
16-byte values. As always James, you rock, despite what Joel says about you :)
hxxp://www.msas.ch/images/_notes/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57
hxxp://www.msas.ch/images/_notes/.cache/?f=sm_main.mp3&k=9899151747059329&h=0504dc8510fdce57
hxxp://www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=9465364283059318&h=0504dc8510fdce57
hxxp://www.la-diag.com/forum.bad/images/.cache/?f=site.jar&k=7484643054057816&h=a8946c52c90a7e96
hxxp://www.arielentertainment.com/images/new_buttons/enter_button/.cache/?f=site.jar&k=6046817725057817&h=a8946c52477b6b89
hxxp://iavisarts.org/include/adodb/.cache/?f=atom.jar&k=9900174397059339&h=0504dc8578794650
Recommending:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"INDICATOR-COMPROMSED openxadvertising.com Malvertising Campaign
URI request"; flow:to_server,established;
content:"/.cache/?f="; http_uri; fast_pattern;
pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U";
metadata:policy balanced-ips drop, policy security-ips drop, service http;
reference:url,http://research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html;
classtype:trojan-activity; sid:10000079; rev:1;
These will catch all variants with no FPs, I ran 05/01/2013+ with the below Hive
query:
SELECT distinct
date_time,user_name,client_ip,http_status,block_reason,url_body_size,media_type,dest_ip,url,url_referrer,user_agent
FROM webwasher_full where day>='2013-05-01' and http_status <> '407'
and url rlike 'http:\\/\\/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$'
Cheers,
Nathan
------------------------------------------------------------------------------
This SF.net email is sponsored by Windows:
Build for Windows Store.
http://p.sf.net/sfu/windows-dev2dev
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Openadvertising.com Malware Campaign malicious jar sigs James Lay (Jun 18)
- Re: Openadvertising.com Malware Campaign malicious jar sigs Joel Esler (Jun 18)
- Re: Openadvertising.com Malware Campaign malicious jar sigs lists () packetmail net (Jun 18)
- Re: Openadvertising.com Malware Campaign malicious jar sigs James Lay (Jun 18)
- Re: Openadvertising.com Malware Campaign malicious jar sigs Joel Esler (Jun 19)
- Re: Openadvertising.com Malware Campaign malicious jar sigs Joel Esler (Jun 19)
- Re: Openadvertising.com Malware Campaign malicious jar sigs James Lay (Jun 19)
- Re: Openadvertising.com Malware Campaign malicious jar sigs lists () packetmail net (Jun 18)
- Re: Openadvertising.com Malware Campaign malicious jar sigs Joel Esler (Jun 19)
- Re: Openadvertising.com Malware Campaign malicious jar sigs James Lay (Jun 19)
- Re: Openadvertising.com Malware Campaign malicious jar sigs Joel Esler (Jun 18)