Re: Mac OSX Ransomware

[Nick Randolph <drandolph () sourcefire com>]

I thought that the content match you had was unique enough to make the PCRE
unnecessary. Here is what the rule will look like.

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER
Mac OSX FBI ransomware"; flow:to_client,established; file_data;
content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED";
fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop,
policy security-ips drop, ruleset community, service http; reference:url,
blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/;
classtype:trojan-activity; sid:27246; rev:1;)

Thanks Paul


On Thu, Jul 18, 2013 at 6:20 AM, Paul Bottomley
<Paul.Bottomley () betfair com>wrote:

>  Morning!****
>
> ** **
>
> Probably not the best written rule given the amount of matches on the
> regex and I’m sure there are loads of ways to write this rule (see source
> on pastebin link), so if anyone wants to better this feel free J****
>
> ** **
>
>
> http://blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/
> ****
>
> http://pastebin.com/THRQ1Xp2****
>
> ** **
>
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"[DELIVERY] Mac
> OSX Ransomware Excessive iframes"; flow:to_client,established; file_data;
> content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED";
> fast_pattern; pcre:"/(?:<iframe\s+src=.*){150}/";............)****
>
> ** **
>
> Thanks,****
>
> Paul****
>
> ** **
>
> ________________________________________________________________________
> In order to protect our email recipients, Betfair Group use SkyScan from
> MessageLabs to scan all Incoming and Outgoing mail for viruses.
>
> ________________________________________________________________________
>
>
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!



-- 

Nick Randolph
Research Engineer
Sourcefire, Inc.
nrandolph () sourcefire com
Sourcefire.com <http://www.sourcefire.com/>

------------------------------------------------------------------------------
See everything from the browser to the database with AppDynamics
Get end-to-end visibility with application monitoring from AppDynamics
Isolate bottlenecks and diagnose root cause in seconds.
Start your free trial of AppDynamics Pro today!
http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!