Snort mailing list archives
Pony checkin
From: James Lay <jlay () slave-tothe-box net>
Date: Wed, 30 Oct 2013 16:55:29 -0600
Didn't see this in the current sets:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC
Win32/Pony Checkin"; flow:to_server,established; content:"POST";
content:"HTTP|2f|1.0"; pcre:"/[a-f0-9]{10,12}/\x2f[a-f0-9]{10,12}/Ui";
content:"Content-Type|3a| application/octet-stream"; http_header;
reference:url,www.invincea.com/2013/10/k-i-a-state-of-ca-beacon-hijacked-kore-exploit-kit-serving-bestav-pony";
classtype:trojan-activity; sid:10000109; rev:1;)
Tested for errors, but not much more (it's late :P)
James
------------------------------------------------------------------------------
Android is increasing in popularity, but the open development platform that
developers love is also attractive to malware creators. Download this white
paper to learn more about secure code signing practices that can help keep
Android apps secure.
http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Pony checkin James Lay (Oct 30)
- Re: Pony checkin James Lay (Oct 30)
- Re: Pony checkin Joel Esler (Oct 31)
- Re: Pony checkin James Lay (Oct 30)