Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Pony checkin

From: Joel Esler <joel.esler () me com>
Date: Thu, 31 Oct 2013 09:00:15 -0400

On Oct 30, 2013, at 7:29 PM, James Lay <jlay () slave-tothe-box net> wrote:


On Oct 30, 2013, at 4:55 PM, James Lay <jlay () slave-tothe-box net> wrote:


Didn't see this in the current sets:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Win32/Pony Checkin"; flow:to_server,established; content:"POST"; 
content:"HTTP|2f|1.0"; pcre:"/[a-f0-9]{10,12}/\x2f[a-f0-9]{10,12}/Ui"; 
content:"Content-Type|3a| application/octet-stream"; http_header; 
reference:url,www.invincea.com/2013/10/k-i-a-state-of-ca-beacon-hijacked-kore-exploit-kit-serving-bestav-pony"; 
classtype:trojan-activity; sid:10000109; rev:1;)

Tested for errors, but not much more (it's late :P)

James



Sloppy work…changed here:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Pony Checkin"; 
flow:to_server,established; content:"POST"; http_method; content:"HTTP|2f|1.0"; 
pcre:”/\x2f[a-f0-9]{10,12}\x2f[a-f0-9]{10,12}/Ui"; content:"Content-Type|3a| application/octet-stream"; http_header; 
reference:url,www.invincea.com/2013/10/k-i-a-state-of-ca-beacon-hijacked-kore-exploit-kit-serving-bestav-pony"; 
classtype:trojan-activity; sid:10000109; rev:1;)



Thanks James, we’ll have someone take a look!

--
Joel Esler
AEGIS Intelligence Lead
OpenSource Community Manager
Vulnerability Research Team, Sourcefire
------------------------------------------------------------------------------
Android is increasing in popularity, but the open development platform that
developers love is also attractive to malware creators. Download this white
paper to learn more about secure code signing practices that can help keep
Android apps secure.
http://pubads.g.doubleclick.net/gampad/clk?id=65839951&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
Previous By Date Next
Previous By Thread Next

Current thread: