Snort mailing list archives

IP address check to anonymous-servers.com


From: Tony Robinson <deusexmachina667 () gmail com>
Date: Fri, 25 Jul 2014 11:49:16 -0400

Hello,

Got some interesting indicators from MalwareMustDie that there are
some malware variants that check anonymous-servers.com/ip/ip.php to
figure out where they're at. I wrote a couple of snort rules.
Apologies if these have already been submitted.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI possible IP address check to anonymous-servers.com"; flow:to_server,established; content:"GET"; http_method; content:"/ip/ip.php"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:1000000; rev:1;)

alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request to anonymous-servers.com"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|11|anonymous-servers|03|com"; fast_pattern:only; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:1000001; rev:1;)

comments? improvements?

-- 
when does reality end? when does fantasy begin?

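The DNS rule above matches on the wire-format (length-prefixed) encoding of the hostname and on the flags byte at offset 2 of the DNS header. The following script is an added example, not code from the original post or from the Snort project: it derives the `|11|anonymous-servers|03|com` content string from the plain hostname, builds a constructed DNS query and response for that name, and applies the same two checks the rule expresses (`byte_test:1,!&,0xF8,2` and the label-encoded content) so the rule logic can be sanity-checked offline. The packet bytes are constructed here, not captured traffic.

```python
import struct


def encode_dns_name(name: str) -> bytes:
    """Wire-format DNS name: each label prefixed by its length, terminated by 0x00."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def snort_content_for_name(name: str) -> str:
    """Render the label-encoded name as a Snort content: string, with the
    length prefixes written as |hex| escapes (e.g. |11|anonymous-servers|03|com)."""
    return "".join(f"|{len(label):02x}|{label}" for label in name.rstrip(".").split("."))


def build_dns_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed standard query: header (id, flags=RD, qdcount=1) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_dns_name(name) + struct.pack("!HH", qtype, 1)


def build_dns_response(name: str, txid: int = 0x1234) -> bytes:
    """Constructed response (QR=1, RD, RA) carrying the same question section."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0)
    return header + encode_dns_name(name) + struct.pack("!HH", 1, 1)


def rule_matches(payload: bytes, name: str) -> bool:
    """Approximation of the posted DNS rule's detection logic.

    byte_test:1,!&,0xF8,2  -> the byte at offset 2 has none of bits 0xF8 set,
                              i.e. QR=0 and opcode=0: a standard query, so
                              responses and inverse/status queries do not fire.
    content:"|11|anonymous-servers|03|com" -> the label-encoded name appears
                              anywhere in the UDP payload.
    """
    if len(payload) < 12:          # shorter than a DNS header
        return False
    if payload[2] & 0xF8:          # QR or opcode bits set
        return False
    needle = encode_dns_name(name)[:-1]   # the rule omits the trailing |00|
    return needle in payload


if __name__ == "__main__":
    print(snort_content_for_name("anonymous-servers.com"))
    print(rule_matches(build_dns_query("anonymous-servers.com"), "anonymous-servers.com"))
    print(rule_matches(build_dns_response("anonymous-servers.com"), "anonymous-servers.com"))
```

Because the posted content string stops after `|03|com`, it also matches any longer name that merely contains those labels; appending `|00|` to the content anchors the match at the end of the name if that is the tighter behaviour wanted.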
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
