Re: FP on EXPLOIT-KIT Angler(1:31046)

[Andre DiMino <adimino () sempersecurus org>]

Actually, the negation I used is uricontent:!"aHR0cDovL";

On Wed, Jan 7, 2015 at 1:31 PM, Andre DiMino <adimino () sempersecurus org> wrote:
> I’ve noted a few FP on the EXPLOIT-KIT Angler exploit kit outbound URL
> structure (1:31046) signature. The hits all seem to be related to a
> mobile ad campaigns.  For example, these GET requests trigger the sig:
>
> GET /aHR0cDovL2VtYWlsLWFzc2V0cy5jYXItaG91bmQuY29tL2NoX2F1dG9fYnJhbmRzMS5wbmc=
> HTTP/1.1
> Host: m.scrallshopping[.]com
> Connection: keep-alive
> Accept: image/webp,*/*;q=0.8
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
> Accept-Encoding: gzip, deflate, sdch
> Accept-Language: en-US,en;q=0.8
>
> GET /aHR0cDovL3d3dy5qb2J0aHVuZGVyLmNvbS9lL3BpeGVsLzZyVE9DaTc1Wm1xRjJTTmVveHFGdFlLTA==
> HTTP/1.1
> Host: m.job-binder[.]com
> Connection: keep-alive
> Accept: image/webp,*/*;q=0.8
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
> Accept-Encoding: gzip, deflate, sdch
> Accept-Language: en-US,en;q=0.8
>
> GET /aHR0cHM6Ly9kMjhvdHV3a213NXg2ai5jbG91ZGZyb250Lm5ldC9wZmNsMi9iYWNrZ3JvdW5kLnBuZw==
> HTTP/1.1
> Host: m.shieldchaz[.]com
> Connection: keep-alive
> Accept: image/webp,*/*;q=0.8
> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
> Accept-Encoding: gzip, deflate, sdch
> Accept-Language: en-US,en;q=0.8
>
> GET /aHR0cDovL3d3dy5qb2J0aHVuZGVyLmNvbS9lL3BpeGVsL1ZzZXlVNlpKTUozV1FFaFlFUnhVNUNEZA==
> HTTP/1.1
> Host: m.headhuntexpress[.]com
> Connection: keep-alive
> Accept: image/webp,*/*;q=0.8
> User-Agent: Mozilla/5.0 (Linux; Android 4.4.4; XT1080 Build/SU5-24)
> AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/33.0.0.0
> Mobile Safari/537.36
> Accept-Encoding: gzip,deflate
> Accept-Language: en-US
> X-Requested-With: com.yahoo.mobile.client.android.mail
>
> All the Base64 URI point to an image file hosted elsewhere. Some
> registrations associated with the domains I’ve seen are Cognius,
> Yorkshire Affiliate Promotions, "ReferenceAdvisor", and Azrael
> Creatives.  The m[dot] domains seem to indicate mobile versions of the
> site. I'm suspecting it might just be some attempt to obfuscate the
> URLs of mobile ad campaigns?
>
> In any case, while probably not ideal, I'm going to try negating the
> "aHR0cDovL3" seen in the beginning of the URI to see if it cuts down
> these particular Angler FP.
>
> Any similar observations or thoughts?
> --
>
> Andre' M. DiMino
> DeepEnd Research
> http://deependresearch.org
> http://sempersecurus.org
>
> "Make sure that nobody pays back wrong for wrong, but always try to be
> kind to each other and to everyone else" - 1 Thess 5:15 (NIV)



-- 

Andre' M. DiMino
DeepEnd Research
http://deependresearch.org
http://sempersecurus.org

"Make sure that nobody pays back wrong for wrong, but always try to be
kind to each other and to everyone else" - 1 Thess 5:15 (NIV)

------------------------------------------------------------------------------
Dive into the World of Parallel Programming! The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!