Snort mailing list archives

Rule Submissions


From: "Stanwyck, Carraig - ASOC - Kansas City, MO" <Carraig.Stanwyck () asoc usda gov>
Date: Wed, 18 May 2016 08:55:29 +0000

Good Morning,

My apologies if these are duplicates.

DriverRestore | DriverWhiz (383media.com).  We caught this app sending user information (computer name, user name, user 
access level, etc) as part of the URI when communicating with the C2.  It's pretty aggressive adware, the type that 
finds problems that don't exist and expects payment to fix those non-existent problems.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - Malware User Agent (DriverRestore) [CS][May2016][PUP][CatA]"; flow:established,to_server; content:"User-Agent|3A 20|DriverRestore"; http_header; nocase; reference:url,http://www.shouldiremoveit.com/DriverRestore-121212-program.aspx; classtype:trojan-activity; sid:123456789; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - Malware User Agent (DriverWhiz) [CS][May2016][PUP][CatA]"; flow:established,to_server; content:"User-Agent|3A 20|DriverWhiz"; http_header; nocase; reference:url,https://www.symantec.com/security_response/writeup.jsp?docid=2015-071014-4617-99&tabid=2; classtype:trojan-activity; sid:123456789; rev:1;)

These other two are user agents of aggressive adware as well.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - BLACKLIST User Agent (PCAcceleratePro) [CS][May2016][PUP][CatA]"; flow:established,to_server; content:"User-Agent|3A 20|PCAcceleratePro"; http_header; reference:url,https://www.malwareviz.com/T4/static/html/MalwareViz_e6b495b4842f81aa9fed02ccf0f2541c.html#; classtype:trojan-activity; sid:123456789; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - BLACKLIST User Agent Spigot (WidgiToolbar) [CS][May2016][PUP][CatA]"; flow:established,to_server; content:"User-Agent|3A 20|WidgiToolbar"; http_header; reference:url,https://malwaretips.com/blogs/searchsettings-exe-removal/; classtype:trojan-activity; sid:123456789; rev:1;)

Carraig Stanwyck
@C4RR41G
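
The matching these four rules perform, as an added offline check that is not part of the original post and not the submitter's code: the script below copies the four rules (each joined onto one line, as Snort requires), expands the `|3A 20|` hex escapes in each `content`, and runs the match over constructed HTTP requests (sample data, not captured traffic). It approximates the Snort 2.9 `http_header` buffer as the header lines after the request line. Two things a reviewer would want to see before loading the rules: all four carry the placeholder `sid:123456789`, which Snort will refuse to load together until each sid is unique, and the PCAcceleratePro and WidgiToolbar rules lack `nocase`, so a lower-cased agent string slips past them while the DriverRestore and DriverWhiz rules still fire. The host name `c2.invalid` and the beacon URI are made up for the example.

```python
"""Offline check of the four submitted User-Agent rules.

Rule text is copied from the post, one rule per line. The HTTP requests
built below are constructed samples, not captured traffic.
"""
import re

RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - Malware User Agent (DriverRestore) [CS][May2016][PUP][CatA]"; flow:established,to_server; content:"User-Agent|3A 20|DriverRestore"; http_header; nocase; reference:url,http://www.shouldiremoveit.com/DriverRestore-121212-program.aspx; classtype:trojan-activity; sid:123456789; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - Malware User Agent (DriverWhiz) [CS][May2016][PUP][CatA]"; flow:established,to_server; content:"User-Agent|3A 20|DriverWhiz"; http_header; nocase; reference:url,https://www.symantec.com/security_response/writeup.jsp?docid=2015-071014-4617-99&tabid=2; classtype:trojan-activity; sid:123456789; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - BLACKLIST User Agent (PCAcceleratePro) [CS][May2016][PUP][CatA]"; flow:established,to_server; content:"User-Agent|3A 20|PCAcceleratePro"; http_header; reference:url,https://www.malwareviz.com/T4/static/html/MalwareViz_e6b495b4842f81aa9fed02ccf0f2541c.html#; classtype:trojan-activity; sid:123456789; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - BLACKLIST User Agent Spigot (WidgiToolbar) [CS][May2016][PUP][CatA]"; flow:established,to_server; content:"User-Agent|3A 20|WidgiToolbar"; http_header; reference:url,https://malwaretips.com/blogs/searchsettings-exe-removal/; classtype:trojan-activity; sid:123456789; rev:1;)',
]

# One rule option: name, optional ':value' (quoted values may contain ';'), then ';'.
OPTION_RE = re.compile(r'\s*(\w+)(?::("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


def parse_rule(rule):
    """Return the rule's options as a dict; flag options (nocase, http_header) map to True."""
    opts = rule.partition("(")[2].rstrip().rstrip(")")
    parsed = {}
    for name, value in OPTION_RE.findall(opts):
        parsed[name] = True if value == "" else value.strip('"')
    return parsed


def decode_content(pattern):
    """Expand Snort |hex| escapes: 'User-Agent|3A 20|X' -> b'User-Agent: X'."""
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)


def header_buffer(request):
    """Approximate the http_header buffer: header lines after the request line."""
    head = request.split(b"\r\n\r\n", 1)[0]
    return head.split(b"\r\n", 1)[1] if b"\r\n" in head else b""


def rule_matches(rule, request):
    """Apply one rule's content match (honouring http_header and nocase) to a raw request."""
    opts = parse_rule(rule)
    needle = decode_content(opts["content"])
    hay = header_buffer(request) if opts.get("http_header") else request
    if opts.get("nocase"):
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def scan(request):
    """Return the msg of every rule that fires on the request."""
    return [parse_rule(r)["msg"] for r in RULES if rule_matches(r, request)]


def duplicate_sids():
    """Snort rejects two rules with the same gid:sid; report any collisions."""
    by_sid = {}
    for r in RULES:
        opts = parse_rule(r)
        by_sid.setdefault(opts["sid"], []).append(opts["msg"])
    return {sid: msgs for sid, msgs in by_sid.items() if len(msgs) > 1}


def make_request(user_agent, path=b"/"):
    """Constructed sample request; the host and URI are invented for this example."""
    return (b"GET " + path + b" HTTP/1.1\r\nHost: c2.invalid\r\n"
            b"User-Agent: " + user_agent + b"\r\n\r\n")


SAMPLES = {
    # beacon carrying host/user details in the URI, as described in the post
    "beacon": make_request(b"DriverRestore", b"/chk?cn=WKS01&user=jdoe&level=admin"),
    "whiz_lower": make_request(b"driverwhiz/2.0"),          # fires: rule has nocase
    "pcap_lower": make_request(b"pcacceleratepro"),         # misses: no nocase
    "widgi_embedded": make_request(b"Mozilla/5.0 (compatible; WidgiToolbar)"),  # misses
    "benign": make_request(b"Mozilla/5.0"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:15} -> {scan(req)}")
    print("duplicate sids:", duplicate_sids())
```

Because each `content` starts with the header name, a product string that appears later in the User-Agent value (the `widgi_embedded` sample) does not trigger; that is consistent with the rules' intent of catching the bare agent, but it is worth knowing when the same products ship with a Mozilla-style prefix.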
