Snort mailing list archives

Installcore Downloads and Aggressive Adware Popups (catches numerous variants)


From: "Stanwyck, Carraig - ASOC - Kansas City, MO" <Carraig.Stanwyck () asoc usda gov>
Date: Thu, 19 May 2016 10:36:28 +0000

Good Morning,

As usual, my apologies if these are duplicates.  I did not find these when grepping the community ruleset.

First up, Installcore downloads.  This particular campaign mimics the tactics of some of the malware we track by 
changing domains on an often daily basis, so blocking domains does nothing.  See the attached XLS I created a few months 
back tracking those changes for a few days.  A log of example traffic is attached; the pattern hasn't changed in over 6 months, 
but neither has the activity slowed down.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - Malicious Installcore Download [CS][Oct2015][PUP][CatA]"; flow:to_server,established; content:"c?x="; http_uri; distance:0; content:"&c="; http_uri; distance:0; classtype:trojan-activity; sid:123456789; rev:1;)


Next up, this rule will catch check-ins and downloads for the following aggressive adware programs developed by Yontoo: 
Rock Turner (https://malwaretips.com/blogs/rock-turner-virus/), Bomlabio 
(https://malwaretips.com/blogs/ads-by-bomlabio-removal/), My Buzz Search 
(https://malwaretips.com/blogs/buzzsearch-virus-removal/), and Looking Link 
(https://malwaretips.com/blogs/lookinglink-virus-removal/).  No referrer, no UA.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - Yontoo Adware Variants [CS][May2016][PUP][CatA]"; flow:to_server,established; content:"gdi?alpha="; http_uri; content:!"Referer|3a 20|"; http_header; classtype:trojan-activity; sid:123456789; rev:1;)

Regards,

Carraig Stanwyck
USDA | OCIO | ASOC
@C4RR41G




This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized 
interception of this message or the use or disclosure of the information it contains may violate the law and subject 
the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the 
sender and delete the email immediately.

Attachment: Installcore Domain Analysis.xlsx
Description: Installcore Domain Analysis.xlsx

Attachment: Installcore-downloads.txt
Description: Installcore-downloads.txt

Attachment: YontooVariants.txt
Description: YontooVariants.txt
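To make the match logic of the two submitted signatures concrete, here is an added Python re-implementation (not code from the post, its author, or the Snort project) that applies the same conditions to constructed sample HTTP requests. It mirrors the rules as written: the Installcore rule needs "c?x=" in the URI followed (distance:0, i.e. after the previous match) by "&c="; the Yontoo rule needs "gdi?alpha=" in the URI and no "Referer: " header. The hostnames and query values in the samples are invented, and the Snort http_uri normalization is simplified to the raw request-line URI.

```python
"""Offline re-implementation of the two posted Snort signatures' match logic.

The sample requests below are constructed for illustration, not captured traffic.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

INSTALLCORE_MSG = "ASOC Custom - Malicious Installcore Download [CS][Oct2015][PUP][CatA]"
YONTOO_MSG = "ASOC Custom - Yontoo Adware Variants [CS][May2016][PUP][CatA]"


@dataclass
class HttpRequest:
    method: str
    uri: str                 # stands in for Snort's http_uri buffer (simplified: no normalization)
    headers: Dict[str, str]  # lower-cased header name -> value
    raw_headers: bytes       # stands in for Snort's http_header buffer


def parse_request(raw: bytes) -> HttpRequest:
    """Parse a raw HTTP/1.x request head into its parts."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    raw_headers = b"\r\n".join(lines[1:])
    return HttpRequest(method.decode(), uri.decode(), headers, raw_headers)


def matches_installcore(req: HttpRequest) -> bool:
    """content:"c?x="; http_uri; content:"&c="; http_uri; distance:0;

    distance:0 on the second content means the search starts at the end of the
    previous match, so "&c=" appearing *before* "c?x=" does not satisfy the rule.
    """
    first = req.uri.find("c?x=")
    if first < 0:
        return False
    return req.uri.find("&c=", first + len("c?x=")) >= 0


def matches_yontoo(req: HttpRequest) -> bool:
    """content:"gdi?alpha="; http_uri; content:!"Referer|3a 20|"; http_header;

    The negated content is a case-sensitive byte match on the header block,
    exactly as Snort would evaluate it without the nocase modifier.
    """
    return "gdi?alpha=" in req.uri and b"Referer: " not in req.raw_headers


def scan(requests: List[bytes]) -> List[Tuple[int, str]]:
    """Return (request index, rule msg) for every request that fires a rule."""
    hits: List[Tuple[int, str]] = []
    for idx, raw in enumerate(requests):
        req = parse_request(raw)
        if matches_installcore(req):
            hits.append((idx, INSTALLCORE_MSG))
        if matches_yontoo(req):
            hits.append((idx, YONTOO_MSG))
    return hits


# Constructed sample requests (hostnames and parameter values are made up).
SAMPLE_REQUESTS: List[bytes] = [
    # 0: Installcore-style download URI -> fires rule 1
    b"GET /c?x=abc123&c=def456 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    # 1: Yontoo-style check-in, no Referer and no User-Agent -> fires rule 2
    b"GET /gdi?alpha=1&beta=2 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    # 2: same URI but a Referer header is present -> the negated content blocks the alert
    b"GET /gdi?alpha=1 HTTP/1.1\r\nHost: example.invalid\r\nReferer: http://example.invalid/\r\n\r\n",
    # 3: "&c=" occurs before "c?x=", so distance:0 is not satisfied -> no alert
    b"GET /a&c=1/c?x=2 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    # 4: ordinary request -> no alert
    b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]


if __name__ == "__main__":
    for idx, msg in scan(SAMPLE_REQUESTS):
        print(f"request {idx}: {msg}")
```

Running the script prints one line per alert for requests 0 and 1 only; requests 2 and 3 are included to show the two conditions a reader most often gets wrong when reading the rules, the negated header content and the relative distance:0.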

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org