Snort mailing list archives
InstallFast Malware/Adware Variants
From: "Stanwyck, Carraig - ASOC - Kansas City, MO" <Carraig.Stanwyck () asoc usda gov>
Date: Mon, 13 Jun 2016 20:57:18 +0000
Good Evening,

Example download link (submitted to Hybrid Analysis, 75/100 malicious - https://www.hybrid-analysis.com/sample/7a6c52c189e19f6888465cdddb8a6efdda2c5fdfa0648c65e50626843c745e6f?environmentId=100):

2016/6/12 16:11:10 123.45.67.8 107.22.240.253 80 GET searchinfast.com /Impression/Index/lp_download_click?spsource=googledisplay&user_id=f0e799a2-6346-45f4-8abb-b4de28efb7fc&subid2=&traffic_source=appfocus5&subid=undefined,95693094&referrer=http://installfaster.com/?utm_source=adwords&utm_campaign=372740691&utm_term=download&mt=&network=d&kid=kwd-11592331&aid=23526960531&lpurl=http://installfaster.com http://installfaster.com/?utm_source=adwords&utm_campaign=372740691&utm_term=download&mt=&network=d&kid=kwd-11592331&aid=23526960531&lpurl=http://installfaster.com Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 11 200 Success text/plain

NSISDL/1.2 (Mozilla) post-install callback without opening a browser (NOT caught by current rules related to NSISDL/1.2):

2016/6/12 16:11:25 123.45.67.8 52.2.39.169 80 GET imp.searchinfast.com /impression.do?&user_id=f0e799a2-6346-45f4-8abb-b4de28efb7fc&subid=20160612&source=googledisplay&useragent=WindowsNT6.1;Trident/7.0;&adprovider=appfocus5&implementation_id=dm_appfocus5&event=ex_install_start - NSISDL/1.2 (Mozilla) 109 200 OK image/png

Example post-install traffic referrer:

http://search.searchinfast.com/?uid=f0e799a2-6346-45f4-8abb-b4de28efb7fc&uc=20160612&source=googledisplay&ap=appfocus5&i_id=dm_appfocus5

As a result, I created the following rule:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - InstallFaster Adware Variants [CS][June2016][PUP][CatA]"; flow:to_server,established; content:"Referrer"; http_header; content:"&source="; http_uri; content:"uid="; http_uri; distance:0; content:"&uc="; http_uri; distance:0; content:"&ap="; http_uri; distance:0; classtype:trojan-activity; sid:123456789; rev:1;)

Using Bro (awk -F "\t" '$11 ~ /uid=.*uc=.*source=.*ap=/'), I found the following variants that should also be caught by the above rule:

http://home.searchlf.com/?uc=20151220&ap=appfocus5&source=search&uid=58c19fd5-42f6-44dc-86ae-5258318d6401&keyword=gmail&i_id=email_appfocus5_1.4&page=newtab&
http://search.searchfmn.com/?uc=20160225&ap=appfocus29&source=4692-ywwyduoT388M1uuMKQuC&uid=b6b588df-dc1b-4d06-8459-d92174a7a561&i_id=maps_appfocus29_1.8&page=newtab&

Carraig Stanwyck
USDA | OCIO | ASOC
@C4RR41G

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized interception of this message or the use or disclosure of the information it contains may violate the law and subject the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the sender and delete the email immediately.
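As an added example (not from the post or from anyone in the thread), a Python script that models the two order-sensitive checks in the post, the rule's http_uri content chain with distance:0 and the awk referrer regex, beside an order-independent check on the parsed query parameters, and runs that check over constructed Bro http.log lines whose referrers are the three URLs quoted above. It assumes Bro 2.x http.log column order (referrer in field 11) and is a simplified model of content matching, not a Snort engine; the chained contents only fire when source, uid, uc and ap appear in the rule's order, while the parameter-set check flags all three referrers in whatever order the parameters arrive.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Order-sensitive checks as posted: the rule's http_uri contents chained with
# distance:0 (each must follow the previous match) and the awk referrer regex.
RULE_URI_CHAIN = ("&source=", "uid=", "&uc=", "&ap=")
AWK_REFERRER_RE = re.compile(r"uid=.*uc=.*source=.*ap=")
# Order-independent check: the query parameters all three sample URLs share.
TRACKING_PARAMS = {"uid", "uc", "source", "ap"}

def ordered_chain(haystack, needles):
    """True if every needle occurs after the end of the previous one; taking the
    leftmost occurrence each time never prevents a later needle from matching."""
    pos = 0
    for needle in needles:
        idx = haystack.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)
    return True

def has_tracking_params(url):
    """True if the query string carries uid, uc, source and ap in any order."""
    return TRACKING_PARAMS <= set(parse_qs(urlsplit(url).query, keep_blank_values=True))

def flag_http_log(http_log):
    """Scan tab-separated Bro http.log lines (Bro 2.x column order assumed, so the
    referrer is field 11 / index 10) and return the referrers carrying the set."""
    hits = []
    for line in http_log.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) > 10 and fields[10] != "-" and has_tracking_params(fields[10]):
            hits.append(fields[10])
    return hits

# Constructed log lines: the referrers are the three URLs quoted in the post plus one benign one.
REFERRERS = [
    "http://search.searchinfast.com/?uid=f0e799a2-6346-45f4-8abb-b4de28efb7fc&uc=20160612&source=googledisplay&ap=appfocus5&i_id=dm_appfocus5",
    "http://home.searchlf.com/?uc=20151220&ap=appfocus5&source=search&uid=58c19fd5-42f6-44dc-86ae-5258318d6401&keyword=gmail&i_id=email_appfocus5_1.4&page=newtab&",
    "http://search.searchfmn.com/?uc=20160225&ap=appfocus29&source=4692-ywwyduoT388M1uuMKQuC&uid=b6b588df-dc1b-4d06-8459-d92174a7a561&i_id=maps_appfocus29_1.8&page=newtab&",
    "https://www.example.org/",
]
SAMPLE_HTTP_LOG = "\n".join(
    "\t".join(["1465747870.0", "CAbc123", "123.45.67.8", "50000", "52.2.39.169", "80", "1",
               "GET", "imp.searchinfast.com", "/impression.do", ref, "NSISDL/1.2 (Mozilla)"])
    for ref in REFERRERS)
```

flag_http_log(SAMPLE_HTTP_LOG) returns the three quoted referrers and skips the benign one; ordered_chain(uri, RULE_URI_CHAIN) shows which URIs the posted content chain would accept.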
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- InstallFast Malware/Adware Variants Stanwyck, Carraig - ASOC - Kansas City, MO (Jun 13)
- Re: [Emerging-Sigs] InstallFast Malware/Adware Variants Will Metcalf (Jun 13)