Snort mailing list archives

InstallFast Malware/Adware Variants


From: "Stanwyck, Carraig - ASOC - Kansas City, MO" <Carraig.Stanwyck () asoc usda gov>
Date: Mon, 13 Jun 2016 20:57:18 +0000

Good Evening,

Example download link (submitted to Hybrid Analysis, 75/100 malicious:
https://www.hybrid-analysis.com/sample/7a6c52c189e19f6888465cdddb8a6efdda2c5fdfa0648c65e50626843c745e6f?environmentId=100):
2016/6/12 16:11:10  123.45.67.8 -> 107.22.240.253:80  GET  searchinfast.com
  URI: /Impression/Index/lp_download_click?spsource=googledisplay&user_id=f0e799a2-6346-45f4-8abb-b4de28efb7fc&subid2=&traffic_source=appfocus5&subid=undefined,95693094&referrer=http://installfaster.com/?utm_source=adwords&utm_campaign=372740691&utm_term=download&mt=&network=d&kid=kwd-11592331&aid=23526960531&lpurl=http://installfaster.com
  Referrer: http://installfaster.com/?utm_source=adwords&utm_campaign=372740691&utm_term=download&mt=&network=d&kid=kwd-11592331&aid=23526960531&lpurl=http://installfaster.com
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
  11  200  Success  text/plain

NSISDL/1.2 (Mozilla) post-install callback without opening a browser (NOT caught by current rules related to NSISDL/1.2):
2016/6/12 16:11:25  123.45.67.8 -> 52.2.39.169:80  GET  imp.searchinfast.com
  URI: /impression.do?&user_id=f0e799a2-6346-45f4-8abb-b4de28efb7fc&subid=20160612&source=googledisplay&useragent=WindowsNT6.1;Trident/7.0;&adprovider=appfocus5&implementation_id=dm_appfocus5&event=ex_install_start
  Referrer: -
  User-Agent: NSISDL/1.2 (Mozilla)
  109  200  OK  image/png

Example post-install traffic referrer:
http://search.searchinfast.com/?uid=f0e799a2-6346-45f4-8abb-b4de28efb7fc&uc=20160612&source=googledisplay&ap=appfocus5&i_id=dm_appfocus5

As a result, I created the following rule:
# HTTP spells the header "Referer" (one r), so the header match uses that spelling.
# The four URI parameters appear in varying order across the captured variants, so
# each content is matched independently (no distance:0 chaining between them).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom - InstallFaster Adware Variants [CS][June2016][PUP][CatA]"; flow:to_server,established; content:"Referer"; http_header; content:"&source="; http_uri; content:"uid="; http_uri; content:"&uc="; http_uri; content:"&ap="; http_uri; classtype:trojan-activity; sid:123456789; rev:1;)

Using Bro (awk -F "\t" '$11 ~ /uid=.*uc=.*source=.*ap=/'), I found the following variants that should also be caught by the above rule:
http://home.searchlf.com/?uc=20151220&ap=appfocus5&source=search&uid=58c19fd5-42f6-44dc-86ae-5258318d6401&keyword=gmail&i_id=email_appfocus5_1.4&page=newtab&;
http://search.searchfmn.com/?uc=20160225&ap=appfocus29&source=4692-ywwyduoT388M1uuMKQuC&uid=b6b588df-dc1b-4d06-8459-d92174a7a561&i_id=maps_appfocus29_1.8&page=newtab&;

Carraig Stanwyck
USDA | OCIO | ASOC
@C4RR41G

This electronic message contains information generated by the USDA solely for the intended recipients. Any unauthorized 
interception of this message or the use or disclosure of the information it contains may violate the law and subject 
the violator to civil or criminal penalties. If you believe you have received this message in error, please notify the 
sender and delete the email immediately.
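Added example, not code from the post above or from the Snort project: the same detection idea applied over a handful of constructed Zeek/Bro-style http.log rows. The column layout used here (ts, id.orig_h, host, uri, referrer, user_agent) is an abbreviated, made-up subset of the real log; the URLs are the ones quoted in the post (some shortened), while the timestamps, the benign row and the heuristic names are assumptions. It checks for the four tracking parameters independently of their order, flags the NSISDL installer beacon by its User-Agent, and, for comparison, emulates how a content/distance:0 chain in the order source, uid, uc, ap would evaluate against the captured URLs.

```python
"""Order-independent detection of the appfocus/searchinfast tracking URLs.

Added example, not from the mailing-list post. Column layout, timestamps and
the benign row are constructed; the adware URLs are the ones quoted in the post.
"""
from urllib.parse import parse_qs, urlsplit

# Parameter names every post-install search URL in the post carries, in varying order.
TRACKING_PARAMS = ("uid", "uc", "source", "ap")

# A Snort content chain with distance:0 between each piece: every string has to
# occur after the end of the previous match. Used here only to show what such a
# fixed-order chain would do against the captured URLs.
ORDERED_CHAIN = ("&source=", "uid=", "&uc=", "&ap=")

IE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"
GUID = "f0e799a2-6346-45f4-8abb-b4de28efb7fc"  # tracking id seen in the post


def _row(ts, src, host, uri, referrer, ua):
    return "\t".join((ts, src, host, uri, referrer, ua))


# Constructed log: columns ts, id.orig_h, host, uri, referrer, user_agent.
SAMPLE_LOG = "\n".join([
    # 1. landing-page click from the browser: no uid/uc/ap yet, must not fire
    _row("1465747870.0", "123.45.67.8", "searchinfast.com",
         "/Impression/Index/lp_download_click?spsource=googledisplay&user_id="
         + GUID + "&subid2=&traffic_source=appfocus5",
         "http://installfaster.com/?utm_source=adwords&utm_campaign=372740691", IE_UA),
    # 2. NSIS installer beacon sent without a browser
    _row("1465747885.0", "123.45.67.8", "imp.searchinfast.com",
         "/impression.do?&user_id=" + GUID + "&subid=20160612&source=googledisplay"
         "&adprovider=appfocus5&implementation_id=dm_appfocus5&event=ex_install_start",
         "-", "NSISDL/1.2 (Mozilla)"),
    # 3-5. post-install search URLs: same four parameters, three different orders
    _row("1465747900.0", "123.45.67.8", "search.searchinfast.com",
         "/?uid=" + GUID + "&uc=20160612&source=googledisplay&ap=appfocus5&i_id=dm_appfocus5",
         "-", IE_UA),
    _row("1450650000.0", "123.45.67.9", "home.searchlf.com",
         "/?uc=20151220&ap=appfocus5&source=search&uid=58c19fd5-42f6-44dc-86ae-5258318d6401"
         "&keyword=gmail&i_id=email_appfocus5_1.4&page=newtab&;", "-", IE_UA),
    _row("1456400000.0", "123.45.67.10", "search.searchfmn.com",
         "/?uc=20160225&ap=appfocus29&source=4692-ywwyduoT388M1uuMKQuC"
         "&uid=b6b588df-dc1b-4d06-8459-d92174a7a561&i_id=maps_appfocus29_1.8&page=newtab&;",
         "-", IE_UA),
    # 6. invented benign request sharing two of the names: must not fire
    _row("1465748000.0", "123.45.67.11", "example.org", "/api/profile?uid=42&source=web",
         "-", IE_UA),
])


def parse_http_log(text):
    """Parse tab-separated rows into dicts; blank, comment and malformed lines are skipped."""
    cols = ("ts", "orig_h", "host", "uri", "referrer", "user_agent")
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) == len(cols):
            rows.append(dict(zip(cols, fields)))
    return rows


def query_params(uri):
    """Query-string parameters of a request URI as {name: [values]}."""
    return parse_qs(urlsplit(uri).query, keep_blank_values=True)


def has_tracking_params(uri, required=TRACKING_PARAMS):
    """True when every required parameter name is present, whatever the order."""
    return all(name in query_params(uri) for name in required)


def ordered_chain_match(uri, chain=ORDERED_CHAIN):
    """Emulate content;distance:0 chaining: each piece must follow the previous match."""
    pos = 0
    for piece in chain:
        idx = uri.find(piece, pos)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return True


def is_nsisdl_callback(row):
    """Heuristic (assumed): NSIS downloader UA carrying a campaign id in the query."""
    params = query_params(row["uri"])
    return row["user_agent"].startswith("NSISDL/") and ("user_id" in params or "uid" in params)


def tracking_id(uri):
    """Campaign GUID (uid= or user_id=) used to tie click, install beacon and search hits together."""
    params = query_params(uri)
    for name in ("uid", "user_id"):
        if name in params:
            return params[name][0]
    return None


def scan(text):
    """One finding per matching row: which heuristic fired plus the tracking id."""
    findings = []
    for row in parse_http_log(text):
        tags = []
        if has_tracking_params(row["uri"]):
            tags.append("appfocus-search-url")
        if is_nsisdl_callback(row):
            tags.append("nsisdl-install-beacon")
        if tags:
            findings.append({"ts": row["ts"], "host": row["host"], "tags": tags,
                             "tracking_id": tracking_id(row["uri"])})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["host"], ",".join(f["tags"]), f["tracking_id"])
```

Run on the three captured search URLs, `has_tracking_params` fires on all of them while `ordered_chain_match` returns False for every one, because none of them carries `uid=` after `source=` followed by `uc=` and then `ap=`; a Snort rule that wants to cover the variants therefore has to test each URI parameter as an independent content rather than chaining them with distance:0. The shared GUID between the installer beacon and the search hit is what lets an analyst tie the browser-less callback to the rest of the campaign traffic from the same host.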
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!
