Re: [Emerging-Sigs] InstallFast Malware/Adware Variants

[Will Metcalf <wmetcalf () emergingthreatspro com>]

Awesome thanks! We will get this into QA.

Regards,

Will

On Mon, Jun 13, 2016 at 3:57 PM, Stanwyck, Carraig - ASOC - Kansas City, MO
<Carraig.Stanwyck () asoc usda gov> wrote:

> Good Evening,
>
>
>
> *Example download link: **(submitted to Hybrid Analysis, 75/100 malicious
> -*
> https://www.hybrid-analysis.com/sample/7a6c52c189e19f6888465cdddb8a6efdda2c5fdfa0648c65e50626843c745e6f?environmentId=100
> *)*
>
> 2016/6/12 16:11:10          123.45.67.8         107.22.240.253
> 80           GET        searchinfast.com
> /Impression/Index/lp_download_click?spsource=googledisplay&user_id=f0e799a2-6346-45f4-8abb-b4de28efb7fc&subid2=&traffic_source=appfocus5&subid=undefined,95693094&referrer=
> http://installfaster.com/?utm_source=adwords&utm_campaign=372740691&utm_term=download&mt=&network=d&kid=kwd-11592331&aid=23526960531&lpurl=http://installfaster.com
>
> http://installfaster.com/?utm_source=adwords&utm_campaign=372740691&utm_term=download&mt=&network=d&kid=kwd-11592331&aid=23526960531&lpurl=http://installfaster.com
> Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like
> Gecko           11           200         Success                 text/plain
>
> *NSISDL/1.2 (Mozilla) post-install callback without opening a browser (NOT
> caught by current rules related to NSISDL/1.2):*
> 2016/6/12 16:11:25          123.45.67.8         52.2.39.169
> 80           GET        imp.searchinfast.com
> /impression.do?&user_id=f0e799a2-6346-45f4-8abb-b4de28efb7fc&subid=20160612&source=googledisplay&useragent=WindowsNT6.1;Trident/7.0;&adprovider=appfocus5&implementation_id=dm_appfocus5&event=ex_install_start
> -              NSISDL/1.2 (Mozilla)       109         200
> OK          image/png
>
> *Example post-install traffic referrer*:
>
>
> http://search.searchinfast.com/?uid=f0e799a2-6346-45f4-8abb-b4de28efb7fc&uc=20160612&source=googledisplay&ap=appfocus5&i_id=dm_appfocus5
>
>
>
> *As a result, I created the following rule*:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASOC Custom -
> InstallFaster Adware Variants [CS][June2016][PUP][CatA]";
> flow:to_server,established; content: "Referrer"; http_header;
> content:"&source="; http_uri; content:"uid="; http_uri; distance:0;
> content:"&uc="; http_uri; distance:0; content:"&ap="; http_uri; distance:0;
> classtype:trojan-activity; sid:123456789; rev:1;)
>
>
>
> *Using Bro (awk -F "\t" '$11 ~ /uid=.*uc=.*source=.*ap=/') , I found the
> following variants that should also be caught by the above rule:*
>
>
> http://home.searchlf.com/?uc=20151220&ap=appfocus5&source=search&uid=58c19fd5-42f6-44dc-86ae-5258318d6401&keyword=gmail&i_id=email_appfocus5_1.4&page=newtab&;
>
>
> http://search.searchfmn.com/?uc=20160225&ap=appfocus29&source=4692-ywwyduoT388M1uuMKQuC&uid=b6b588df-dc1b-4d06-8459-d92174a7a561&i_id=maps_appfocus29_1.8&page=newtab&;
>
>
>
> *Carraig Stanwyck*
>
> USDA | OCIO | ASOC
>
> @C4RR41G
>
>
>
>
>
>
> This electronic message contains information generated by the USDA solely
> for the intended recipients. Any unauthorized interception of this message
> or the use or disclosure of the information it contains may violate the law
> and subject the violator to civil or criminal penalties. If you believe you
> have received this message in error, please notify the sender and delete
> the email immediately.
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs () lists emergingthreats net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are 
consuming the most bandwidth. Provides multi-vendor support for NetFlow, 
J-Flow, sFlow and other flows. Make informed decisions using capacity 
planning reports. https://ad.doubleclick.net/ddm/clk/305295220;132659582;e

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!