Snort mailing list archives
Re: [Emerging-Sigs] InstallFast Malware/Adware Variants
From: Will Metcalf <wmetcalf () emergingthreatspro com>
Date: Mon, 13 Jun 2016 16:05:34 -0500
Awesome thanks! We will get this into QA.

Regards,
Will

On Mon, Jun 13, 2016 at 3:57 PM, Stanwyck, Carraig - ASOC - Kansas City, MO <Carraig.Stanwyck () asoc usda gov> wrote:
Good Evening,

Example download link (submitted to Hybrid Analysis, 75/100 malicious - https://www.hybrid-analysis.com/sample/7a6c52c189e19f6888465cdddb8a6efdda2c5fdfa0648c65e50626843c745e6f?environmentId=100):

  2016/6/12 16:11:10 123.45.67.8 107.22.240.253 80 GET searchinfast.com /Impression/Index/lp_download_click?spsource=googledisplay&user_id=f0e799a2-6346-45f4-8abb-b4de28efb7fc&subid2=&traffic_source=appfocus5&subid=undefined,95693094&referrer= http://installfaster.com/?utm_source=adwords&utm_campaign=372740691&utm_term=download&mt=&network=d&kid=kwd-11592331&aid=23526960531&lpurl=http://installfaster.com http://installfaster.com/?utm_source=adwords&utm_campaign=372740691&utm_term=download&mt=&network=d&kid=kwd-11592331&aid=23526960531&lpurl=http://installfaster.com Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko 11 200 Success text/plain

NSISDL/1.2 (Mozilla) post-install callback without opening a browser (NOT caught by current rules related to NSISDL/1.2):

  2016/6/12 16:11:25 123.45.67.8 52.2.39.169 80 GET imp.searchinfast.com /impression.do?&user_id=f0e799a2-6346-45f4-8abb-b4de28efb7fc&subid=20160612&source=googledisplay&useragent=WindowsNT6.1;Trident/7.0;&adprovider=appfocus5&implementation_id=dm_appfocus5&event=ex_install_start - NSISDL/1.2 (Mozilla) 109 200 OK image/png

Example post-install traffic referrer:

  http://search.searchinfast.com/?uid=f0e799a2-6346-45f4-8abb-b4de28efb7fc&uc=20160612&source=googledisplay&ap=appfocus5&i_id=dm_appfocus5

As a result, I created the following rule:

  # The HTTP header name is spelled "Referer" (the rule as posted matched on "Referrer").
  # The distance:0 modifiers are dropped so the four URI markers match in any order,
  # which is how the variant URLs below carry them.
  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"ASOC Custom - InstallFaster Adware Variants [CS][June2016][PUP][CatA]"; \
    flow:to_server,established; \
    content:"Referer"; http_header; \
    content:"&source="; http_uri; \
    content:"uid="; http_uri; \
    content:"&uc="; http_uri; \
    content:"&ap="; http_uri; \
    classtype:trojan-activity; sid:123456789; rev:1;)

Using Bro (awk -F "\t" '$11 ~ /uid=.*uc=.*source=.*ap=/'), I found the following variants that should also be caught by the above rule:

  http://home.searchlf.com/?uc=20151220&ap=appfocus5&source=search&uid=58c19fd5-42f6-44dc-86ae-5258318d6401&keyword=gmail&i_id=email_appfocus5_1.4&page=newtab&
  http://search.searchfmn.com/?uc=20160225&ap=appfocus29&source=4692-ywwyduoT388M1uuMKQuC&uid=b6b588df-dc1b-4d06-8459-d92174a7a561&i_id=maps_appfocus29_1.8&page=newtab&

Carraig Stanwyck
USDA | OCIO | ASOC
@C4RR41G

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
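Added example, not part of the thread: the referrer check from the post written in Python over a constructed Bro http.log excerpt. It mirrors the awk one-liner above but matches the four marker parameters (uid, uc, source, ap) in any order, since the variant URLs carry them in a different order than the original referrer; the hosts, client addresses, timestamps and connection uids in the sample are made up, only the referrer URLs come from the thread.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Marker parameters carried by the post-install referrer URL in the thread above.
REQUIRED_PARAMS = {"uid", "uc", "source", "ap"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def is_installfast_referrer(url):
    """True when the query string carries all four marker parameters, in any
    order, with uid shaped like a GUID and ap like appfocus<N>."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if not REQUIRED_PARAMS.issubset(params):
        return False
    return bool(GUID_RE.match(params["uid"][0])) and params["ap"][0].startswith("appfocus")


def scan_bro_http_log(text, referrer_col=10):
    """Return (ts, id.orig_h, referrer) for each http.log record whose referrer
    field (11th column, index 10) matches; a Python form of the awk one-liner."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):  # skip Bro header/comment lines
            continue
        fields = line.split("\t")
        if len(fields) > referrer_col and is_installfast_referrer(fields[referrer_col]):
            hits.append((fields[0], fields[2], fields[referrer_col]))
    return hits


# Constructed http.log excerpt (Bro column order: ts, uid, id.orig_h, id.orig_p,
# id.resp_h, id.resp_p, trans_depth, method, host, uri, referrer, user_agent);
# hosts, addresses and uids are made up, the first two referrers are from the thread.
SAMPLE_HTTP_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_depth"
    "\tmethod\thost\turi\treferrer\tuser_agent",
    "\t".join(["1465765900.1", "C1a", "10.0.0.5", "49152", "203.0.113.10", "80", "1", "GET",
               "ads.example.net", "/click",
               "http://search.searchinfast.com/?uid=f0e799a2-6346-45f4-8abb-b4de28efb7fc"
               "&uc=20160612&source=googledisplay&ap=appfocus5&i_id=dm_appfocus5", "Mozilla/5.0"]),
    "\t".join(["1465765901.2", "C1b", "10.0.0.7", "49153", "203.0.113.11", "80", "1", "GET",
               "ads.example.net", "/click",
               "http://home.searchlf.com/?uc=20151220&ap=appfocus5&source=search"
               "&uid=58c19fd5-42f6-44dc-86ae-5258318d6401&keyword=gmail&page=newtab&", "Mozilla/5.0"]),
    "\t".join(["1465765902.3", "C1c", "10.0.0.9", "49154", "203.0.113.12", "80", "1", "GET",
               "www.example.com", "/", "http://www.example.com/?source=hp&uid=notaguid", "Mozilla/5.0"]),
])

if __name__ == "__main__":
    for ts, src, ref in scan_bro_http_log(SAMPLE_HTTP_LOG):
        print(ts, src, ref)
```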
Current thread:
- InstallFast Malware/Adware Variants Stanwyck, Carraig - ASOC - Kansas City, MO (Jun 13)
- Re: [Emerging-Sigs] InstallFast Malware/Adware Variants Will Metcalf (Jun 13)