[Snort-sigs] BLEEDING-EDGE IE spyware downloader get.php

Matthew Jonkman matt at ...2436...
Fri Jul 16 07:04:27 EDT 2004


Joseph submitted this sig yesterday. It's catching things for us pretty 
well. But Joseph, I have a question on it.

The sig is getting a number of stations doing this:

000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 48 54 54   HTTP/1.1 200 HTT
010 : 50 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A   P..Content-Type:
020 : 20 74 65 78 74 2F 68 74 6D 6C 0D 0A 58 2D 50 6F    text/html..X-Po
030 : 77 65 72 65 64 2D 42 79 3A 20 50 48 50 2F 34 2E   wered-By: PHP/4.
040 : 33 2E 33 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   3.3..Connection:
050 : 20 63 6C 6F 73 65 0D 0A 0D 0A 66 75 6E 63 74 69    close....functi
060 : 6F 6E 20 77 72 69 74 65 5F 73 63 72 69 70 74 28   on write_script(
070 : 73 75 72 76 65 79 5F 6E 75 6D 2C 73 69 74 65 2C   survey_num,site,
080 : 63 6F 64 65 2C 72 61 6E 64 6E 75 6D 29 20 7B 0A   code,randnum) {.
090 : 73 74 72 3D 22 3C 73 63 72 69 70 74 20 6C 61 6E   str="<script lan
0a0 : 67 75 61 67 65 3D 5C 22 4A 61 76 61 53 63 72 69   guage=\"JavaScri
0b0 : 70 74 31 2E 31 5C 22 20 73 72 63 3D 68 74 74 70   pt1.1\" src=http
0c0 : 3A 2F 2F 61 6D 63 68 2E 71 75 65 73 74 69 6F 6E   ://amch.question
0d0 : 6D 61 72 6B 65 74 2E 63 6F 6D 2F 61 64 73 63 2F   market.com/adsc/
0e0 : 64 22 2B 73 75 72 76 65 79 5F 6E 75 6D 2B 22 2F   d"+survey_num+"/
0f0 : 22 2B 73 69 74 65 2B 22 2F 22 2B 63 6F 64 65 2B   "+site+"/"+code+
100 : 22 2F 64 65 63 69 64 65 2E 70 68 70 3F 73 75 72   "/decide.php?sur
110 : 76 65 79 5F 6E 75 6D 3D 22 2B 73 75 72 76 65 79   vey_num="+survey
120 : 5F 6E 75 6D 2B 22 26 73 69 74 65 3D               _num+"&site=


I am still getting people to the stations to see if they're spyware 
infected. This is starting to look just like the client is hitting 
another URL to report it went somewhere. The company noted there 
(Questionmarket.com) is an ad tracking firm called Dynamic Logic.

So my question, Joseph, is: did you write this rule off of an 
infection-type of spyware, or is it just going to be hitting on tracking 
requests without software installed?

Thanks

Matt
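As an added example (not part of the original post, and not the signature under discussion), the Python below decodes the hex dump quoted in the message back into the raw HTTP response and pulls out the facts the question turns on: the server's headers and the host and URL template of the second-stage script that get.php builds with write_script(). Function names are mine; the parser assumes the dump's layout of an offset, a colon, up to 16 hex bytes and an ASCII gutter, and the JavaScript-concatenation rewrite ("+name+" to {name}) is a convenience for reading the URL, not something the captured page does.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# The packet dump quoted in the post above, reproduced verbatim (offset
# column, hex bytes, ASCII gutter). Only the hex column is decoded; the
# gutter is ignored.
GET_PHP_RESPONSE_DUMP = r'''
000 : 48 54 54 50 2F 31 2E 31 20 32 30 30 20 48 54 54   HTTP/1.1 200 HTT
010 : 50 0D 0A 43 6F 6E 74 65 6E 74 2D 54 79 70 65 3A   P..Content-Type:
020 : 20 74 65 78 74 2F 68 74 6D 6C 0D 0A 58 2D 50 6F    text/html..X-Po
030 : 77 65 72 65 64 2D 42 79 3A 20 50 48 50 2F 34 2E   wered-By: PHP/4.
040 : 33 2E 33 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A   3.3..Connection:
050 : 20 63 6C 6F 73 65 0D 0A 0D 0A 66 75 6E 63 74 69    close....functi
060 : 6F 6E 20 77 72 69 74 65 5F 73 63 72 69 70 74 28   on write_script(
070 : 73 75 72 76 65 79 5F 6E 75 6D 2C 73 69 74 65 2C   survey_num,site,
080 : 63 6F 64 65 2C 72 61 6E 64 6E 75 6D 29 20 7B 0A   code,randnum) {.
090 : 73 74 72 3D 22 3C 73 63 72 69 70 74 20 6C 61 6E   str="<script lan
0a0 : 67 75 61 67 65 3D 5C 22 4A 61 76 61 53 63 72 69   guage=\"JavaScri
0b0 : 70 74 31 2E 31 5C 22 20 73 72 63 3D 68 74 74 70   pt1.1\" src=http
0c0 : 3A 2F 2F 61 6D 63 68 2E 71 75 65 73 74 69 6F 6E   ://amch.question
0d0 : 6D 61 72 6B 65 74 2E 63 6F 6D 2F 61 64 73 63 2F   market.com/adsc/
0e0 : 64 22 2B 73 75 72 76 65 79 5F 6E 75 6D 2B 22 2F   d"+survey_num+"/
0f0 : 22 2B 73 69 74 65 2B 22 2F 22 2B 63 6F 64 65 2B   "+site+"/"+code+
100 : 22 2F 64 65 63 69 64 65 2E 70 68 70 3F 73 75 72   "/decide.php?sur
110 : 76 65 79 5F 6E 75 6D 3D 22 2B 73 75 72 76 65 79   vey_num="+survey
120 : 5F 6E 75 6D 2B 22 26 73 69 74 65 3D               _num+"&site=
'''

DUMP_ROW = re.compile(r"^\s*[0-9a-fA-F]+\s*:\s*(.*)$")
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
# JavaScript string concatenation like "+survey_num+" inside the HTML the
# server assembles; rewritten to {survey_num} so the URL reads as a template.
JS_CONCAT = re.compile(r'"\+(\w+)\+"')


def decode_dump(dump: str) -> bytes:
    """Turn a 16-bytes-per-row hex dump back into raw bytes.

    Rows are read token by token and stop at the first non-hex token or
    after 16 bytes, so the ASCII gutter is never mistaken for data.
    """
    out = bytearray()
    for line in dump.splitlines():
        m = DUMP_ROW.match(line)
        if not m:
            continue
        count = 0
        for tok in m.group(1).split():
            if count == 16 or not HEX_BYTE.match(tok):
                break
            out.append(int(tok, 16))
            count += 1
    return bytes(out)


def parse_http_response(raw: bytes) -> Dict[str, object]:
    """Split a raw HTTP response into status line, headers and body.

    Header names are lower-cased. The body is whatever follows the blank
    line; in a packet capture it may be cut short, as it is here.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"status_line": lines[0], "headers": headers, "body": body.decode("latin-1")}


def extract_script_loader(body: str) -> Dict[str, object]:
    """Recover the JS function and the second-stage <script src=...> URL template."""
    fn = re.search(r"function\s+(\w+)\s*\(([^)]*)\)", body)
    src = re.search(r"src=([^\s>]+)", body)
    template = JS_CONCAT.sub(r"{\1}", src.group(1)) if src else None
    host = path = None
    query_params: List[str] = []
    if template:
        parts = urlsplit(template)
        host, path = parts.netloc, parts.path
        query_params = [kv.split("=", 1)[0] for kv in parts.query.split("&") if kv]
    return {
        "js_function": fn.group(1) if fn else None,
        "js_params": [p.strip() for p in fn.group(2).split(",")] if fn else [],
        "script_url_template": template,
        "script_host": host,
        "script_path": path,
        "query_params": query_params,
    }


def analyze_dump(dump: str) -> Dict[str, object]:
    """Decode the dump and summarise the response for triage."""
    raw = decode_dump(dump)
    resp = parse_http_response(raw)
    summary: Dict[str, object] = {
        "bytes": len(raw),
        "status_line": resp["status_line"],
        "content_type": resp["headers"].get("content-type"),
        "powered_by": resp["headers"].get("x-powered-by"),
    }
    summary.update(extract_script_loader(resp["body"]))
    return summary


if __name__ == "__main__":
    for key, value in analyze_dump(GET_PHP_RESPONSE_DUMP).items():
        print(f"{key}: {value}")
```

Run as a script it lists the 300 decoded bytes, the status line (note the server's reason phrase is the literal word "HTTP" rather than "OK"), the PHP/4.3.3 header, and the template http://amch.questionmarket.com/adsc/d{survey_num}/{site}/{code}/decide.php?survey_num={survey_num}&site=. That template is the useful part for the question in the post: the follow-on requests the stations make to amch.questionmarket.com should fit it, and the Referer and User-Agent on those requests, together with a look at the station itself, are what distinguish a browser following an ad tracker's script from installed software calling home.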



