[Snort-sigs] Some adware fun

Matthew Jonkman matt at ...2436...
Sat Jul 24 11:41:02 EDT 2004


isc.org had a good start for an article where they took a VMware 
unpatched Windows install and infected it by visiting a couple of sites. 
Tracking the installed code looked interesting. I've been meaning to do 
that for a while but never got around to it. That article inspired me to 
make time to do it.

Glad I did, found a ton of stuff and actually had a good time. :) I only 
spent about an hour and got so many easy hits to write rules for. I 
recommend spending a little time with it if you're interested in 
learning what's going on; it's very transparent if you can dump the 
traffic on a firewall or IDS sensor.

Here are the rules I got by just visiting one site. These are just the 
installs of software, primarily. All I did was hit the site, I didn't 
click on a single thing. This was with a clean XP install, no patches. 
After I saw the 10th adware program get installed without me touching 
anything, I suspended the VMware session to analyze. Later when I have 
more time I'll un-suspend the VMware session and reboot it, then see 
where these start sending data back to.

Some of them are interesting, one even popped up and offered to help me 
remove itself and all the other spyware it had just installed for 29.95. 
That I thought was the ballsiest money-making scheme to date. :)

If you have some time I highly recommend doing this, and send us the 
rules. Spyware is completely out of control, I realize even more than I 
had thought before after this exercise. Every time I add a new rule to 
IDS we catch 20% of the machines we cover out there with it already 
running. And they are grabbing updates and running code at the whim of 
the person running the adware site. If I were looking to build a botnet 
I'd certainly be targeting the adware servers. Slip my code in and 
infect a few thousand systems in one swipe.

That's what's prompted me to change the classtype of all the malware 
rules on bleedingsnort.com to trojan-activity. That's what it is, they 
install without permission, execute code without approval or permission, 
and report data to unknown destinations without permission. That means 
trojan to me.

Here's the first round of it. They are all on bleedingsnort.com:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Adtrak.net Tracking Bot Reporting"; reference:url,www.adtrak.net; uricontent:"/adlog.php?bannerid="; classtype:trojan-activity; sid:2000576; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware F1Organizer Install Attempt"; reference:url,www.f1organizer.com; classtype:trojan-activity; uricontent:"/f1/objects/ezbdlLs.dll"; nocase; sid:2000581; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware F1Organizer Reporting"; reference:url,www.f1organizer.com; classtype:trojan-activity; uricontent:"/f1/audit/"; nocase; sid:2000582; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Mindset Interactive Install"; reference:url,www.mindsetinteractive.com; uricontent:"/mindset5/data"; nocase; classtype:trojan-activity; sid:2000583; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Mindset Interactive Install"; reference:url,www.mindsetinteractive.com; uricontent:"/mindset/data"; nocase; classtype:trojan-activity; sid:2000584; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Popuptraffic.com Bot Reporting"; reference:url,popuptraffic.com; uricontent:"/scripts/click.php?hid="; classtype:trojan-activity; sid:2000577; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop At Home Select.com Install Attempt"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; uricontent:"/mindset/bunsetup.cab"; nocase; classtype:trojan-activity; sid:2000580; rev:1;)

# sid:2000581 below is already used by the F1Organizer Install Attempt rule above; give this rule a unique sid before loading it, as Snort rejects a rule set in which two different rules share a gid:sid
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Shop At Home Select.com Install Download"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; classtype:trojan-activity; sid:2000581; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware TopText ILookup Access"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; uricontent:"/MindSet5/install/ezinstall.exe"; nocase; classtype:trojan-activity; sid:2000578; rev:1;)

# the hex below is the ASCII string "eZula Installation", a NUL byte, then "I"
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware TopText ILookup Installer Download"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; classtype:trojan-activity; sid:2000579; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Twaintec Download Attempt"; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; uricontent:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; classtype:trojan-activity; sid:3000578; rev:1;)

PLEASE, if you have some time do this exercise for yourself and send us 
rules or packet dumps. There's a lot to learn about what's being 
installed on your net's systems here.

Thanks

Matt
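The following is an added example, not part of the post above and not code from Snort or bleedingsnort.com: a small Python matcher for the rule options the posted rules actually use (uricontent, content, |hex| byte escapes, nocase, and the traffic direction implied by the rule header), run over constructed HTTP traffic so you can see which rule fires on which request or response before loading anything on a sensor. Four of the rules are copied verbatim from the post; every HTTP request and response in the block is constructed, not captured. It simplifies what Snort does in two ways worth knowing: uricontent is matched here against the raw request-line URI, whereas Snort's http_inspect normalizes the URI first, and there is no stream reassembly, so this is a sanity check on the patterns, not a substitute for testing on a real sensor. It also flags a problem the posted list has: sid:2000581 is used by two different rules.

```python
"""Check Snort 2-style rules from the post against constructed HTTP traffic.

Added example, not Snort and not bleedingsnort.com code: a toy matcher for
the option subset these rules use (uricontent, content, |hex| escapes, nocase,
direction). The rules are copied from the post; all traffic is constructed.
"""
import re
from dataclasses import dataclass

RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Adtrak.net Tracking Bot Reporting"; reference:url,www.adtrak.net; uricontent:"/adlog.php?bannerid="; classtype:trojan-activity; sid:2000576; rev:2;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware F1Organizer Install Attempt"; reference:url,www.f1organizer.com; classtype:trojan-activity; uricontent:"/f1/objects/ezbdlLs.dll"; nocase; sid:2000581; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Shop At Home Select.com Install Download"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; classtype:trojan-activity; sid:2000581; rev:1;)',
    'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware TopText ILookup Installer Download"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; classtype:trojan-activity; sid:2000579; rev:1;)',
]

HEADER = re.compile(r'alert tcp (\S+) (\S+) -> (\S+) (\S+) \((.*)\)\s*$')
OPTION = re.compile(r'\s*(\w+)(?::("[^"]*"|[^;]*))?\s*;')  # opt; or opt:value;


@dataclass
class Rule:
    sid: int
    msg: str
    classtype: str
    to_server: bool  # $HOME_NET -> $EXTERNAL_NET $HTTP_PORTS, i.e. the request side
    patterns: list   # [(kind, bytes, nocase)] with kind "content" or "uricontent"


def decode_pattern(quoted: str) -> bytes:
    """Snort content string to bytes; text between |...| is hex."""
    out = bytearray()
    for i, part in enumerate(quoted.strip('"').split('|')):
        out += bytes.fromhex(part) if i % 2 else part.encode('latin-1')
    return bytes(out)


def parse_rule(text: str) -> Rule:
    src, _sport, _dst, _dport, opts = HEADER.match(text).groups()
    sid, msg, classtype, patterns = 0, '', '', []
    for name, value in OPTION.findall(opts):
        if name in ('content', 'uricontent'):
            patterns.append([name, decode_pattern(value), False])
        elif name == 'nocase':  # modifies the preceding content/uricontent
            patterns[-1][2] = True
        elif name == 'sid':
            sid = int(value)
        elif name == 'msg':
            msg = value.strip('"')
        elif name == 'classtype':
            classtype = value
    return Rule(sid, msg, classtype, src == '$HOME_NET', [tuple(p) for p in patterns])


def rule_matches(rule: Rule, to_server: bool, uri: bytes, payload: bytes) -> bool:
    """Every pattern must hit; uricontent is checked against the URI only."""
    if rule.to_server != to_server:
        return False
    for kind, pat, nocase in rule.patterns:
        hay = uri if kind == 'uricontent' else payload
        if nocase:
            hay, pat = hay.lower(), pat.lower()
        if pat not in hay:
            return False
    return True


def inspect(rules, raw: bytes) -> list:
    """Return the sids that fire on one raw HTTP request or response."""
    first_line = raw.split(b'\r\n', 1)[0]
    is_response = first_line.startswith(b'HTTP/')
    uri = b'' if is_response else first_line.split(b' ')[1]
    return [r.sid for r in rules if rule_matches(r, not is_response, uri, raw)]


def duplicate_sids(rules) -> set:
    """sids shared by more than one rule; a sensor will not load such a set."""
    seen, dups = set(), set()
    for r in rules:
        (dups if r.sid in seen else seen).add(r.sid)
    return dups


# Constructed sample traffic, not captures: a tracking-bot check-in, the
# F1Organizer DLL fetch with the path upper-cased (exercises nocase), a benign
# page, and an octet-stream response carrying the eZula installer string.
SAMPLES = [
    b'GET /adlog.php?bannerid=1234&clientid=5 HTTP/1.1\r\nHost: www.adtrak.net\r\n\r\n',
    b'GET /F1/OBJECTS/EZBDLLS.DLL HTTP/1.1\r\nHost: www.f1organizer.com\r\n\r\n',
    b'GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n',
    b'HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n'
    b'MZ\x90\x00' + b'\x00' * 12 + b'eZula Installation\x00Installing, please wait',
]


def run_demo():
    """Parse RULES, run every sample through them, and report duplicate sids."""
    rules = [parse_rule(r) for r in RULES]
    return [inspect(rules, s) for s in SAMPLES], duplicate_sids(rules)


if __name__ == '__main__':
    hits, dups = run_demo()
    for sample, sids in zip(SAMPLES, hits):
        print(sample.split(b'\r\n', 1)[0].decode(), '->', sids)
    print('duplicate sids:', dups)
```

Running it prints the first line of each sample next to the sids that fired: the Adtrak check-in trips 2000576, the upper-cased DLL path still trips 2000581 because of nocase, the benign page trips nothing, and the response body trips 2000579 on the decoded hex string. The duplicate-sid check is the cheap thing to run over any batch of rules before loading them, and here it reports 2000581.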



