[Snort-sigs] New Malware/Spyware rules

Matthew Jonkman matt at ...2436...
Sun Jul 25 14:37:13 EDT 2004


Here's the load of malware rules for today. It's absolutely shocking 
what will happen if you browse with IE. Many of these came in on a 
patched version, many more unpatched. And there are exploits as we all 
know that still exist. I didn't spend any time finding the method each 
used to install themselves, that's a whole other investigation. You 
could write a whole book of whitepapers on this subject alone.

I thought I understood some of the extent of adware and such, but I 
couldn't even see the tip of the iceberg. Literally.

But these rules are a good start. They're all in the bleedingsnort.com 
ruleset. There will be many more, and I know several others out there 
are doing the same exercise with a clean vmware install; we'll get their 
rules up as soon as they come in. If you're looking for new places to 
get infected from, hit a few of the spyware cleaning sites, they list the 
major perpetrators of this crap. Just hit their site and you'll be on 
your way. NOTE: Several of their sites give you a TOTALLY different page 
if you hit it in a non-IE browser. i.e., the page you get in Mozilla is a 
"here's who our corporation is" professional site. In IE you get a sales 
page chock full of popups and an autoinstall of the bad stuff. I thought 
that quite interesting.

And as always PLEASE send back tips on tuning these. These were put 
together in a bit of a hurry. Whatever we can do to keep them generic 
enough to last a while will help. I'm sure most of these rules will have 
a shelf life of a few months before the spyware changes.

Summary of the rules added for now, many more coming:

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Adtrak.net Tracking Bot Reporting"; reference:url,www.adtrak.net; uricontent:"/adlog.php?bannerid="; classtype:trojan-activity; sid:2000576; rev:2;)

#Modified and added to by Matt Jonkman (Original author missing)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Start"; uricontent:"/pm/start.asp"; nocase; classtype:trojan-activity; sid:2000906; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Data Submission"; uricontent:"/backoffice.net/stats/Add.aspx"; nocase; classtype:trojan-activity; sid:2000598; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Altnet PeerPoints Manager Settings Download"; uricontent:"/pointsmanager/seettings.cab?"; nocase; classtype:trojan-activity; sid:2000907; rev:1;)

#Submitted by Matt Jonkman
# As yet unidentified agent, but here's how it came in
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Amex.Isprime.com Unknown Malware Download"; classtype:trojan-activity; reference:url,amex.isprime.com; reference:url,www.isprime.com; uricontent:"/bpc/"; content:".zip"; sid:2000904; rev:1;)

# Category for bad things we can't put a name on
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Unknown Spyware Data Submission 1"; classtype:trojan-activity; uricontent:"/cgi/linkconsumer.pl?cluid="; sid:2000591; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Avres Agent Receiving Instructions"; classtype:trojan-activity; reference:url,www.avres.net; reference:url,ar.avres.net/ie/updatenew/; uricontent:"/ie/updatenew/"; content:"CONFIG"; nocase; sid:2000903; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware F1Organizer Install Attempt"; reference:url,www.f1organizer.com; classtype:trojan-activity; uricontent:"/f1/objects/ezbdlLs.dll"; nocase; sid:2000585; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware F1Organizer Reporting"; reference:url,www.f1organizer.com; classtype:trojan-activity; uricontent:"/f1/audit/"; nocase; sid:2000582; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware FlashPoint Agent Retrieving New Code"; classtype:trojan-activity; reference:url,simplythebest.net/info/spyware/flashtrack_spyware.html; reference:url,www.flashpoint.bm; uricontent:"/ftxmon.php?"; sid:2000905; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware FlashTrack Agent Retrieving New App Code"; classtype:trojan-activity; reference:url,simplythebest.net/info/spyware/flashtrack_spyware.html; reference:url,www.flashpoint.bm; uricontent:"/apps/r.exe"; sid:2000905; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Fun Web Products Install"; classtype:trojan-activity; reference:url,www.funwebproducts.com; uricontent:"/install_ie.jsp?product="; sid:2000599; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Hotbar Install"; reference:url,www.hotbar.com; reference:url,www.simplythebest.net/info/spyware/hotbar_spyware.html; classtype:trojan-activity; uricontent:"/install/startInstallprocess.asp?Defau"; sid:2000920; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Hotbar Install"; reference:url,www.hotbar.com; reference:url,www.simplythebest.net/info/spyware/hotbar_spyware.html; classtype:trojan-activity; uricontent:"/install/process/upsale/hotbar"; sid:2000921; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Hotbar Install"; reference:url,www.hotbar.com; reference:url,www.simplythebest.net/info/spyware/hotbar_spyware.html; classtype:trojan-activity; uricontent:"/installs/hotbar/programs/"; sid:2000922; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Hotbar Agent Reporting Information"; reference:url,www.hotbar.com; reference:url,www.simplythebest.net/info/spyware/hotbar_spyware.html; classtype:trojan-activity; content:"POST"; nocase; uricontent:"/reports/hotbar/"; sid:2000923; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Hotbar Agent Upgrading"; reference:url,www.hotbar.com; reference:url,www.simplythebest.net/info/spyware/hotbar_spyware.html; classtype:trojan-activity; uricontent:"/upgrades/hotbar/"; nocase; sid:2000924; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Hotbar Agent Activity"; reference:url,www.hotbar.com; reference:url,www.simplythebest.net/info/spyware/hotbar_spyware.html; classtype:trojan-activity; uricontent:"/dynamic/hotbar/"; nocase; sid:2000924; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Hotbar Agent Partner Checkin"; reference:url,www.hotbar.com; reference:url,www.simplythebest.net/info/spyware/hotbar_spyware.html; classtype:trojan-activity; uricontent:"/partners/"; nocase; uricontent:"partners.xip"; nocase; sid:2000925; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Install"; classtype:trojan-activity; reference:url,www.isearchtech.com; reference:url,www.simplythebest.net/info/spyware/istbar_spyware.html; uricontent:"/ist/softwares/v"; nocase; sid:2000926; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Reporting"; classtype:trojan-activity; reference:url,www.isearchtech.com; reference:url,www.simplythebest.net/info/spyware/istbar_spyware.html; uricontent:"/ist/scripts/log_downloads.php"; nocase; sid:2000927; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware ISearchTech.com XXXPornToolbar Activity"; classtype:trojan-activity; reference:url,www.isearchtech.com; reference:url,www.simplythebest.net/info/spyware/istbar_spyware.html; uricontent:"/ist/scripts/"; nocase; sid:2000928; rev:1;)

#Submitted by Matt Jonkman
alert udp $HOME_NET 3531 -> $EXTERNAL_NET 3531 (msg:"BLEEDING-EDGE Malware JoltID Agent Probing or Announcing UDP"; classtype:trojan-activity; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; sid:2000900; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 3531 (msg:"BLEEDING-EDGE Malware JoltID Agent Communicating TCP"; classtype:trojan-activity; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; flow:to_server,established; sid:2000901; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MarketScore.com Spyware Configuration Access"; classtype:trojan-activity; reference:url,www.marketscore.com; reference:url,www.spysweeper.com/remove-marketscore.html; uricontent:"/oss/remoteconfig.asp"; sid:2000902; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Mindset Interactive Install"; classtype:trojan-activity; reference:url,www.mindsetinteractive.com; uricontent:"/mindset5/data"; nocase; sid:2000583; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Mindset Interactive Install"; classtype:trojan-activity; reference:url,www.mindsetinteractive.com; uricontent:"/mindset/data"; nocase; sid:2000584; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Mindset Interactive Ad Retrieval"; classtype:trojan-activity; reference:url,www.mindsetinteractive.com; uricontent:"/mindset5"; nocase; sid:2000594; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware MyWebSearch Toolbar Receiving Configuration"; classtype:trojan-activity; uricontent:"/myspeedbarcfg2.jsp?s="; sid:2000600; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Popuptraffic.com Bot Reporting"; reference:url,popuptraffic.com; uricontent:"/scripts/click.php?hid="; classtype:trojan-activity; sid:2000577; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Salongas Infection"; classtype:trojan-activity; uricontent:"/sp.htm?id="; sid:2000601; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Shop At Home Select.com Install Attempt"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; uricontent:"/mindset/bunsetup.cab"; nocase; classtype:trojan-activity; sid:2000580; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware Shop At Home Select.com Install Download"; reference:url,www.spywareguide.com/product_show.php?id=700; reference:url,www.shopathomeselect.com; content:"|ab 3b d4 97 d4 a7 b4 1d da 6e 6d 0f f4 aa 4f|"; content:"|46 b3 3b 8b 38 cc 2c 2a a4 c3 07 67 67 df 65 41|"; classtype:trojan-activity; sid:2000581; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware SpywareLabs VirtualBouncer Seeking Instructions"; classtype:trojan-activity; pcre:"m/instructions\/(\d\d).xml/"; sid:2000587; rev:3;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware TopMoxie Reporting Data to External Host"; classtype:trojan-activity; reference:url,www.topmoxie.com; content:"POST /downloads/record_download.asp"; sid:2000588; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware TopMoxie Retrieving Data"; classtype:trojan-activity; reference:url,www.topmoxie.com; uricontent:"/external/builds/downloads2/"; nocase; sid:2000589; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware TopMoxie Retrieving Data"; classtype:trojan-activity; reference:url,www.topmoxie.com; uricontent:"/external/builds/common/"; nocase; sid:2000590; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware TopText ILookup Access"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; uricontent:"/MindSet5/install/ezinstall.exe"; nocase; classtype:trojan-activity; sid:2000578; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Malware TopText ILookup Installer Download"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; content:"|65 5a 75 6c 61 20 49 6e 73 74 61 6c 6c 61 74 69 6f 6e 00 49|"; classtype:trojan-activity; sid:2000579; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Ezula Related Calling Home"; reference:url,www.ezula.com; reference:url,www.spyany.com/program/article_spw_rm_eZuLa.html; content:"User-Agent\: mez"; nocase; classtype:trojan-activity; sid:2000586; rev:2;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Twaintec Download Attempt"; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; uricontent:"/downloads/cabs/TWTDLL/twaintec.cab"; nocase; classtype:trojan-activity; sid:3000578; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Twaintec Ad Retrieval"; reference:url,www.pestpatrol.com/PestInfo/t/twain-tech.asp; uricontent:"/twain/servlet/Twain?adcontext="; nocase; classtype:trojan-activity; sid:3000592; rev:1;)

#Submitted by Matt Jonkman
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install"; classtype:trojan-activity; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; uricontent:"/vsn/ISA/save"; nocase; sid:2000908; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware WhenUClick.com App and Search Bar Install"; classtype:trojan-activity; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; uricontent:"/Appinstall?app=VVSN"; nocase; sid:2000909; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin"; classtype:trojan-activity; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; uricontent:"/heartbeat?program=clock"; nocase; sid:2000910; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin"; classtype:trojan-activity; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; uricontent:"/heartbeat?program=weather"; nocase; sid:2000911; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin"; classtype:trojan-activity; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; uricontent:"/clock?id="; nocase; sid:2000912; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware WhenUClick.com Clock Sync App Checkin"; classtype:trojan-activity; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; uricontent:"/clockDB"; nocase; sid:2000913; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin"; classtype:trojan-activity; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; uricontent:"/weatherDB"; nocase; sid:2000914; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware WhenUClick.com Weather App Checkin"; classtype:trojan-activity; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; uricontent:"/weather?id="; nocase; sid:2000915; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware WhenUClick.com WhenUSave App Checkin"; classtype:trojan-activity; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; uricontent:"/heartbeat?program=whenusave"; nocase; sid:2000916; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval"; classtype:trojan-activity; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; uricontent:"/OffersDataGZ?update="; nocase; sid:2000917; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware WhenUClick.com Desktop Bar Install"; classtype:trojan-activity; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; uricontent:"/Appinstall?app=desktop"; nocase; sid:2000918; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware WhenUClick.com WhenUSave Data Retrieval"; classtype:trojan-activity; reference:url,www.whenusearch.com; reference:url,www.kephyr.com/spywarescanner/library/whenusearch/index.phtml; uricontent:"/SearchDB?update="; nocase; sid:2000919; rev:1;)
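An added example, not part of the post or of the bleedingsnort.com ruleset: a small Python checker for the kind of tuning pass asked for above. It parses HTTP rules of the shape used here, flags the defects that slip in when rules are assembled in a hurry (a sid used twice, a $variable whose case differs from the rest of the set), and tests each rule's uricontent set against constructed request URIs, honouring that nocase binds only to the content/uricontent keyword immediately before it. The three rules and the URIs are constructed samples; the parser covers only the option syntax these rules use.

```python
import re
from collections import Counter

# Constructed sample: three rules from the post, re-joined to one line each.
SAMPLE_RULES = r'''
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Hotbar Agent Upgrading"; uricontent:"/upgrades/hotbar/"; nocase; classtype:trojan-activity; sid:2000924; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Malware Hotbar Agent Activity"; uricontent:"/dynamic/hotbar/"; nocase; classtype:trojan-activity; sid:2000924; rev:1;)
alert tcp $HOME_NET any -> $external_net $HTTP_PORTS (msg:"BLEEDING-EDGE Malware FlashPoint Agent Retrieving New Code"; uricontent:"/ftxmon.php?"; classtype:trojan-activity; sid:2000905; rev:1;)
'''
# Constructed request URIs, not captured traffic.
SAMPLE_URIS = ["/upgrades/hotbar/hbinst.cab", "/DYNAMIC/HOTBAR/ads.asp?x=1", "/FTXMON.PHP?id=7", "/ftxmon.php?id=7", "/index.html"]

HEADER_RE = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(?:->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$')
# One option: keyword, then optional ":value"; the value is quoted (\" allowed inside) or bare.
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

def parse_rule(line):
    """Split one rule into header fields and an ordered (keyword, value) option list."""
    m = HEADER_RE.match(line.strip())
    if not m: raise ValueError("not a rule: " + line[:40])
    action, proto, src, sport, dst, dport, body = m.groups()
    opts = [(k, v[1:-1].replace('\\"', '"') if v.startswith('"') else v)
            for k, v in OPTION_RE.findall(body)]
    return dict(action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport, options=opts)

def load(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith('#')]

def lint(rules):
    """Flag duplicate sids (their alerts cannot be told apart) and $variables not in upper case."""
    findings, sids = [], Counter()
    for r in rules:
        sid = dict(r['options']).get('sid'); sids[sid] += 1
        for f in ('src', 'sport', 'dst', 'dport'):
            if r[f].startswith('$') and r[f] != r[f].upper():
                findings.append(f"sid {sid}: variable {r[f]} is not upper-case")
    findings += [f"sid {s} used {n} times" for s, n in sids.items() if n > 1]
    return findings

def match_uri(rule, uri):
    """True if every uricontent occurs in uri; 'nocase' modifies only the keyword before it."""
    checks, last_is_uri = [], False
    for kw, val in rule['options']:
        if kw == 'uricontent':
            checks.append([val, False]); last_is_uri = True
        elif kw == 'content':
            last_is_uri = False          # a later nocase belongs to this content, not a uricontent
        elif kw == 'nocase' and last_is_uri:
            checks[-1][1] = True
    return bool(checks) and all((n.lower() in uri.lower()) if nc else (n in uri) for n, nc in checks)

def scan(rules, uris):
    """Return (sid, uri) for every rule/URI pair that matches."""
    return [(dict(r['options'])['sid'], u) for u in uris for r in rules if match_uri(r, u)]
```

`lint(load(SAMPLE_RULES))` reports the duplicate 2000924 and the lower-case $external_net; `scan(load(SAMPLE_RULES), SAMPLE_URIS)` shows the upper-case FTXMON.PHP request slipping past the rule that lacks nocase.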