[Snort-sigs] New Malware/Spyware rules

Jason Haar Jason.Haar at ...651...
Sun Jul 25 15:59:01 EDT 2004


On Sun, Jul 25, 2004 at 04:36:04PM -0500, Matthew Jonkman wrote:
> Here's the load of malware rules for today. It's absolutely shocking 
> what will happen if you browse with IE. Many of these came in on a 
> patched version, many more unpatched. And there are exploits as we all 
> ...

I haven't looked into these rules in detail, but are you logging
spyware-related events, or are you trying for nice clean rules?

By that I mean that an infected PC can easily "do" 100 different
spyware-related URL calls in one session. Are you trying to log those 100
calls, or just one? I'd say the latter is the best option, as otherwise you
are going to have SQL databases/etc. full of tens of thousands of entries
against one infected PC, where one would do.

I'm trying to do the same as you, but only recording hits on definitive URLs
- namely the ones involved in their update engines. It's pretty scary that
Spyware has reached such a level of sophistication that they are installed
as services with autoupdate components. Anyway, that can be their downfall
as they are unique URLs that no-one would ever go to other than a Spyware
engine (i.e. low FPs).

Here's the list of "engine updaters" I have

alert tcp $HOME_NET any -> any any (msg:"SPYWARE 180solutions Update Engine"; flow:to_server,established; content:"GET"; depth:3; content:"Host|3a|"; within:300; content:"ping.180solutions.com"; within:40; classtype:policy-violation; reference:url,www.safer-networking.org/index.php?page=threats&detail=212; sid:3000004; rev:1;)

alert tcp $HOME_NET any -> any any (msg:"SPYWARE ezula Update Engine"; flow:to_server,established; content:"POST"; depth:4; content:"User-Agent|3a| mez"; nocase; within:200; content:"Host|3a|"; within:300; content:"ezula.com"; nocase; within:40; classtype:policy-violation; reference:url,www.safer-networking.org/index.php?page=threats&detail=198; sid:3000005; rev:1;)

alert tcp $HOME_NET any -> any any (msg:"SPYWARE cometsystems Update Engine"; flow:to_server,established; content:"GET /cc/"; depth:8; content:"Host|3a|"; within:300; content:"update.cc.cometsystems.com"; nocase; within:40; classtype:policy-violation; reference:url,www.pestpatrol.com/PestInfo/c/cometsystems.asp; sid:3000006; rev:1;)

alert tcp $HOME_NET any -> any any (msg:"SPYWARE keenvalue Update Engine"; flow:to_server,established; content:"|0d0a|Host|3a| secure.keenvalue.com"; content:"|0d0a|Extension|3a| Remote-Passphrase"; within:300; classtype:policy-violation; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2003-11-24; sid:3000007; rev:1;)

alert tcp $HOME_NET any -> any any (msg:"SPYWARE 2020search Update Engine"; flow:to_server,established; content:"POST"; depth:4; content:"srng/reg.php HTTP"; within:50; content:"|0d0a|Host|3a|"; content:"2020search.com"; within:40; content:"IpAddr="; nocase; within:100; classtype:policy-violation; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; sid:3000008; rev:1;)

alert tcp $HOME_NET any -> any any (msg:"SPYWARE EUniverse/thunderdownloads Update Engine"; flow:to_server,established; content:"POST"; depth:4; content:"mgmt.svr HTTP"; within:50; content:"|0d0a|Host|3a| update.thunderdownloads.com"; nocase; within:300; classtype:policy-violation; reference:url,www.pestpatrol.com/pestinfo/e/euniverse.asp; sid:3000009; rev:1;)



-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
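Added example (not part of the message above, and not the poster's code): a small Python re-implementation of the matching logic in the six "engine updater" rules, run over constructed HTTP requests. It also applies the "one entry per infected PC" idea from the message by reporting each (source IP, sid) pair once and counting the repeats it suppressed. The sample traffic and IP addresses are made up, and the comments mark the simplifications relative to the Snort rules (case-insensitive Host matching for every rule, the within:N byte windows not enforced).

```python
"""Toy matcher for the posted SPYWARE update-engine rules (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Sig:
    sid: int
    msg: str
    method: Optional[bytes]               # None = any method (the keenvalue rule has no method content)
    host: bytes                           # substring required in the Host header value
    uri: Optional[bytes] = None           # substring (or prefix, see uri_anchored) required in the URI
    uri_anchored: bool = False            # True mirrors 'content:"GET /cc/"; depth:8' (URI must start with it)
    headers: Dict[bytes, bytes] = field(default_factory=dict)   # header name -> required value prefix
    body: Optional[bytes] = None          # substring required in the request body


# One entry per posted rule, same sids. Simplification: everything is compared
# lower-cased, so rules without 'nocase' are matched case-insensitively here,
# and the within:N windows of the originals are not enforced.
SIGS: List[Sig] = [
    Sig(3000004, "SPYWARE 180solutions Update Engine", b"GET", b"ping.180solutions.com"),
    Sig(3000005, "SPYWARE ezula Update Engine", b"POST", b"ezula.com",
        headers={b"user-agent": b"mez"}),
    Sig(3000006, "SPYWARE cometsystems Update Engine", b"GET", b"update.cc.cometsystems.com",
        uri=b"/cc/", uri_anchored=True),
    Sig(3000007, "SPYWARE keenvalue Update Engine", None, b"secure.keenvalue.com",
        headers={b"extension": b"remote-passphrase"}),
    Sig(3000008, "SPYWARE 2020search Update Engine", b"POST", b"2020search.com",
        uri=b"srng/reg.php", body=b"ipaddr="),
    Sig(3000009, "SPYWARE EUniverse/thunderdownloads Update Engine", b"POST",
        b"update.thunderdownloads.com", uri=b"mgmt.svr"),
]


def parse_request(payload: bytes) -> Tuple[bytes, bytes, Dict[bytes, bytes], bytes]:
    """Split a raw HTTP/1.x request into (method, uri, lower-cased headers, lower-cased body)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, _, rest = lines[0].partition(b" ")
    uri = rest.rpartition(b" ")[0] or rest          # drop the trailing "HTTP/1.x" token if present
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip().lower()
    return method, uri, headers, body.lower()


def match(payload: bytes) -> Optional[Sig]:
    """Return the first signature the request satisfies, or None."""
    method, uri, headers, body = parse_request(payload)
    host = headers.get(b"host", b"")
    for s in SIGS:
        if s.method is not None and method != s.method:
            continue
        if s.host not in host:
            continue
        if s.uri is not None:
            if s.uri_anchored and not uri.startswith(s.uri):
                continue
            if not s.uri_anchored and s.uri not in uri:
                continue
        if any(not headers.get(n, b"").startswith(v) for n, v in s.headers.items()):
            continue
        if s.body is not None and s.body not in body:
            continue
        return s
    return None


def run(requests: List[Tuple[str, bytes]]) -> Tuple[List[Tuple[str, int, str]], int]:
    """Alert once per (source IP, sid); return (alerts, number of suppressed repeats)."""
    seen = set()
    alerts: List[Tuple[str, int, str]] = []
    suppressed = 0
    for src, payload in requests:
        s = match(payload)
        if s is None:
            continue
        if (src, s.sid) in seen:
            suppressed += 1
            continue
        seen.add((src, s.sid))
        alerts.append((src, s.sid, s.msg))
    return alerts, suppressed


# Constructed sample traffic (made up for this example): one host beaconing twice
# to 180solutions plus an ezula update, one clean browser request, and two others.
SAMPLE: List[Tuple[str, bytes]] = [
    ("10.0.0.5", b"GET /ping.asp?id=1 HTTP/1.1\r\nHost: ping.180solutions.com\r\n\r\n"),
    ("10.0.0.5", b"GET /ping.asp?id=2 HTTP/1.1\r\nHost: ping.180solutions.com\r\n\r\n"),
    ("10.0.0.5", b"POST /update HTTP/1.1\r\nUser-Agent: mez\r\nHost: www.ezula.com\r\n"
                 b"Content-Length: 0\r\n\r\n"),
    ("10.0.0.6", b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    ("10.0.0.7", b"GET /check HTTP/1.1\r\nHost: secure.keenvalue.com\r\nExtension: Remote-Passphrase\r\n\r\n"),
    ("10.0.0.8", b"POST /srng/reg.php HTTP/1.1\r\nHost: www.2020search.com\r\n\r\nIpAddr=10.0.0.8\r\n"),
]

if __name__ == "__main__":
    found, dropped = run(SAMPLE)
    for src, sid, msg in found:
        print(f"{src} sid:{sid} {msg}")
    print(f"suppressed repeats: {dropped}")
```

The per-source suppression in `run()` is the part that keeps one infected PC from filling the alert database; on a real sensor the same effect is normally obtained with Snort's own rule thresholding (the `threshold` option in 2.x, `track by_src, type limit, count 1` over some window) rather than in a post-processor like this.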



