[Snort-sigs] Yesadvertising Malware sigs

Matthew Jonkman matt at ...2436...
Tue Jun 29 18:51:44 EDT 2004


From James Ashton, slightly modified. Re the ISC alerts up now.

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yesadvertising Banking Spyware RETRIEVE"; uricontent:"/img1big.gif"; nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; sid:2000336; rev:1;)

alert tcp $HOME_NET any -> any 80 (msg:"BLEEDING-EDGE Yesadvertising Banking Spyware INFORMATION SUBMIT"; uricontent:"/cgi-bin/yes.pl"; nocase; reference:url,isc.sans.org/presentations/banking_malware.pdf; sid:2000337; rev:1;)

They're on bleeding now.

Matt
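
Added example, not part of the original post: a retrospective check of web or proxy logs for the same two URI patterns, matched case-insensitively against a normalized URI the way uricontent with nocase is. The common-log-format input, the function names and the normalization steps (a rough approximation, not Snort's own code) are assumptions, and the sample log lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# (sid, uricontent) pairs copied from the two rules in the post.
RULES = [(2000336, "/img1big.gif"), (2000337, "/cgi-bin/yes.pl")]

# Request field of a common-log-format line: "METHOD URI HTTP/x.y"
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [29/Jun/2004:18:40:01 -0400] "GET /img1big.gif HTTP/1.1" 200 5120',
    '10.0.0.5 - - [29/Jun/2004:18:40:09 -0400] "POST /CGI-BIN/%79es.pl HTTP/1.1" 200 12',
    '10.0.0.7 - - [29/Jun/2004:18:41:30 -0400] "GET /cgi-bin/./yes.pl?id=1 HTTP/1.0" 200 12',
    '10.0.0.9 - - [29/Jun/2004:18:42:11 -0400] "GET /images/logo.gif HTTP/1.1" 200 734',
]

def normalize_uri(uri):
    """Approximate URI normalization: percent-decode the path, fold
    backslashes and repeated slashes, resolve '.' and '..' segments."""
    path, sep, query = uri.partition("?")
    path = unquote(path).replace("\\", "/")
    path = re.sub(r"/{2,}", "/", path)
    norm = posixpath.normpath(path) if path else "/"
    if path.endswith("/") and norm != "/":
        norm += "/"  # normpath drops a trailing slash; keep it
    return norm + sep + query

def match_line(line):
    """Return the sids whose pattern occurs in the line's normalized URI."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    uri = normalize_uri(m.group(1)).lower()  # lower() mirrors nocase
    return [sid for sid, pattern in RULES if pattern.lower() in uri]

def scan(lines):
    """Return (line_number, sid) for every hit, in log order."""
    return [(n, sid) for n, line in enumerate(lines, 1) for sid in match_line(line)]

if __name__ == "__main__":
    for n, sid in scan(SAMPLE_LOG):
        print(f"line {n}: sid {sid}")
```
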



