[Snort-sigs] Malicious UA sig thoughts

lists at ...3397...
Tue Sep 18 12:30:17 EDT 2012


On 09/18/12 10:55, James Lay wrote:
> I've been tracking a malicious email campaign that, via email, fires 
> sig 24102.  The email is usually a single image and link pointing to a 
> compromised server.  Once this is clicked a zip file is served 
> (currently INVOICE_FORM.zip); once extracted INVOICE_FORM.exe is 
> created, and once run, injects code into svchost.exe.  The below is a 
> sig to catch the UA on port 84 which it uses in my testing of multiple 
> exes:

Excellent find, analysis, and write-up, James!  I wonder too if there's some
value in some type of signature like:

# Proposed policy rule: HTTP request headers on a port the sensor does not treat as HTTP.
# sid:x is a placeholder; nocase applies only to the Host content that precedes it.
alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"VRT COMMUNITY POLICY HTTP User-Agent and Host header seen on port not defined in HTTP_PORTS to EXTERNAL_NET could be malware"; \
    flow:to_server,established; \
    content:"|0d 0a|User-Agent|3a 20|"; fast_pattern:only; \
    content:"|0d 0a|Host|3a 20|"; nocase; \
    classtype:policy-violation; sid:x; rev:1;)

Cheers,
Nathan

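To see what the proposed rule actually keys on, here is an added Python emulation of its header and content checks run over a handful of constructed TCP segments. This is example code written for this page, not a rule or tool from the Snort-sigs thread; the HOME_NET and HTTP_PORTS values, the Segment type and the sample payloads are assumptions standing in for a sensor's snort.conf variables and real captures.

```python
"""Emulate the proposed Snort policy rule against captured TCP segments.

Added example, not code from the Snort-sigs post. HOME_NET and HTTP_PORTS
are assumed values standing in for a sensor's snort.conf variables.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed sensor variables (not from the post).
HOME_NET = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
HTTP_PORTS = {80, 8080, 8000, 3128}

# The rule's two content patterns, decoded from Snort's |hex| notation.
#   content:"|0d 0a|User-Agent|3a 20|"; fast_pattern:only  -> case-sensitive
#   content:"|0d 0a|Host|3a 20|"; nocase                   -> case-insensitive
UA_PATTERN = b"\r\nUser-Agent: "
HOST_PATTERN = b"\r\nHost: "


@dataclass
class Segment:
    src: str
    dst: str
    dport: int
    to_server: bool    # stands in for flow:to_server,established
    payload: bytes


def in_home_net(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in HOME_NET)


def matches_rule(seg: Segment) -> bool:
    """Return True if seg would fire the proposed rule."""
    # Header: tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS
    if not in_home_net(seg.src) or in_home_net(seg.dst):
        return False
    if seg.dport in HTTP_PORTS:
        return False
    # flow:to_server,established
    if not seg.to_server:
        return False
    # Both contents are non-relative, so each may appear anywhere in the payload.
    if UA_PATTERN not in seg.payload:                      # no nocase: exact case only
        return False
    return HOST_PATTERN.lower() in seg.payload.lower()     # nocase


def scan(segments):
    """Indices of the segments that would alert."""
    return [i for i, s in enumerate(segments) if matches_rule(s)]


# Constructed sample traffic (not captured from the campaign in the post).
REQ = b"GET /gate.php HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nHost: 203.0.113.10\r\n\r\n"
SAMPLES = [
    Segment("10.1.2.3", "203.0.113.10", 84, True, REQ),     # 0: HTTP on port 84 -> alert
    Segment("10.1.2.3", "203.0.113.10", 80, True, REQ),     # 1: port is in HTTP_PORTS
    Segment("10.1.2.3", "203.0.113.10", 8080, True, REQ),   # 2: port is in HTTP_PORTS
    Segment("10.1.2.3", "203.0.113.10", 84, True,
            b"\x16\x03\x01\x00\xa5\x01\x00"),               # 3: not HTTP at all
    Segment("203.0.113.10", "10.1.2.3", 84, False,
            b"HTTP/1.1 200 OK\r\nHost: x\r\n\r\n"),          # 4: server side, not to_server
    Segment("10.1.2.3", "10.9.9.9", 84, True, REQ),         # 5: destination inside HOME_NET
    Segment("10.1.2.3", "203.0.113.10", 84, True,
            b"GET / HTTP/1.1\r\nuser-agent: curl\r\nhost: a.example\r\n\r\n"),  # 6: lowercase UA
]

if __name__ == "__main__":
    for i in scan(SAMPLES):
        s = SAMPLES[i]
        print(f"alert: {s.src} -> {s.dst}:{s.dport} {s.payload[:24]!r}")
```

Two things the emulation makes visible. Only sample 0 fires, so the rule is really a port-policy check: any plaintext HTTP client talking to a port missing from HTTP_PORTS will alert, including legitimate internal tools on odd ports, which is why classtype:policy-violation rather than a malware classtype is the right label. And because nocase is attached only to the Host content, sample 6 (a client that sends "user-agent:" in lower case) slips past the User-Agent match; if that matters for the malware being tracked, nocase would need to be added to the first content as well.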