[Snort-sigs] Malicious UA sig thoughts

James Lay jlay at ...3266...
Tue Sep 18 13:09:54 EDT 2012


On 2012-09-18 10:30, lists at ...3397... wrote:
> On 09/18/12 10:55, James Lay wrote:
>> I've been tracking a malicious email campaign that, via email, fires
>> sig 24102.  The email is usually a single image and link pointing to a
>> compromised server.  Once this is clicked a zip file is served
>> (currently INVOICE_FORM.zip); once extracted INVOICE_FORM.exe is
>> created, and once run, injects code into svchost.exe.  The below is a
>> sig to catch the UA on port 84 which it uses in my testing of multiple
>> exe's:
>
> Excellent find, analysis, and write-up James!  I wonder too if there's
> some value in some type of signature like:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"VRT COMMUNITY POLICY HTTP User-Agent and Host header seen on port not defined in HTTP_PORTS to EXTERNAL_NET could be malware"; flow:to_server,established; content:"|0d 0a|User-Agent|3a 20|"; fast_pattern:only; content:"|0d 0a|Host|3a 20|"; nocase; classtype:policy-violation; sid:x; rev:1;)
>
> Cheers,
> Nathan
>
> Thanks,
> Nathan


Thanks Nathan,

I think I'll try and test out your rule...I'll let you know how it flies.

James
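As an added example (not code from the thread), the matching logic of Nathan's proposed rule applied in Python to a few constructed flows: the port-84 request from James's analysis next to traffic the rule should ignore. The HOME_NET and HTTP_PORTS values, the sample addresses and the request bytes are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values for the snort.conf variables (site-specific in practice).
HOME_NET = ipaddress.ip_network("10.0.0.0/8")
HTTP_PORTS = {80, 8080}

# The rule's content matches, "|0d 0a|User-Agent|3a 20|" and "|0d 0a|Host|3a 20|".
# The first has fast_pattern:only and the second nocase; Snort's fast pattern
# matcher is case-insensitive, so both are compared case-insensitively here.
CONTENTS = (b"\r\nUser-Agent: ".lower(), b"\r\nHost: ".lower())


@dataclass
class Flow:
    src: str         # client address
    dst: str         # server address
    dport: int       # server port
    to_server: bool  # packet direction as flow:to_server sees it (session assumed established)
    payload: bytes   # application-layer data


def matches_rule(flow: Flow) -> bool:
    """Return True when the flow satisfies every condition of the proposed rule."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    # $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS, with $EXTERNAL_NET taken as !$HOME_NET
    if src not in HOME_NET or dst in HOME_NET or flow.dport in HTTP_PORTS:
        return False
    if not flow.to_server:  # flow:to_server,established
        return False
    body = flow.payload.lower()
    return all(pattern in body for pattern in CONTENTS)


# Constructed sample flows: a port-84 request like the one in the thread, plus
# traffic the rule must not alert on.
REQUEST = b"GET /update HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\nhost: 203.0.113.10\r\n\r\n"
SAMPLES = {
    "port84_http_to_external": Flow("10.1.2.3", "203.0.113.10", 84, True, REQUEST),
    "port80_http_to_external": Flow("10.1.2.3", "203.0.113.10", 80, True, REQUEST),
    "port84_http_to_internal": Flow("10.1.2.3", "10.9.9.9", 84, True, REQUEST),
    "port84_server_reply": Flow("10.1.2.3", "203.0.113.10", 84, False, REQUEST),
    "port84_no_host_header": Flow("10.1.2.3", "203.0.113.10", 84, True,
                                  b"GET /update HTTP/1.1\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
}


def evaluate_samples() -> dict:
    """Map each sample name to whether the rule would fire on it."""
    return {name: matches_rule(flow) for name, flow in SAMPLES.items()}
```

Because it is a policy rule, it fires just as readily on legitimate HTTP to a non-standard port, so HTTP_PORTS has to list every port a site's own web traffic actually uses before the alert means much.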
