[Snort-sigs] Quick Android/Fakelash.A!tr.spy sig

James Lay jlay at ...3266...
Fri Sep 21 17:14:38 EDT 2012


Maybe add the /data.php?action=add?  Not sure...sanity checked, but not 
much more as I don't have pcaps.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; content:"=hithere"; content:"=1234"; http_uri; fast_pattern:only; metadata:policy security-ips drop, service http; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:10000028; rev:1;)

As always, comments and improvements welcome.  Thanks all!

James
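As an added example, not part of James's post or of any official Snort tooling: a small Python harness that mimics just the content and http_uri checks of the rule above (flow, ports, normalization and the fast-pattern matcher are not modelled) and runs them over constructed HTTP requests. It evaluates the rule as posted, where "=hithere" is matched anywhere in the payload, next to a tightened variant that also requires the suggested /data.php?action=add and pins every content to the URI buffer. The sample requests and the "tightened" rule are assumptions made for the demonstration.

```python
"""Evaluate the content/http_uri options of a Snort rule against sample HTTP requests.

Only the content matching is emulated: each content either matches anywhere in the
raw payload (no modifier) or only inside the request URI (http_uri). Real Snort
matches http_uri against a normalized URI; here the raw request-line URI is used.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Content:
    pattern: bytes
    http_uri: bool = False  # True: restrict the match to the request URI buffer


@dataclass
class HttpRequest:
    raw: bytes
    method: bytes
    uri: bytes
    headers: dict
    body: bytes


def parse_request(raw: bytes) -> HttpRequest:
    """Split a raw HTTP/1.x request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, uri, _version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(raw, method, uri, headers, body)


def rule_matches(req: HttpRequest, contents: list) -> bool:
    """All contents must match; each one in the buffer its modifier selects."""
    for c in contents:
        haystack = req.uri if c.http_uri else req.raw
        if c.pattern not in haystack:
            return False
    return True


# The rule as posted: only the second content is scoped to the URI.
POSTED_RULE = [Content(b"=hithere"), Content(b"=1234", http_uri=True)]

# Assumed tightened variant: adds the suggested path and pins every content to the URI.
TIGHTENED_RULE = [
    Content(b"/data.php?action=add", http_uri=True),
    Content(b"=hithere", http_uri=True),
    Content(b"=1234", http_uri=True),
]

# Constructed sample traffic (not captured pcaps).
CNC_REQUEST = (
    b"GET /data.php?action=add&phone=1234&msg=hithere HTTP/1.1\r\n"
    b"Host: cnc.example.invalid\r\n\r\n"
)
# Both markers present, but "=hithere" sits in a header, not the URI.
MIXED_REQUEST = (
    b"GET /status?id=1234 HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"User-Agent: app=hithere\r\n\r\n"
)
# Benign form post: "=hithere" only in the body, "=1234" only in a header.
BENIGN_REQUEST = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: www.example.invalid\r\n"
    b"X-Trace: id=1234\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    b"greeting=hithere"
)


def evaluate(raw: bytes) -> dict:
    """Return which of the two rule variants fire on one raw request."""
    req = parse_request(raw)
    return {
        "posted": rule_matches(req, POSTED_RULE),
        "tightened": rule_matches(req, TIGHTENED_RULE),
    }


if __name__ == "__main__":
    for name, raw in [("cnc", CNC_REQUEST), ("mixed", MIXED_REQUEST), ("benign", BENIGN_REQUEST)]:
        print(name, evaluate(raw))
```

The mixed request is the interesting one: the posted rule fires on it because the unscoped "=hithere" is found in the User-Agent header, while the URI-pinned variant does not. Whether that is a false positive or a missed variant depends on what the real C&C traffic looks like, which is exactly the pcap question raised in the post.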