[Snort-sigs] Quick Android/Fakelash.A!tr.spy sig

Joel Esler jesler at ...435...
Fri Sep 21 19:51:38 EDT 2012


Thanks James. I'll see if we have pcaps. 

--
Joel Esler

On Sep 21, 2012, at 5:14 PM, James Lay <jlay at ...3266...> wrote:

> Maybe add the /data.php?action=add?  Not sure...sanity checked, but not 
> much more as I don't have pcaps.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
> Android/Fakelash.A!tr.spy trojan command and control channel traffic"; 
> flow:to_server,established; content:"=hithere"; content:"=1234"; 
> fast_pattern:only; http_uri; metadata:policy security-ips drop, service 
> http; 
> reference:url,http://blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; 
> classtype:trojan-activity; sid:10000028; rev:1;)
> 
> As always, comments and improvements welcome.  Thanks all!
> 
> James
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org

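As an added example (not code from this thread, from James, or from the Snort project), the following Python snippet emulates the content checks of the draft rule above over a few constructed HTTP requests. It assumes Snort 2.9 rule-option semantics (each modifier binds to the content immediately before it, so "=1234" carries http_uri and fast_pattern:only while "=hithere" is searched in the raw payload) and models the suggested "/data.php?action=add" addition as an optional extra http_uri content; the request samples are made up, not pcaps.

```python
from dataclasses import dataclass


@dataclass
class HttpRequest:
    """Minimal stand-in for a reassembled client request (constructed data)."""
    method: str
    uri: str
    body: str = ""

    def raw_payload(self) -> str:
        # What a content without an http_ modifier is matched against:
        # request line, headers and body as one buffer.
        return f"{self.method} {self.uri} HTTP/1.1\r\nHost: example.invalid\r\n\r\n{self.body}"


def rule_matches(req: HttpRequest, require_data_php: bool = False) -> bool:
    # Stage 1: fast-pattern prefilter. "=1234" is fast_pattern:only with
    # http_uri, so it is looked up only in the URI buffer and is not
    # re-evaluated afterwards (assumption: Snort 2.9 semantics).
    if "=1234" not in req.uri:
        return False
    # Stage 2: "=hithere" has no http_ modifier, so the raw payload is searched.
    if "=hithere" not in req.raw_payload():
        return False
    # Optional third content modelling the proposed http_uri addition.
    if require_data_php and "/data.php?action=add" not in req.uri:
        return False
    return True


# Constructed sample traffic, labelled by what each case exercises.
SAMPLES = {
    "beacon": HttpRequest("GET", "/data.php?action=add&name=hithere&pin=1234"),
    "other_path": HttpRequest("GET", "/index.php?user=hithere&code=1234"),
    "benign_lookup": HttpRequest("GET", "/search?q=1234"),
    "tokens_in_body": HttpRequest("POST", "/data.php?action=add",
                                  body="name=hithere&pin=1234"),
}


def evaluate_all(require_data_php: bool = False) -> dict:
    """Return {sample name: bool} so the effect of the extra URI check is visible."""
    return {name: rule_matches(req, require_data_php) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for strict in (False, True):
        print(f"require_data_php={strict}: {evaluate_all(strict)}")
```

The "tokens_in_body" case shows why the URI-bound fast pattern matters: both tokens are present in the payload, but the prefilter never fires because "=1234" is not in the URI buffer.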