[Snort-sigs] Quick Android/Fakelash.A!tr.spy sig

Joel Esler jesler at ...435...
Mon Sep 24 13:40:30 EDT 2012


James,

It looks like the sections you wrote your sig off of are the text message and the phone number from the phone being sent; this would change every time.  So given the information I have I wrote the following:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; content:"/data.php?action="; http_uri; nocase; content:"&m="; nocase; http_uri; distance:0; content:"&p="; http_uri; nocase; distance:0; content:"&n="; http_uri; nocase; distance:0; metadata:policy security-ips drop, service http; reference:url,http://blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity;)


Please let me know how that works out.

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire
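As an added illustration of the point above (not Joel's or James's code, and not part of the original thread), the following Python script simulates the ordered `content` / `distance:0` / `nocase` matching of the two rules against a handful of constructed URIs. The matching semantics are deliberately simplified: `fast_pattern` is ignored and every content is checked against the URI buffer only, so the raw-payload versus `http_uri` distinction is collapsed. The sample URIs and the parameter values in them are made up for the demonstration, not captured traffic.

```python
# Added example for this thread (not Joel's or James's code): a small
# simulator of Snort's ordered-content matching, run against constructed
# URIs to show why keying on the fixed URI structure (/data.php?action=
# followed by &m=, &p=, &n=) holds up when the message and phone number
# values change, while keying on the sample values does not.

from dataclasses import dataclass
from typing import Dict, List, Tuple

# One content option: (pattern, nocase, relative).  `relative` models
# `distance:0`, i.e. the search begins where the previous content ended.
Content = Tuple[str, bool, bool]


@dataclass
class Rule:
    msg: str
    contents: List[Content]


def uri_matches(rule: Rule, uri: str) -> bool:
    """Return True when every content option matches the URI buffer.

    Non-relative contents are searched from the start of the buffer, as
    Snort does for a content without distance/within; relative ones start
    at the end of the previous match.  (Simplified: fast_pattern and the
    raw-payload vs. http_uri buffer distinction are not modelled.)
    """
    cursor = 0
    for pattern, nocase, relative in rule.contents:
        hay, needle = (uri.lower(), pattern.lower()) if nocase else (uri, pattern)
        start = cursor if relative else 0
        idx = hay.find(needle, start)
        if idx < 0:
            return False
        cursor = idx + len(needle)
    return True


# Joel's structure-based rule, reduced to its http_uri content options.
STRUCTURE_RULE = Rule(
    "Android/Fakelash.A!tr.spy C2 (URI structure)",
    [
        ("/data.php?action=", True, False),
        ("&m=", True, True),   # distance:0
        ("&p=", True, True),   # distance:0
        ("&n=", True, True),   # distance:0
    ],
)

# James's first draft, reduced to its two content options.
VALUE_RULE = Rule(
    "Android/Fakelash.A!tr.spy C2 (sample values)",
    [
        ("=hithere", False, False),
        ("=1234", False, False),
    ],
)

# Constructed sample URIs (hypothetical, not captured traffic).  The
# message (m=) and phone (p=) values are the parts that vary per device.
SAMPLE_URIS: Dict[str, str] = {
    "sample_from_writeup": "/data.php?action=add&m=hithere&p=1234&n=1",
    "different_device":    "/data.php?action=add&m=Bonjour&p=0612345678&n=2",
    "mixed_case":          "/DATA.PHP?Action=add&M=hello&P=5551234&N=3",
    "params_reordered":    "/data.php?action=add&n=1&p=1234&m=hithere",
    "benign_lookalike":    "/search.php?q=hithere&page=1234",
}


def evaluate(rule: Rule) -> Dict[str, bool]:
    """Map each constructed URI label to whether `rule` fires on it."""
    return {label: uri_matches(rule, uri) for label, uri in SAMPLE_URIS.items()}


if __name__ == "__main__":
    for rule in (STRUCTURE_RULE, VALUE_RULE):
        print(rule.msg)
        for label, hit in evaluate(rule).items():
            print(f"  {label:22s} {'ALERT' if hit else '-'}")
```

Running it shows the structure-based rule firing on the write-up sample, a second device with a different message and number, and a mixed-case variant, while staying quiet on a benign URI that merely contains the same sample values; the value-based draft does the opposite. The `params_reordered` case also shows the cost of `distance:0`: the structure rule only fires when `&m=`, `&p=` and `&n=` appear in that order, which is exactly what makes it worth confirming the order against a pcap.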

On Sep 21, 2012, at 5:14 PM, James Lay <jlay at ...3266...> wrote:

> Maybe add the /data.php?action=add?  Not sure...sanity checked, but not 
> much more as I don't have pcaps.
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; content:"=hithere"; content:"=1234"; fast_pattern:only; http_uri; metadata:policy security-ips drop, service http; reference:url,http://blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:10000028; rev:1;)
> 
> As always, comments and improvements welcome.  Thanks all!
> 
> James
