[Snort-sigs] Quick Android/Fakelash.A!tr.spy sig

James Lay jlay at ...3266...
Mon Sep 24 14:12:03 EDT 2012


On Sep 24, 2012, at 11:40 AM, Joel Esler <jesler at ...435...> wrote:

> James,
> 
> It looks like the sections you wrote your sig off of are the text message and the phone number from the phone being sent; this would change every time. So given the information I have I wrote the following:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; content:"/data.php?action="; http_uri; nocase; content:"&m="; nocase; http_uri; distance:0; content:"&p="; http_uri; nocase; distance:0; content:"&n="; http_uri; nocase; distance:0; metadata:policy security-ips drop, service http; reference:url,http://blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity;)
> 
> 
> Please let me know how that works out.
> 
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
> 
> On Sep 21, 2012, at 5:14 PM, James Lay <jlay at ...3266...> wrote:
> 

Thanks Joel…leave it to me to focus on the wrong element 8-|  I'll let you know what I see.

James
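The point of Joel's rewrite, shown as an added example (this is not part of the original thread and not Snort or VRT code): a signature keyed on one captured SMS text or phone number only matches that one beacon, while one keyed on the stable URI structure `/data.php?action=` ... `&m=` ... `&p=` ... `&n=` matches every beacon. The script emulates the ordered, case-insensitive `content`/`http_uri`/`distance:0` chain from the rule against a simplified URI normalization. The sample requests, hostnames, parameter values and message texts are constructed for illustration, not captured traffic, and the normalization is an approximation of what Snort's http_inspect does.

```python
"""
Emulation of the http_uri content chain in the rule:
    "/data.php?action="  ->  "&m="  ->  "&p="  ->  "&n="
each with nocase and distance:0 relative to the previous match.
Added example; the sample requests below are constructed, not captured.
"""
from urllib.parse import unquote

# Ordered contents from the rule. distance:0 means each search begins
# where the previous match ended (Snort relative positioning).
RULE_CONTENTS = ["/data.php?action=", "&m=", "&p=", "&n="]

# A hypothetical signature keyed on one captured message text, i.e. the
# variable element the original sig was written against.
MESSAGE_KEYED_CONTENTS = ["&m=Hello Bob"]


def normalize_uri(raw_uri):
    """Approximate http_inspect URI normalization: percent-decode and
    collapse repeated slashes. Real Snort does more (directory traversal,
    UTF-8, etc.); this is enough to show matching on the normalized buffer."""
    uri = unquote(raw_uri)
    while "//" in uri:
        uri = uri.replace("//", "/")
    return uri


def ordered_match(buffer, contents, nocase=True):
    """Emulate a chain of content matches joined by distance:0.
    True only if every content is found in order, each search starting
    at the end of the previous match."""
    hay = buffer.lower() if nocase else buffer
    pos = 0
    for c in contents:
        needle = c.lower() if nocase else c
        idx = hay.find(needle, pos)
        if idx < 0:
            return False
        pos = idx + len(needle)  # distance:0 -> next search starts here
    return True


def _uri_of(request_line):
    parts = request_line.split(" ")
    return normalize_uri(parts[1]) if len(parts) >= 2 else ""


def rule_fires(request_line):
    """Apply the URI part of Joel's rule to a raw HTTP request line."""
    return ordered_match(_uri_of(request_line), RULE_CONTENTS)


def message_keyed_fires(request_line):
    """Apply the message-text-keyed signature for comparison."""
    return ordered_match(_uri_of(request_line), MESSAGE_KEYED_CONTENTS)


# Constructed beacons: same C2 endpoint shape, different text/number each time.
SAMPLE_REQUESTS = [
    "GET /data.php?action=sms&m=Hello%20Bob&p=%2B33612345678&n=Alice HTTP/1.1",
    "GET /data.php?action=sms&m=Rendez-vous%20ce%20soir&p=%2B33698765432&n=Jean HTTP/1.1",
    "GET /DATA.PHP?ACTION=sms&M=Salut&P=%2B33600000000&N=Marie HTTP/1.1",
]
# Constructed benign request sharing a parameter name but not the structure.
BENIGN_REQUEST = "GET /data.php?id=42&n=3 HTTP/1.1"


def main():
    for r in SAMPLE_REQUESTS + [BENIGN_REQUEST]:
        print("structure-keyed:", rule_fires(r),
              " message-keyed:", message_keyed_fires(r), " ", r)


if __name__ == "__main__":
    main()
```

Run it and the structure-keyed chain fires on all three constructed beacons (including the upper-cased one, because of `nocase`) and not on the benign request, while the message-keyed signature only fires on the single request that carried that exact text.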
