[Snort-sigs] Proposed Signatures for Fake Adobe Flash installer

Tue Jul 9 12:25:11 EDT 2013


Typo squatting of http://youtbube.com/ HTTP 302s to
hxxp://super-saving.veryfunnycomercials.com/?sid=12015&hid=dlhtflthdldhlvhf and
attempts to install some badness in the form of
http://downloads.getsoftfree.com/get/click/aafc1d2b/?uid=KD10I468UB&filename=Flash%20Player%2012

https://www.virustotal.com/en/file/22eb8974f9f5c50902cd2c773cdd95c2de9ace8911ab637cb6de6a1422b08ce6/analysis/1373386716/

Looking at the page body, it seems we have a very easy kill on this payload:

<!-- STARTALERT -->
<script type="text/javascript">
alert("WARNING! You should update your Flash Player Immediately");
</script>
<!-- ENDALERT -->

Proposed Signatures:

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY Fake Adobe Flash Player update warning enticing clicks to malware payload"; flow:established,from_server; content:"WARNING|21| You should update your Flash Player Immediately"; classtype:trojan-activity; sid:x; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY Fake Adobe Flash Player malware binary requested"; flow:established,to_server; content:"&filename=Flash Player "; http_uri; fast_pattern; content:".exe"; http_uri; within:8; classtype:trojan-activity; sid:x; rev:1;)

Cheers,
Nathan
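To see how the two proposed rules actually match, here is a pure-Python emulation of their logic run against constructed traffic (an added example, not part of the original post and not Snort code). It assumes Snort's documented behaviour: |xx| hex escapes in content, http_uri matching on the percent-decoded URI, and within:N requiring the next content to lie entirely inside the N bytes after the previous match.

```python
"""Pure-Python emulation of the two proposed Snort rules, so their matching
logic can be exercised against constructed traffic offline. Added example,
not part of the original post and not Snort code."""
import re
from urllib.parse import unquote

# Rule 1 content exactly as the proposal writes it: |21| is Snort's hex escape for "!".
ALERT_CONTENT = "WARNING|21| You should update your Flash Player Immediately"


def snort_content_to_bytes(content: str) -> bytes:
    """Expand |xx xx| hex escapes in a Snort content string to the raw bytes matched."""
    def hex_chunk(m: re.Match) -> str:
        return bytes.fromhex(m.group(1).replace(" ", "")).decode("latin-1")
    return re.sub(r"\|([0-9A-Fa-f ]+)\|", hex_chunk, content).encode("latin-1")


def fake_flash_alert_in_body(http_body: bytes) -> bool:
    """Rule 1 (flow:from_server): the lure text appears anywhere in the response body."""
    return snort_content_to_bytes(ALERT_CONTENT) in http_body


def fake_flash_binary_requested(raw_uri: str) -> bool:
    """Rule 2 (flow:to_server). http_uri matches the *normalised* URI, so %20 is
    decoded before the first content is searched; within:8 then requires the whole
    ".exe" to lie inside the 8 bytes following the end of the first match."""
    uri = unquote(raw_uri).encode("latin-1", "replace")
    anchor = b"&filename=Flash Player "
    start = uri.find(anchor)
    if start == -1:
        return False
    end_of_first = start + len(anchor)
    return b".exe" in uri[end_of_first:end_of_first + 8]


# Constructed samples (not captured traffic); the path mirrors the one in the post.
SAMPLE_URI = "/get/click/aafc1d2b/?uid=KD10I468UB&filename=Flash%20Player%2012.exe"
SAMPLE_BODY = (b'<!-- STARTALERT --><script type="text/javascript">'
               b'alert("WARNING! You should update your Flash Player Immediately");'
               b"</script><!-- ENDALERT -->")

if __name__ == "__main__":
    print("rule 1 fires:", fake_flash_alert_in_body(SAMPLE_BODY))
    print("rule 2 fires:", fake_flash_binary_requested(SAMPLE_URI))
```

A filename such as "Flash Player 2013_setup.exe" shows the within:8 constraint: the ".exe" falls outside the 8-byte window and rule 2 does not fire.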
