[Snort-sigs] Proposed Signatures for Fake Adobe Flash installer

lists at ...3397...
Tue Jul 9 13:07:39 EDT 2013


Apologies, content:".exe"; http_uri; within:8; needs to be removed from the
signature; when crafting it I misread the URL.

On 07/09/2013 11:25 AM, lists at ...3397... wrote:
> Typo squatting of http://youtbube.com/ HTTP 302s to
> hxxp://super-saving.veryfunnycomercials.com/?sid=12015&hid=dlhtflthdldhlvhf and
> attempts to install some badness in the form of
> http://downloads.getsoftfree.com/get/click/aafc1d2b/?uid=KD10I468UB&filename=Flash%20Player%2012
> 
> https://www.virustotal.com/en/file/22eb8974f9f5c50902cd2c773cdd95c2de9ace8911ab637cb6de6a1422b08ce6/analysis/1373386716/
> 
> Looking at the page body, it seems we have a very easy kill on this payload:
> 
> <!-- STARTALERT -->
> <script type="text/javascript">
> alert("WARNING! You should update your Flash Player Immediately");
> </script>
> <!-- ENDALERT -->
> 
> Proposed Signatures:
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"VRT COMMUNITY
> Fake Adobe Flash Player update warning enticing clicks to malware payload";
> flow:established,from_server; content:"WARNING|21| You should update your Flash
> Player Immediately"; classtype:trojan-activity; sid:x; rev:1;)
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY
> Fake Adobe Flash Player malware binary requested"; flow:established,to_server;
> content:"&filename=Flash Player "; http_uri; fast_pattern;
> content:".exe"; http_uri; within:8;
> classtype:trojan-activity; sid:x; rev:1;)
> 
> Cheers,
> Nathan
> 
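To show why the `.exe` content had to be dropped, here is a small Python model of Snort's content/within matching, added as an illustration and not part of Nathan's post or the Snort project. It assumes the http_uri buffer is the percent-decoded URI (so %20 becomes a space) and uses constructed samples modelled on the URL and page body quoted above.

```python
from urllib.parse import unquote

# Constructed samples modelled on the thread's quoted URL and page body (not captured traffic).
REQUEST_URI = "/get/click/aafc1d2b/?uid=KD10I468UB&filename=Flash%20Player%2012"
RESPONSE_BODY = (b'<script type="text/javascript">\n'
                 b'alert("WARNING! You should update your Flash Player Immediately");\n'
                 b'</script>')

# Each rule is an ordered list of (content, within) pairs as written in the signatures.
BODY_RULE = [("WARNING|21| You should update your Flash Player Immediately", None)]
URI_RULE_ORIGINAL = [("&filename=Flash Player ", None), (".exe", 8)]
URI_RULE_CORRECTED = [("&filename=Flash Player ", None)]


def parse_content(text):
    """Expand a Snort content string into bytes, decoding |hex| blocks such as |21|."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode()
    return bytes(out)


def normalized_uri(raw_uri):
    """Assumption: the http_uri buffer holds the percent-decoded URI."""
    return unquote(raw_uri).encode()


def match_contents(buf, contents):
    """Evaluate content matches in order; 'within' limits how many bytes past the
    end of the previous match the next content is allowed to end."""
    pos = 0
    for pattern, within in contents:
        pat = parse_content(pattern)
        search_space = buf[pos:] if within is None else buf[pos:pos + within]
        hit = search_space.find(pat)
        if hit == -1:
            return False
        pos += hit + len(pat)
    return True


def evaluate():
    uri = normalized_uri(REQUEST_URI)
    return {
        "body_rule": match_contents(RESPONSE_BODY, BODY_RULE),
        # Only "12" follows "Flash Player " in the decoded URI, so ".exe" never fits in 8 bytes.
        "uri_rule_original": match_contents(uri, URI_RULE_ORIGINAL),
        "uri_rule_corrected": match_contents(uri, URI_RULE_CORRECTED),
    }


if __name__ == "__main__":
    print(evaluate())
```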