[Snort-sigs] BHv2 Mailing Campaign Gate natpay.html

Community Proposed lists at ...3397...
Thu Jun 6 12:31:28 EDT 2013


Another BHv2 mailing campaign. All the gates at the moment are pointing to
hxxp://usforclosedhomes.net/news/walls_autumns-serial.php, which is /news/ BHv2
and should be covered by existing sigs. Message subjects start with the text
"Transmission Confirmation ~"

We've got some good IP candidates associated with malware.

 ;; ANSWER SECTION:
 usforclosedhomes.net.   16      IN      A       46.18.160.86
 usforclosedhomes.net.   16      IN      A       93.89.235.13
 usforclosedhomes.net.   16      IN      A       112.170.169.56
 usforclosedhomes.net.   16      IN      A       41.89.6.179

Snort Sig:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"VRT COMMUNITY BHv2 EK Initial Gate from NatPay Mailing Campaign"; \
    flow:established,to_server; content:"/natpay.html?"; http_uri; \
    classtype:trojan-activity; sid:x; rev:1;)

Ran the above through my Hadoop/Hive cluster for 04/01/2013 with no FPs.

Observed Gates:

212.204.194.200	hxxp://cocomobeachclub.nl/natpay.html?refid=I7FO3W39Z-JQSCF43T
212.204.194.200	hxxp://cocomobeachclub.nl/natpay.html?subj=Customer%20Report%20Question~FNQ0YNJ1~21431376
213.186.33.19	hxxp://edpp-peinture.com/natpay.html?message=Customer%20Report%20Question~PW64N6Z9~54557847
213.186.33.19	hxxp://edpp-peinture.com/natpay.html?ref=Z0J1HX60D335_ASJ2ZE6E
80.82.120.30	hxxp://grace-and-glory.com/natpay.html?action=contact&id=B4GCOX56JL_F9MIG0R3
80.82.120.30	hxxp://grace-and-glory.com/natpay.html?subject=Customer%20Report%20Question~F9MIG0R3~32549389
89.45.166.170	hxxp://hotelplutitor-deltadunarii.ro/natpay.html?ref_id=Y3CKJMYI3_B8FY111N
89.45.166.170	hxxp://hotelplutitor-deltadunarii.ro/natpay.html?subj=Customer%20Report%20Question~WOBLRJ4P~37382413
91.206.201.249	hxxp://kurortnoe.net/natpay.html?message=Customer%20Report%20Question~0P7HPPSJ~51037958
82.165.107.162	hxxp://rockundpop.info/natpay.html?contact_us=WR9EZZJ4B9_EM92D6KW
103.4.217.233	hxxp://trainingsrt.com/natpay.html?msg=Customer%20Report%20Question~GPBMQB4T~20508276
81.177.140.12	hxxp://viadolorosa.ru/natpay.html?contact=6HL38VT050_E861QJ73
81.177.140.12	hxxp://viadolorosa.ru/natpay.html?subj=Customer%20Report%20Question~PQW5CQH4~54668962
184.106.55.29	hxxp://www.mobilis.us.com/natpay.html?action=contact&id=L22OM528G8_K4M89CEY
184.106.55.29	hxxp://www.mobilis.us.com/natpay.html?contact_us=TVSXRCO7HG_4VKLH1KB
184.106.55.29	hxxp://www.mobilis.us.com/natpay.html?msg=Customer%20Report%20Question~4VKLH1KB~33052404
184.106.55.29	hxxp://www.mobilis.us.com/natpay.html?msg=Customer%20Report%20Question~K4M89CEY~24368422
184.106.55.29	hxxp://www.mobilis.us.com/natpay.html?ref=6YBG8EV5&id=4VKLH1KB
89.42.216.40	hxxp://www.pelisem.ro/natpay.html?ref=8BAF5AVDE_6LH0YGK0
79.172.241.39	hxxp://zpt.hu/natpay.html?ref_id=3U25K06E_D9ILSMP6
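The following script is an added example, not part of the original Snort-sigs message. It re-implements offline what the proposed rule does on the wire (a case-sensitive `content` match for "/natpay.html?" against the normalized HTTP URI, since the rule has no `nocase`) and runs it over a few constructed request lines, then turns the "Observed Gates" list above into IP/host indicators usable for a blocklist or DNS-log search. The request-line format, the `hxxp` refanging and the parsing helpers are assumptions made for this example.

```python
"""Offline check of the NatPay gate detection from the post (added example)."""
from urllib.parse import urlsplit, unquote

# The rule's content match, exactly as written in the post. Without
# `nocase`, Snort compares it case-sensitively against the http_uri buffer.
RULE_CONTENT = "/natpay.html?"

# A subset of the "Observed Gates" lines quoted in the post (tab-separated
# "<ip>\t<url>", defanged hxxp:// scheme kept as the post has it).
OBSERVED_GATES = """\
212.204.194.200\thxxp://cocomobeachclub.nl/natpay.html?refid=I7FO3W39Z-JQSCF43T
213.186.33.19\thxxp://edpp-peinture.com/natpay.html?ref=Z0J1HX60D335_ASJ2ZE6E
80.82.120.30\thxxp://grace-and-glory.com/natpay.html?action=contact&id=B4GCOX56JL_F9MIG0R3
184.106.55.29\thxxp://www.mobilis.us.com/natpay.html?msg=Customer%20Report%20Question~4VKLH1KB~33052404
"""


def refang(url):
    """Turn the defanged hxxp:// scheme back into http:// for parsing (assumption)."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def normalized_uri(url):
    """Approximate Snort's normalized http_uri buffer: path plus query string,
    with %xx escapes decoded the way the HTTP inspector does before matching."""
    parts = urlsplit(refang(url))
    uri = parts.path or "/"
    if parts.query:
        uri += "?" + parts.query
    return unquote(uri)


def rule_matches(url):
    """True when the rule's content string occurs in the normalized URI."""
    return RULE_CONTENT in normalized_uri(url)


def parse_gate_list(text):
    """Parse the post's '<ip>\\t<url>' lines into indicator dicts."""
    indicators = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, url = line.split("\t", 1)
        host = urlsplit(refang(url)).hostname
        indicators.append({"ip": ip, "host": host, "url": url})
    return indicators


def gate_indicators(text):
    """Unique (ip, host) pairs for a blocklist or a DNS/proxy log search."""
    return sorted({(i["ip"], i["host"]) for i in parse_gate_list(text)})


# Constructed request lines in a simple "<client> <method> <url>" format:
# two gate hits from the post, benign traffic, and two near-misses.
SAMPLE_REQUESTS = [
    "10.0.0.5 GET hxxp://cocomobeachclub.nl/natpay.html?refid=I7FO3W39Z-JQSCF43T",
    "10.0.0.7 GET http://example.org/index.html",
    "10.0.0.8 GET http://example.org/NATPAY.HTML?x=1",   # case differs: no match
    "10.0.0.9 GET http://example.org/natpay.html",        # no '?': no match
    "10.0.0.11 GET hxxp://zpt.hu/natpay.html?ref_id=3U25K06E_D9ILSMP6",
]


def alerts_for(lines):
    """Return the client IPs whose requests the rule would alert on."""
    hits = []
    for line in lines:
        client, _method, url = line.split(" ", 2)
        if rule_matches(url):
            hits.append(client)
    return hits


if __name__ == "__main__":
    for client in alerts_for(SAMPLE_REQUESTS):
        print("alert:", client)
    for ip, host in gate_indicators(OBSERVED_GATES):
        print("gate:", ip, host)
```

The two near-misses are the ones worth noting when tuning: the rule will not fire on a differently-cased path (no `nocase`) or on `/natpay.html` requested without a query string, which is consistent with every observed gate URL above carrying a tracking parameter after the `?`.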