[Snort-sigs] Openadvertising.com Malware Campaign malicious jar sigs

lists at ...3397... lists at ...3397...
Tue Jun 18 19:31:29 EDT 2013


On 06/18/2013 06:06 PM, Joel Esler wrote:
> Thanks James!

I've got hits and these aren't what I'm seeing, I was seeing 16-byte by 16-byte
to these; James good sig but I see your &k=&h= concatenated together without the
16-byte values.  As always James, you rock, despite what Joel says about you :)

hxxp://www.msas.ch/images/_notes/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57

hxxp://www.msas.ch/images/_notes/.cache/?f=sm_main.mp3&k=9899151747059329&h=0504dc8510fdce57

hxxp://www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=9465364283059318&h=0504dc8510fdce57

hxxp://www.la-diag.com/forum.bad/images/.cache/?f=site.jar&k=7484643054057816&h=a8946c52c90a7e96

hxxp://www.arielentertainment.com/images/new_buttons/enter_button/.cache/?f=site.jar&k=6046817725057817&h=a8946c52477b6b89

hxxp://iavisarts.org/include/adodb/.cache/?f=atom.jar&k=9900174397059339&h=0504dc8578794650

Recommending:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
(msg:"INDICATOR-COMPROMSED openxadvertising.com Malvertising Campaign
URI request"; flow:to_server,established;
content:"/.cache/?f="; http_uri; fast_pattern;
pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U";
metadata:policy balanced-ips drop, policy security-ips drop, service http;
reference:url,http://research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html;
classtype:trojan-activity; sid:10000079; rev:1;

These will catch all variants with no FPs, I ran 05/01/2013+ with the below Hive
query:

SELECT distinct
date_time,user_name,client_ip,http_status,block_reason,url_body_size,media_type,dest_ip,url,url_referrer,user_agent
FROM webwasher_full where day>='2013-05-01' and http_status <> '407'
and url rlike 'http:\\/\\/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$'

Cheers,
Nathan




More information about the Snort-sigs mailing list