[Snort-sigs] Openadvertising.com Malware Campaign malicious jar sigs

James Lay jlay at ...3266...
Tue Jun 18 20:19:13 EDT 2013


On Jun 18, 2013, at 5:31 PM, lists at ...3397... wrote:

> On 06/18/2013 06:06 PM, Joel Esler wrote:
>> Thanks James!
> 
> I've got hits and these aren't what I'm seeing, I was seeing 16-byte by 16-byte
> to these; James good sig but I see your &k=&h= concatenated together without the
> 16-byte values.  As always James, you rock, despite what Joel says about you :)
> 
> hxxp://www.msas.ch/images/_notes/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57
> 
> hxxp://www.msas.ch/images/_notes/.cache/?f=sm_main.mp3&k=9899151747059329&h=0504dc8510fdce57
> 
> hxxp://www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=9465364283059318&h=0504dc8510fdce57
> 
> hxxp://www.la-diag.com/forum.bad/images/.cache/?f=site.jar&k=7484643054057816&h=a8946c52c90a7e96
> 
> hxxp://www.arielentertainment.com/images/new_buttons/enter_button/.cache/?f=site.jar&k=6046817725057817&h=a8946c52477b6b89
> 
> hxxp://iavisarts.org/include/adodb/.cache/?f=atom.jar&k=9900174397059339&h=0504dc8578794650
> 
> Recommending:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"INDICATOR-COMPROMISED openxadvertising.com Malvertising Campaign
> URI request"; flow:to_server,established;
> content:"/.cache/?f="; http_uri; fast_pattern;
> pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U";
> metadata:policy balanced-ips drop, policy security-ips drop, service http;
> reference:url,http://research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html;
> classtype:trojan-activity; sid:10000079; rev:1;)
> 
> These will catch all variants with no FPs; I ran 05/01/2013+ with the below Hive
> query:
> 
> SELECT distinct
> date_time,user_name,client_ip,http_status,block_reason,url_body_size,media_type,dest_ip,url,url_referrer,user_agent
> FROM webwasher_full where day>='2013-05-01' and http_status <> '407'
> and url rlike 'http:\\/\\/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$'
> 
> Cheers,
> Nathan

Nice work Nathan thanks…and LOL as well ;)

James
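As an added illustration (not part of the original thread), the following Python reproduces the detection logic of Nathan's rule outside Snort: the `content:"/.cache/?f="; http_uri` gate is checked first, then the `pcre` with the `/U` modifier is applied to the normalized URI buffer (path plus query, which is what `urlsplit` is used to reconstruct here). The Hive `rlike` check from the validation query is also implemented so the two can be compared. The six URLs are the ones quoted in the thread with `hxxp` restored to `http`; the negative cases are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# The six defanged URLs quoted by Nathan in the thread (hxxp -> http so urlsplit can parse them).
THREAD_URLS = [
    "http://www.msas.ch/images/_notes/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57",
    "http://www.msas.ch/images/_notes/.cache/?f=sm_main.mp3&k=9899151747059329&h=0504dc8510fdce57",
    "http://www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=9465364283059318&h=0504dc8510fdce57",
    "http://www.la-diag.com/forum.bad/images/.cache/?f=site.jar&k=7484643054057816&h=a8946c52c90a7e96",
    "http://www.arielentertainment.com/images/new_buttons/enter_button/.cache/?f=site.jar&k=6046817725057817&h=a8946c52477b6b89",
    "http://iavisarts.org/include/adodb/.cache/?f=atom.jar&k=9900174397059339&h=0504dc8578794650",
]

# Constructed negatives (not from the thread): benign-looking traffic that must not fire.
CONSTRUCTED_NEGATIVES = [
    "http://example.com/images/.cache/?f=logo.png",                              # no k/h pair at all
    "http://example.com/images/.cache/?f=site.jar&k=&h=",                        # k/h present but without the 16-byte values
    "http://example.com/assets/app.js?v=1234567890abcdef&x=abcdef1234567890",    # one '&' only, no /.cache/?f=
]

# Constructed case that has the k/h pair but not the /.cache/?f= path: the Hive
# regex (no content anchor) matches it, the Snort rule does not.
CONSTRUCTED_HIVE_ONLY = "http://example.com/dl?f=a&k=0123456789abcdef&h=0123456789abcdef"

CONTENT_ANCHOR = "/.cache/?f="
# pcre from the rule; /U means it is evaluated against the normalized URI buffer.
URI_RE = re.compile(r"[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$")
# rlike pattern from the Hive query (Hive's '\\/' literal becomes the regex '\/').
HIVE_RE = re.compile(r"http:\/\/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$")


def snort_uri(url: str) -> str:
    """Rebuild path+query, i.e. what Snort's http_uri buffer holds for this request."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def rule_matches(url: str) -> bool:
    """Emulate the rule: fast_pattern content gate, then the pcre on the URI buffer."""
    uri = snort_uri(url)
    if CONTENT_ANCHOR not in uri:
        return False
    return URI_RE.search(uri) is not None


def hive_matches(url: str) -> bool:
    """Emulate the Hive validation query's rlike on the full URL string."""
    return HIVE_RE.search(url) is not None


def classify(urls):
    """Return (url, snort_hit, hive_hit) for each URL so the two checks can be compared."""
    return [(u, rule_matches(u), hive_matches(u)) for u in urls]


if __name__ == "__main__":
    for url, snort_hit, hive_hit in classify(THREAD_URLS + CONSTRUCTED_NEGATIVES + [CONSTRUCTED_HIVE_ONLY]):
        print(f"snort={snort_hit!s:5} hive={hive_hit!s:5} {url}")
```

The comparison shows why the Snort rule carries the `/.cache/?f=` content match in addition to the regex: the Hive pattern alone keys only on the two 16-hex-character parameters, so a URL with that parameter shape on a different path satisfies it, whereas the rule requires both the path fragment and the parameter shape.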


