[Snort-sigs] Openadvertising.com Malware Campaign malicious jar sigs

Joel Esler jesler at ...435...
Wed Jun 19 09:46:13 EDT 2013


All,

I already have rules written for these that will ship in the next rule pack. I'll add the community tag to them so they go out for free.


On Jun 18, 2013, at 7:31 PM, lists at ...3397... wrote:

> On 06/18/2013 06:06 PM, Joel Esler wrote:
>> Thanks James!
> 
> I've got hits, and these aren't what I'm seeing; I was seeing 16-byte by 16-byte
> to these. James, good sig, but I see your &k=&h= concatenated together without the
> 16-byte values. As always James, you rock, despite what Joel says about you :)
> 
> hxxp://www.msas.ch/images/_notes/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57
> 
> hxxp://www.msas.ch/images/_notes/.cache/?f=sm_main.mp3&k=9899151747059329&h=0504dc8510fdce57
> 
> hxxp://www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=9465364283059318&h=0504dc8510fdce57
> 
> hxxp://www.la-diag.com/forum.bad/images/.cache/?f=site.jar&k=7484643054057816&h=a8946c52c90a7e96
> 
> hxxp://www.arielentertainment.com/images/new_buttons/enter_button/.cache/?f=site.jar&k=6046817725057817&h=a8946c52477b6b89
> 
> hxxp://iavisarts.org/include/adodb/.cache/?f=atom.jar&k=9900174397059339&h=0504dc8578794650
> 
> Recommending:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
> (msg:"INDICATOR-COMPROMISE openxadvertising.com Malvertising Campaign
> URI request"; flow:to_server,established;
> content:"/.cache/?f="; http_uri; fast_pattern;
> pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U";
> metadata:policy balanced-ips drop, policy security-ips drop, service http;
> reference:url,http://research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html;
> classtype:trojan-activity; sid:10000079; rev:1;)
> 
> These will catch all variants with no FPs; I ran 05/01/2013+ with the below Hive
> query:
> 
> SELECT distinct
> date_time,user_name,client_ip,http_status,block_reason,url_body_size,media_type,dest_ip,url,url_referrer,user_agent
> FROM webwasher_full where day>='2013-05-01' and http_status <> '407'
> and url rlike 'http:\\/\\/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$'
> 
> Cheers,
> Nathan
> 
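To sanity-check the proposed rule's URI logic offline, here is an added Python emulation (not from the thread, and not Snort itself) of its content and pcre conditions, run over the URLs quoted above plus constructed negatives on a placeholder host; Snort's own URI normalization and the $HOME_NET/$EXTERNAL_NET constraints are assumed out of scope.

```python
import re
from urllib.parse import urlsplit

# The proposed rule has two URI checks; both must fire for an alert:
#   content:"/.cache/?f="; http_uri;                       -> literal substring
#   pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U" -> anchored to URI end
CONTENT_MATCH = "/.cache/?f="
URI_PCRE = re.compile(r"[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$")

def request_uri(url: str) -> str:
    """Path plus query string, i.e. the part Snort inspects with http_uri."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")

def rule_matches(url: str) -> bool:
    """True when both the content match and the pcre hit on the URI."""
    uri = request_uri(url)
    return CONTENT_MATCH in uri and URI_PCRE.search(uri) is not None

# URLs observed in the thread (defanged hxxp kept so nothing is clickable).
OBSERVED = [
    "hxxp://www.msas.ch/images/_notes/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57",
    "hxxp://www.msas.ch/images/_notes/.cache/?f=sm_main.mp3&k=9899151747059329&h=0504dc8510fdce57",
    "hxxp://www.la-diag.com/forum.bad/images/.cache/?f=site.jar&k=7484643054057816&h=a8946c52c90a7e96",
    "hxxp://iavisarts.org/include/adodb/.cache/?f=atom.jar&k=9900174397059339&h=0504dc8578794650",
]

# Constructed negatives (placeholder host): the "&k=&h=" form with the 16-byte
# values missing that the reply mentions, a benign .cache fetch with no k/h
# parameters, and a hit followed by a trailing parameter that defeats the "$" anchor.
NOT_MATCHED = [
    "hxxp://example.test/images/.cache/?f=site.jar&k=&h=",
    "hxxp://example.test/images/.cache/?f=logo.png",
    "hxxp://example.test/images/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57&x=1",
]

def triage(urls):
    """Return {url: bool} so a reviewer can see which requests would alert."""
    return {u: rule_matches(u) for u in urls}

if __name__ == "__main__":
    for url, hit in triage(OBSERVED + NOT_MATCHED).items():
        print("ALERT " if hit else "clean ", url)
```

The third negative is worth keeping in mind when deploying: because the pcre ends in `$`, any extra query parameter appended after `h=` silences the rule.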




