[Snort-sigs] Openadvertising.com Malware Campaign malicious jar sigs

Joel Esler jesler at ...435...
Wed Jun 19 09:57:36 EDT 2013


BTW -- sig 26653 also catches this.


On Jun 19, 2013, at 9:46 AM, Joel Esler <jesler at ...435...> wrote:

> All,
> 
> I have rules that will ship in the next rule pack for these already written.  I'll add the community tag to them so they go out for free.
> 
> 
> On Jun 18, 2013, at 7:31 PM, lists at ...3397... wrote:
> 
>> On 06/18/2013 06:06 PM, Joel Esler wrote:
>>> Thanks James!
>> 
>> I've got hits and these aren't what I'm seeing, I was seeing 16-byte by 16-byte
>> to these; James good sig but I see your &k=&h= concatenated together without the
>> 16-byte values.  As always James, you rock, despite what Joel says about you :)
>> 
>> hxxp://www.msas.ch/images/_notes/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57
>> 
>> hxxp://www.msas.ch/images/_notes/.cache/?f=sm_main.mp3&k=9899151747059329&h=0504dc8510fdce57
>> 
>> hxxp://www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=9465364283059318&h=0504dc8510fdce57
>> 
>> hxxp://www.la-diag.com/forum.bad/images/.cache/?f=site.jar&k=7484643054057816&h=a8946c52c90a7e96
>> 
>> hxxp://www.arielentertainment.com/images/new_buttons/enter_button/.cache/?f=site.jar&k=6046817725057817&h=a8946c52477b6b89
>> 
>> hxxp://iavisarts.org/include/adodb/.cache/?f=atom.jar&k=9900174397059339&h=0504dc8578794650
>> 
>> Recommending:
>> 
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS
>> (msg:"INDICATOR-COMPROMISED openxadvertising.com Malvertising Campaign
>> URI request"; flow:to_server,established;
>> content:"/.cache/?f="; http_uri; fast_pattern;
>> pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U";
>> metadata:policy balanced-ips drop, policy security-ips drop, service http;
>> reference:url,http://research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html;
>> classtype:trojan-activity; sid:10000079; rev:1;)
>> 
>> These will catch all variants with no FPs, I ran 05/01/2013+ with the below Hive
>> query:
>> 
>> SELECT distinct
>> date_time,user_name,client_ip,http_status,block_reason,url_body_size,media_type,dest_ip,url,url_referrer,user_agent
>> FROM webwasher_full where day>='2013-05-01' and http_status <> '407'
>> and url rlike 'http:\\/\\/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$'
>> 
>> Cheers,
>> Nathan
>> 
> 

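Added example, not code from the thread or from the Snort rule pack: a Python re-implementation of the match logic in Nathan's rule (the `/.cache/?f=` fast-pattern content gate followed by the pcre over the http_uri buffer) beside the looser regex from his Hive query, run offline over the six indicators quoted above (re-armed from hxxp:// to http:// for parsing only) plus constructed negative cases under the reserved name example.invalid. It shows which requests each pattern does and does not catch: both are anchored with `$`, so a trailing extra parameter breaks the match, neither has a case-insensitive flag, and the Hive pattern does not require the `/.cache/?f=` marker at all.

```python
import re
from urllib.parse import urlsplit

# The six indicators quoted in the thread, as posted (hxxp -> http).
INDICATORS = [
    "http://www.msas.ch/images/_notes/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57",
    "http://www.msas.ch/images/_notes/.cache/?f=sm_main.mp3&k=9899151747059329&h=0504dc8510fdce57",
    "http://www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=9465364283059318&h=0504dc8510fdce57",
    "http://www.la-diag.com/forum.bad/images/.cache/?f=site.jar&k=7484643054057816&h=a8946c52c90a7e96",
    "http://www.arielentertainment.com/images/new_buttons/enter_button/.cache/?f=site.jar&k=6046817725057817&h=a8946c52477b6b89",
    "http://iavisarts.org/include/adodb/.cache/?f=atom.jar&k=9900174397059339&h=0504dc8578794650",
]

# Constructed negatives (example.invalid is a reserved name; nothing here is fetched).
NEG_SHORT_HASH = "http://example.invalid/images/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce5"   # 15 hex chars
NEG_TRAILING_PARAM = "http://example.invalid/images/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57&x=1"  # $ anchor
NEG_UPPER_HEX = "http://example.invalid/images/.cache/?f=site.jar&k=9899151747059318&h=0504DC8510FDCE57"   # no /i flag
# Constructed request that the Hive rlike catches but the Snort rule does not (no /.cache/?f= marker).
HIVE_ONLY_URL = "http://example.invalid/index.php?id=3&k=1234567890abcdef&h=fedcba0987654321"

SAMPLE_URLS = INDICATORS + [NEG_SHORT_HASH, NEG_TRAILING_PARAM, NEG_UPPER_HEX, HIVE_ONLY_URL]

# Rule logic: `content:"/.cache/?f="; http_uri; fast_pattern;` is a literal substring
# test on the normalized URI buffer (path + query); the pcre with /U runs on that buffer.
FAST_PATTERN = "/.cache/?f="
URI_PCRE = re.compile(r"[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$")

# Hive query logic: rlike against the whole logged URL, anchored at the scheme
# rather than at the /.cache/?f= marker (Hive's rlike is a search, not a full match).
HIVE_RLIKE = re.compile(r"http://[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$")


def http_uri(url: str) -> str:
    """Approximate Snort's http_uri buffer: the path plus '?' and the query string."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def snort_rule_matches(url: str) -> bool:
    """True when both the content gate and the pcre of sid:10000079 would fire."""
    uri = http_uri(url)
    if FAST_PATTERN not in uri:      # fast_pattern content check fails -> pcre never evaluated
        return False
    return URI_PCRE.search(uri) is not None


def hive_query_matches(url: str) -> bool:
    """True when the rlike clause of the Hive query would select this URL."""
    return HIVE_RLIKE.search(url) is not None


def classify(urls):
    """Return (snort_hits, hive_only): URLs the rule catches, and URLs only the Hive regex catches."""
    snort_hits = [u for u in urls if snort_rule_matches(u)]
    hive_only = [u for u in urls if hive_query_matches(u) and not snort_rule_matches(u)]
    return snort_hits, hive_only


if __name__ == "__main__":
    hits, hive_only = classify(SAMPLE_URLS)
    for u in SAMPLE_URLS:
        print(f"snort={snort_rule_matches(u)!s:5} hive={hive_query_matches(u)!s:5} {u}")
    print(f"{len(hits)} rule hits, {len(hive_only)} Hive-only hits")
```

The `hive_only` list is the practical check before trusting the "no FPs" claim from a Hive run: the proxy-log regex is broader than the IDS rule, so a clean Hive result does not by itself prove the rule is tight, and a hit set that differs between the two tells you which side to adjust.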