[Snort-sigs] Openadvertising.com Malware Campaign malicious jar sigs

James Lay jlay at ...3266...
Wed Jun 19 11:24:56 EDT 2013


On 2013-06-19 08:11, Joel Esler wrote:
> On Jun 18, 2013, at 7:31 PM, lists at ...3397... wrote:
>
>> hxxp://www.msas.ch/images/_notes/.cache/?f=site.jar&k=9899151747059318&h=0504dc8510fdce57
>
> This is the Jar exploit (more info below)
>
>>
>> hxxp://www.msas.ch/images/_notes/.cache/?f=sm_main.mp3&k=9899151747059329&h=0504dc8510fdce57
>
> This is the zeroaccess download
>
>>
>> hxxp://www.communicatemagazine.co.uk/plugins/editors/tinymce/jscripts/tiny_mce/plugins/media/images/.cache/?f=site.jar&k=9465364283059318&h=0504dc8510fdce57
>>
>> hxxp://www.la-diag.com/forum.bad/images/.cache/?f=site.jar&k=7484643054057816&h=a8946c52c90a7e96
>>
>> hxxp://www.arielentertainment.com/images/new_buttons/enter_button/.cache/?f=site.jar&k=6046817725057817&h=a8946c52477b6b89
>>
>> hxxp://iavisarts.org/include/adodb/.cache/?f=atom.jar&k=9900174397059339&h=0504dc8578794650
>
> More jar exploits, but two different methods, site.jar is
> cve-2013-1493 and atom.jar is cve-2013-2423.
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire


Good info Joel...also shows my bag of fail on my rule ;)  Thanks again.

James
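
As an added example (not code from this thread, from Snort or from VRT): a Python helper for hunting through proxy or HTTP logs for the URL shape shared by the samples quoted above, a path ending in `/.cache/` with `f`, `k` and `h` query parameters. The payload labels come from Joel's reply; the 16-digit `k` and 16-hex-character `h` lengths are assumptions drawn from those samples, and the function names and sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Payload names and labels are the ones given in the thread above.
PAYLOADS = {
    "site.jar": "Java exploit (CVE-2013-1493)",
    "atom.jar": "Java exploit (CVE-2013-2423)",
    "sm_main.mp3": "ZeroAccess download",
}
K_RE = re.compile(r"[0-9]{16}")     # assumption: k is always 16 digits
H_RE = re.compile(r"[0-9a-f]{16}")  # assumption: h is always 16 hex chars


def classify(url):
    """Return a label for a campaign-shaped URL, or None if it does not match."""
    # Accept defanged log entries (hxxp://) as well as live ones.
    url = re.sub(r"^hxxp", "http", url.strip(), flags=re.I)
    parts = urlsplit(url)
    if not parts.path.endswith("/.cache/"):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    # Exactly the three parameters, each given once, in any order.
    if set(qs) != {"f", "k", "h"} or any(len(v) != 1 for v in qs.values()):
        return None
    f, k, h = qs["f"][0], qs["k"][0], qs["h"][0]
    if not (K_RE.fullmatch(k) and H_RE.fullmatch(h.lower())):
        return None
    # A matching shape with a new file name is still worth a look.
    return PAYLOADS.get(f.lower(), "unknown payload name: " + f)


def hunt(urls):
    """Return (url, label) pairs for every URL that matches."""
    return [(u, label) for u in urls if (label := classify(u))]


# Constructed sample log entries (not taken from the thread).
SAMPLE = [
    "hxxp://shop.example.test/images/.cache/?f=site.jar&k=1234567890123456&h=00112233aabbccdd",
    "http://blog.example.test/inc/.cache/?h=00112233aabbccdd&k=1234567890123499&f=atom.jar",
    "http://cdn.example.test/img/.cache/?f=sm_main.mp3&k=1234567890123457&h=00112233aabbccdd",
    "http://ok.example.test/.cache/?f=site.jar&k=12&h=zz",       # wrong k/h shape
    "http://ok.example.test/static/app.jar?k=1234567890123456",  # unrelated jar
]

if __name__ == "__main__":
    for url, label in hunt(SAMPLE):
        print(label, url)
```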




