[Snort-sigs] This is familiar
jlay at ...3266...
Fri May 17 17:14:48 EDT 2013
Yay..just like that one --c32 malware that kept popping up everywhere
months ago, comes ded509 (google that..it's a hoot):
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ( \
    msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; \
    flow:established,to_client; \
    file_data; \
    content:"<!--ded509-->"; distance:0; \
    content:"<!--/ded509-->"; distance:0; \
    metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; \
    classtype:trojan-activity; sid:10000063; rev:1; )
Currently being served at:
Cleverly disguised as a "spam" email (something about satisfying
ladies). The jsunpack reference is a different one, so eh...it's spotty
out in the wild I guess. Enjoy on a Friday!
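Added example (not part of the original post or of any Snort ruleset): a small Python emulation of what the rule above checks, so the ordered-match logic can be exercised offline. It mimics Snort's file_data buffer for an HTTP response by stripping the header block, then requires the opening ded509 comment followed later by the closing one, and returns the markup injected between them. The HTTP responses below are constructed samples; the injected script and its example.invalid host are placeholders, not an observed payload.

```python
# Emulation of the ded509 Snort rule's content matches (added example, not Snort code).

OPEN_MARKER = b"<!--ded509-->"
CLOSE_MARKER = b"<!--/ded509-->"

# Constructed sample: a legitimate-looking page with an injected block bracketed
# by the ded509 comments the rule looks for (placeholder host, not a real IoC).
INJECTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Welcome</h1>\n"
    b"<!--ded509--><script src=\"http://example.invalid/x.js\"></script><!--/ded509-->\n"
    b"</body></html>"
)

# Constructed sample: a clean response that must not alert.
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body>Hello</body></html>"
)


def http_body(raw: bytes) -> bytes:
    """Return the payload after the HTTP header block, roughly what Snort's
    file_data buffer contains for an HTTP response. A message with no header
    separator is treated as body-only."""
    sep = raw.find(b"\r\n\r\n")
    return raw if sep == -1 else raw[sep + 4:]


def match_ded509(raw: bytes):
    """Apply the rule's two ordered content matches.

    'content:"<!--ded509-->"; distance:0;' matches the opening marker anywhere
    in the body; the second content with distance:0 requires the closing marker
    to occur at or after the end of the first match. Returns the bytes injected
    between the markers when both match in order, otherwise None."""
    body = http_body(raw)
    start = body.find(OPEN_MARKER)
    if start == -1:
        return None
    after_open = start + len(OPEN_MARKER)
    end = body.find(CLOSE_MARKER, after_open)
    if end == -1:
        return None
    return body[after_open:end]


def scan(responses):
    """Run the emulated rule over several responses and collect alerts in the
    shape a SIEM pipeline might consume: (sid, injected markup)."""
    alerts = []
    for raw in responses:
        injected = match_ded509(raw)
        if injected is not None:
            alerts.append((10000063, injected))
    return alerts


if __name__ == "__main__":
    for sid, injected in scan([INJECTED_RESPONSE, CLEAN_RESPONSE]):
        print(f"sid:{sid} injected={injected!r}")
```

The second `distance:0` is what makes the markers' order matter: a body containing the closing comment before the opening one does not alert, which `scan` reproduces by searching for the close marker only after the open marker's end.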