[Snort-sigs] This is familiar

James Lay jlay at ...3266...
Fri May 17 17:14:48 EDT 2013


Yay..just like that one --c32 malware that kept popping up everywhere 
months ago, comes ded509 (google that..it's a hoot):

alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:established,to_client; file_data; content:"<!--ded509-->"; distance:0; content:"<!--/ded509-->"; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,http://www.jsunpack.jeek.org/?report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; classtype:trojan-activity; sid:10000063; rev:1;)

Currently being served at:

hxxp://tascq.dreamhosters.com/owner.html

Cleverly disguised as a "spam" email (something about satisfying 
ladies).  The jsunpack reference is a different one, so eh...it's spotty 
out in the wild I guess.  Enjoy on a Friday!

James
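As an added illustration (not part of James's post or the Snort project), the following re-implements in Python what the rule above checks: the HTTP response body (what file_data hands to the content matches) must contain the opening marker, and the closing marker must start at or after the end of that first match (the second content with distance:0). The sample responses are constructed.

```python
# Constructed sample responses; only the first is one the rule would fire on.
SAMPLES = [
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><body>page<!--ded509-->injected block<!--/ded509--></body></html>",
    # Opening marker only: second content match fails, no alert.
    b"HTTP/1.1 200 OK\r\n\r\n<html><!--ded509--></html>",
    # Markers in the wrong order: distance:0 means the close must follow the open.
    b"HTTP/1.1 200 OK\r\n\r\n<html><!--/ded509-->x<!--ded509--></html>",
    # Markers in a header, empty body: file_data only inspects the body.
    b"HTTP/1.1 200 OK\r\nX-Note: <!--ded509--><!--/ded509-->\r\n\r\n",
]

MARKERS = (b"<!--ded509-->", b"<!--/ded509-->")


def http_body(raw: bytes) -> bytes:
    """Return the body of a raw HTTP response (the buffer file_data selects)."""
    _head, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep else b""


def matches_ded509(body: bytes) -> bool:
    """Emulate content:"<!--ded509-->"; distance:0; content:"<!--/ded509-->"; distance:0;

    Each marker is searched from the end of the previous match, which is what
    a relative content match with distance:0 does in Snort.
    """
    pos = 0
    for marker in MARKERS:
        idx = body.find(marker, pos)
        if idx < 0:
            return False
        pos = idx + len(marker)
    return True


def scan_responses(responses) -> list:
    """Return the indices of responses the rule would alert on."""
    return [i for i, raw in enumerate(responses) if matches_ded509(http_body(raw))]


if __name__ == "__main__":
    print("alerting responses:", scan_responses(SAMPLES))  # [0]
```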
