[Snort-sigs] This is familiar

Joel Esler jesler at ...435...
Sun May 19 13:11:07 EDT 2013


Thanks James.

On May 17, 2013, at 5:14 PM, James Lay <jlay at ...3266...> wrote:

> Yay..just like that one --c32 malware that kept popping up everywhere 
> months ago, comes ded509 (google that..it's a hoot):
> 
> alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any 
> (msg:"MALWARE-OTHER Compromised Website response - leads to Exploit 
> Kit"; flow:established,to_client; file_data; content:"<!--ded509-->"; 
> distance:0; content:"<!--/ded509-->"; distance:0; metadata:policy 
> balanced-ips drop, policy security-ips drop, ruleset community, service 
> http; 
> reference:url,http://www.jsunpack.jeek.org/?report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; 
> classtype:trojan-activity; sid:10000063; rev:1;)
> 
> Currently being served at:
> 
> hxxp://tascq.dreamhosters.com/owner.html
> 
> Cleverly disguised as a "spam" email (something about satisfying 
> ladies).  The jsunpack reference is a different one, so eh...it's spotty 
> out in the wild I guess.  Enjoy on a Friday!
> 
> James
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> 
> 
> Please visit http://blog.snort.org for the latest news about Snort!
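
The rule quoted above fires when the HTTP response body (what Snort's file_data option exposes) contains the comment marker <!--ded509--> followed, at any distance, by <!--/ded509-->. As an added example, not code from the original post or from the Snort project, the Python below reproduces that ordered matching over constructed sample responses, extracts the injected block between the markers, and shows the one caveat a practitioner runs into: a gzip-encoded body hides the markers until it is decompressed (Snort relies on http_inspect's inspect_gzip for that). The page content, the iframe, and the example.invalid host are made up for illustration.

```python
import gzip

# Markers from the Snort rule. The rule's two content matches are ordered:
# the closing marker is matched relative to the end of the opening marker
# (distance:0), so a reversed or lone marker must not fire.
OPEN_MARKER = b"<!--ded509-->"
CLOSE_MARKER = b"<!--/ded509-->"

# Constructed sample responses (not real captures). example.invalid is a
# reserved placeholder host, not an indicator.
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Owner page</h1><p>Nothing to see.</p></body></html>"
)

INJECTED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html><body><h1>Owner page</h1>\n"
    b"<!--ded509--><script>document.write('<iframe src=\"http://example.invalid/landing\" "
    b"width=1 height=1></iframe>')</script><!--/ded509-->\n"
    b"</body></html>"
)


def split_http_response(raw: bytes):
    """Split a raw HTTP response into (status line, lower-cased header dict, body).

    Only the body is searched for the markers, matching what file_data
    hands to the content matches in the rule.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers found")
    lines = head.split(b"\r\n")
    status = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def find_injected_block(body: bytes):
    """Return (offset, injected bytes) if the ded509 pair appears in order.

    Mirrors the rule: find the opening marker, then look for the closing
    marker only at or after the end of the opening one. Returns None when
    either marker is missing or they are in the wrong order.
    """
    start = body.find(OPEN_MARKER)
    if start < 0:
        return None
    after_open = start + len(OPEN_MARKER)
    end = body.find(CLOSE_MARKER, after_open)
    if end < 0:
        return None
    return start, body[after_open:end]


def inspect(raw_response: bytes) -> dict:
    """Apply the marker check to a full response, decompressing gzip bodies
    first so the markers are visible, as an inspecting IDS would have to."""
    status, headers, body = split_http_response(raw_response)
    if headers.get("content-encoding", "").lower() == "gzip":
        body = gzip.decompress(body)
    hit = find_injected_block(body)
    return {
        "status": status,
        "match": hit is not None,
        "offset": hit[0] if hit else -1,
        "injected": hit[1] if hit else b"",
    }


def gzip_response(raw_response: bytes) -> bytes:
    """Re-encode a response body with gzip and add the Content-Encoding
    header, to show that a plain byte search over the wire data misses
    the markers while inspect() still finds them."""
    head, _, body = raw_response.partition(b"\r\n\r\n")
    return head + b"\r\nContent-Encoding: gzip\r\n\r\n" + gzip.compress(body)


if __name__ == "__main__":
    for name, raw in (("clean", CLEAN_RESPONSE),
                      ("injected", INJECTED_RESPONSE),
                      ("injected+gzip", gzip_response(INJECTED_RESPONSE))):
        result = inspect(raw)
        print(f"{name:14s} match={result['match']} injected={result['injected'][:40]!r}")
```

Running it shows the clean page does not fire, the injected page fires with the script block between the markers, and the gzip variant fires only because the body was decompressed before matching; a raw byte search over the compressed response returns nothing, which is the same blind spot a sensor has when HTTP decompression is not enabled.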
