[Snort-sigs] TIFF images in MS-Office documents used in targeted attacks

Paul Bottomley Paul.Bottomley at ...3813...
Wed Nov 6 04:54:45 EST 2013


Good write up here:
http://www.alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets
" Network traffic

Perform HTTP GET requests, some examples are:
    /logitech/rt.php?cn=xx@<username>&str=&file=no 

    /green/srt.php?cn=xx@<username>&str=&file=no

    /funbox/rt.php?cn=<MACHINE_NAME>@<USER>&str=&file=no

    /joy/rt.php?cn=<MACHINE_NAME>@<USER>&str=&file=no

You can look for the pattern "&str=&file=no" in your proxy logs to find infected systems."

So something like:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Outbound connection related to ms office zero day"; flow:established,to_server; content:"&str=&file=no"; fast_pattern:only; http_uri; reference:url,alienvault.com/open-threat-exchange/blog/microsoft-office-zeroday-used-to-attack-pakistani-targets; priority:1; sid:xxxxxxx; rev:1;)

Maybe you could incorporate some regex...

pcre:"/\/[a-z]{2,3}\.php\?cn=[^&\s]+&str=&file=no/Ui";

I've not tested the above...

Paul
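As an added example (not part of either message in this thread), the proxy-log sweep the write-up suggests, run over constructed log lines: the loose substring check from the blog beside a stricter match on the beacon's own URI shape, which drops unrelated requests that merely share the "&str=&file=no" tail. Log format, hostnames and client addresses are all made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines (squid common-log style); not real traffic.
# Fields: client_ip ident user [timestamp] "METHOD URL HTTP/x" status bytes
SAMPLE_LOG = """\
10.1.2.15 - - [06/Nov/2013:09:12:01 +0000] "GET http://example-c2.invalid/logitech/rt.php?cn=xx@jsmith&str=&file=no HTTP/1.1" 200 512
10.1.2.16 - - [06/Nov/2013:09:12:07 +0000] "GET http://www.example.com/index.html HTTP/1.1" 200 10240
10.1.2.17 - - [06/Nov/2013:09:13:44 +0000] "GET http://example-c2.invalid/funbox/rt.php?cn=WS-0042@ahmed&str=&file=no HTTP/1.1" 200 498
10.1.2.18 - - [06/Nov/2013:09:14:02 +0000] "GET http://cdn.example.net/app.js?v=3&str=&file=no HTTP/1.1" 200 2048
10.1.2.19 - - [06/Nov/2013:09:15:30 +0000] "GET http://example-c2.invalid/green/srt.php?cn=xx@maria&str=&file=no HTTP/1.1" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*"'
)

# Loose check straight from the write-up: the substring anywhere in the request URL.
LOOSE = "&str=&file=no"

# Stricter check: /<dir>/rt.php or srt.php?cn=<machine>@<user>&str=&file=no.
# [^&\s]+ rather than [a-z@<>]* because the cn value carries hostnames and
# usernames of any case; the <> in the write-up are placeholders, not literals.
STRICT_RE = re.compile(r"/s?rt\.php\?cn=[^&\s]+@[^&\s]+&str=&file=no$", re.IGNORECASE)


def find_beacons(log_text, strict=True):
    """Return one dict per client request that looks like the beacon.

    The server's status code is ignored on purpose: a 404 still means the
    client tried to check in, which is what identifies an infected host.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or LOOSE not in m["url"]:
            continue
        parts = urlsplit(m["url"])
        uri = parts.path + ("?" + parts.query if parts.query else "")
        if strict and not STRICT_RE.search(uri):
            continue  # shares the tail only; e.g. an unrelated app.js?...&str=&file=no
        cn = parse_qs(parts.query).get("cn", [""])[0]
        hits.append({"client": m["ip"], "ts": m["ts"], "host": parts.hostname,
                     "uri": uri, "cn": cn})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(f'{hit["client"]} -> {hit["host"]} {hit["uri"]} (cn={hit["cn"]})')
```

The cn value doubles as a host inventory hint: it names the infected machine and user as the implant reports them, which is worth cross-checking against the proxy's client address.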

-----Original Message-----
From: James Lay [mailto:jlay at ...3266...] 
Sent: 05 November 2013 18:49
To: Snort-sigs
Subject: [Snort-sigs] TIFF images in MS-Office documents used in targeted attacks

Per ISC

TIFF images in MS-Office documents used in targeted attacks
   http://isc.sans.edu/diary.html?n&storyid=16964

Anyone got any pcaps/additional info on this?

James
