[Snort-sigs] Malicious swf sig

James Lay jlay at ...3266...
Wed Dec 10 11:27:23 EST 2014

Didn't see this in current sets, so here goes. Seen this in the 
wild...attaching as an image for safety.  The Shockwave file does a 
simple URLrequest.  Interesting thing to note was the ETag in the 

GET /f4ce3f4ef065f157d07dd20977598b0e.swf HTTP/1.1
Accept: */*
Accept-Language: en-US
Referer: <redacted>www.futurehopping.com / self-sustaining-greenhouse/
x-flash-version: 14,0,0,176
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; 
Host: 2dollarpeepshow.com
Cache-Control: max-stale=0
Connection: Keep-Alive
Pragma: no-cache

HTTP/1.1 200 OK
Date: Tue, 09 Dec 2014 23:55:31 GMT
Server: Apache/2.2.15 (CentOS)
Last-Modified: Tue, 02 Dec 2014 15:35:51 GMT
ETag: "2f184b-3bc-5093d7b5e83c0"
Accept-Ranges: bytes
Content-Length: 956
Connection: close
Content-Type: application/x-shockwave-flash

Not sure if this is isolated, or an infection of some sort....the 
iframe parameter might be able to be sig'd up as well:

<redacted>iframe name="37BF769D6F28F3EA27520E9EC44C0644" 

Anyway sig here:
(msg:"MALWARE-OTHER Malicious Shockwave redirect script"; 
content:"|2e|swf"; fast_pattern:only; pcre:"/[0-9a-z]{16}\.swf/"; 
metadata:impact_flag red, policy balanced-ips drop, policy security-ips 
drop, service http; reference: 
classtype:trojan-activity; sid:10000147; rev:1;)

All the previous names are 16 characters (thanks VT) so that's what I'm 
matching on..might help out someone somewhere...thoughts and fixes are 
welcome..thanks all.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 2014-12-10 09_07_27-_new  1 - Notepad++.png
Type: application/octet-stream
Size: 38424 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20141210/865541a4/attachment.obj>

More information about the Snort-sigs mailing list