[Snort-sigs] [Emerging-Sigs] Malicious swf sig

James Lay jlay at ...3266...
Wed Dec 10 14:01:35 EST 2014


On 2014-12-10 11:11 AM, Shefferman, Ian wrote:
> So far I've seen these Flash files used primarily (and probably
> solely) to redirect to Angler exploit kit "32x32" gates. A typical
> chain is as follows:
>
> (Source: http://malware-traffic-analysis.net/2014/10/30/index.html)
>
> GET kj-invest.com/2de96bd378d6e6614297e27284fdb335.swf
> POST newfamilynutrition.com/c9e9975e0f51af3ce1354090fb303d8e.php?q=87086c5336208ce7836edca90ecc8d25   # this POST request is made by the SWF
> GET qwe.leucaenaleucocephalaporno.net/7xibe37z48   # actual Angler EK
> GET qwe.leucaenaleucocephalaporno.net/4PJOZWsxU4AMjReTBUSHArovOS32pWLvpt0cwm0sEion8J7ahaP62dkHtp-auIWi
>
> The SWF receives parameters dynamically through HTML param attributes
> to determine where to redirect.
>
> -----Original Message-----
> From: emerging-sigs-bounces at ...3694...
> [mailto:emerging-sigs-bounces at ...3694...] On Behalf Of
> James Lay
> Sent: Wednesday, December 10, 2014 11:27 AM
> To: Snort-sigs; Emerging
> Subject: [Emerging-Sigs] Malicious swf sig
>
> Didn't see this in current sets, so here goes. Seen this in the
> wild...attaching as an image for safety.  The Shockwave file does a
> simple URLrequest.  Interesting thing to note was the ETag in the
> response:
>
> GET /f4ce3f4ef065f157d07dd20977598b0e.swf HTTP/1.1
> Accept: */*
> Accept-Language: en-US
> Referer: <redacted>www.futurehopping.com / self-sustaining-greenhouse/
> x-flash-version: 14,0,0,176
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
> Trident/5.0)
> Host: 2dollarpeepshow.com
> Cache-Control: max-stale=0
> Connection: Keep-Alive
> Pragma: no-cache
>
> HTTP/1.1 200 OK
> Date: Tue, 09 Dec 2014 23:55:31 GMT
> Server: Apache/2.2.15 (CentOS)
> Last-Modified: Tue, 02 Dec 2014 15:35:51 GMT
> ETag: "2f184b-3bc-5093d7b5e83c0"
> Accept-Ranges: bytes
> Content-Length: 956
> Connection: close
> Content-Type: application/x-shockwave-flash
>
> Not sure if this is isolated, or an infection of some sort....the
> iframe parameter might be able to be sig'd up as well:
>
> <redacted>iframe name="37BF769D6F28F3EA27520E9EC44C0644" id="37BF769D6F28F3EA27520E9EC44C0644" style="position:absolute;top:5000px;left:5000px;width:300px;height:300px;"></iframe<redacted>
>
> Anyway sig here:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Malicious Shockwave redirect script"; content:"|2e|swf"; fast_pattern:only; pcre:"/[0-9a-z]{16}\.swf/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977; classtype:trojan-activity; sid:10000147; rev:1;)
>
> All the previous names are 16 characters (thanks VT) so that's what
> I'm matching on..might help out someone somewhere...thoughts and
> fixes are welcome..thanks all.
>
> James


Ya this needs more work...clearly as I run it now.  More to follow.

James
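The redirect chain Ian describes (a hex-named .swf fetch, then the SWF's own POST to a hex-named .php gate with a 32-hex "q" value) can also be caught in proxy logs by correlating the two requests per client rather than matching the filename alone. The script below is an added example, not code from the thread; it assumes a constructed log format of "<iso-time> <client> <METHOD> <url>" and a 30-second correlation window, and checks for 32-hex-character names, which the unanchored 16-character pcre in James's rule matches as well.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Hex-named Flash file such as f4ce3f4ef065f157d07dd20977598b0e.swf (32 hex chars).
HEX_SWF = re.compile(r"/[0-9a-f]{32}\.swf$")
# Hex-named gate script that the SWF POSTs to, with a 32-hex "q" parameter.
HEX_PHP = re.compile(r"/[0-9a-f]{32}\.php$")
HEX32 = re.compile(r"^[0-9a-f]{32}$")
WINDOW = timedelta(seconds=30)  # assumed: max delay between SWF fetch and its POST

def parse_line(line):
    """Parse one constructed proxy log line: '<iso-time> <client> <METHOD> <url>'."""
    ts, client, method, url = line.split(" ", 3)
    return datetime.fromisoformat(ts), client, method, urlsplit(url)

def find_swf_redirect_chains(log_lines):
    """Return (client, swf_host, gate_host) for each hex-named .swf GET that is
    followed within WINDOW by a POST from the same client to a hex-named .php
    whose q parameter is 32 hex characters."""
    pending = {}  # client -> (time of swf fetch, swf host)
    chains = []
    for line in log_lines:
        ts, client, method, url = parse_line(line)
        if method == "GET" and HEX_SWF.search(url.path):
            pending[client] = (ts, url.netloc)
            continue
        if method == "POST" and HEX_PHP.search(url.path) and client in pending:
            q = parse_qs(url.query).get("q", [""])[0]
            swf_ts, swf_host = pending[client]
            if HEX32.match(q) and ts - swf_ts <= WINDOW:
                chains.append((client, swf_host, url.netloc))
                del pending[client]
    return chains

# Constructed sample log, modelled on the chain quoted in the thread.
SAMPLE_LOG = [
    "2014-12-09T23:55:31 10.0.0.5 GET http://kj-invest.com/2de96bd378d6e6614297e27284fdb335.swf",
    "2014-12-09T23:55:32 10.0.0.5 POST http://newfamilynutrition.com/c9e9975e0f51af3ce1354090fb303d8e.php?q=87086c5336208ce7836edca90ecc8d25",
    "2014-12-09T23:55:40 10.0.0.9 GET http://example.test/player.swf",          # ordinary name, no hit
    "2014-12-09T23:56:00 10.0.0.9 POST http://example.test/login.php?q=search",  # no hex gate, no hit
]

if __name__ == "__main__":
    for chain in find_swf_redirect_chains(SAMPLE_LOG):
        print("swf->gate chain:", chain)
```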