[Snort-sigs] [Emerging-Sigs] Malicious swf sig

Will Metcalf william.metcalf at ...2420...
Wed Dec 10 15:58:03 EST 2014


Will check into those on the ET side. For some reason I think I've seen a
leading dir sometimes, could be wrong though.

Regards,

Will

On Wed, Dec 10, 2014 at 1:09 PM, James Lay <jlay at ...3266...> wrote:

> On 2014-12-10 11:11 AM, Shefferman, Ian wrote:
>
>> So far I've seen these Flash files used primarily (and probably
>> solely) to redirect to Angler exploit kit "32x32" gates. A typical
>> chain is as follows:
>>
>> (Source: http://malware-traffic-analysis.net/2014/10/30/index.html)
>>
>> GET kj-invest.com/2de96bd378d6e6614297e27284fdb335.swf
>> POST newfamilynutrition.com/c9e9975e0f51af3ce1354090fb303d8e.php?q=87086c5336208ce7836edca90ecc8d25  # this POST request is made by the SWF
>> GET qwe.leucaenaleucocephalaporno.net/7xibe37z48  # actual Angler EK
>> GET qwe.leucaenaleucocephalaporno.net/4PJOZWsxU4AMjReTBUSHArovOS32pWLvpt0cwm0sEion8J7ahaP62dkHtp-auIWi
>>
>> The SWF receives parameters dynamically through HTML param attributes
>> to determine where to redirect.
>>
>> -----Original Message-----
>> From: emerging-sigs-bounces at ...3694...
>> [mailto:emerging-sigs-bounces at ...3694...] On Behalf Of
>> James Lay
>> Sent: Wednesday, December 10, 2014 11:27 AM
>> To: Snort-sigs; Emerging
>> Subject: [Emerging-Sigs] Malicious swf sig
>>
>> Didn't see this in current sets, so here goes. Seen this in the
>> wild...attaching as an image for safety. The Shockwave file does a
>> simple URLRequest. Interesting thing to note was the ETag in the
>> response:
>>
>> GET /f4ce3f4ef065f157d07dd20977598b0e.swf HTTP/1.1
>> Accept: */*
>> Accept-Language: en-US
>> Referer: <redacted>www.futurehopping.com / self-sustaining-greenhouse/
>> x-flash-version: 14,0,0,176
>> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64;
>> Trident/5.0)
>> Host: 2dollarpeepshow.com
>> Cache-Control: max-stale=0
>> Connection: Keep-Alive
>> Pragma: no-cache
>>
>> HTTP/1.1 200 OK
>> Date: Tue, 09 Dec 2014 23:55:31 GMT
>> Server: Apache/2.2.15 (CentOS)
>> Last-Modified: Tue, 02 Dec 2014 15:35:51 GMT
>> ETag: "2f184b-3bc-5093d7b5e83c0"
>> Accept-Ranges: bytes
>> Content-Length: 956
>> Connection: close
>> Content-Type: application/x-shockwave-flash
>>
>> Not sure if this is isolated, or an infection of some sort...the
>> iframe parameter might be able to be sig'd up as well:
>>
>> <redacted>iframe name="37BF769D6F28F3EA27520E9EC44C0644" id="37BF769D6F28F3EA27520E9EC44C0644" style="position:absolute;top:5000px;left:5000px;width:300px;height:300px;"></iframe<redacted>
>>
>> Anyway sig here:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Malicious Shockwave redirect script"; content:"|2e|swf"; fast_pattern:only; pcre:"/[0-9a-z]{16}\.swf/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977; classtype:trojan-activity; sid:10000147; rev:1;)
>>
>> All the previous names are 16 characters (thanks VT) so that's what
>> I'm matching on..might help out someone somewhere...thoughts and fixes
>> are welcome..thanks all.
>>
>> James
>>
>
> Ok..this one should be a little better..clearly I'm not good at making
> sigs ;) :
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Angler Landing Gate"; content:"|2e|swf"; fast_pattern:only; pcre:"/GET \/[0-9a-z]{16}\.swf/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977; classtype:trojan-activity; sid:10000147; rev:3;)
>
> James
>
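Added example, not part of the thread above: the pcre bodies from the rev:1 and rev:3 rules translated to Python and run over request lines constructed for this example (the two .swf names and the POST are copied from the URIs quoted in the thread; the other lines are made-up benign traffic). It shows two things a practitioner would check before shipping the rule. First, "|2f|" inside a pcre is not Snort hex notation, it is PCRE alternation, so the rule as posted fires on almost every GET. Second, the .swf names quoted in the thread are 32 lowercase hex characters (MD5 length), so a pattern that requires exactly 16 characters between the slash and ".swf" does not match them; the "hex32" pattern below is derived from those samples and is my assumption about the family, not something the thread states.

```python
import re

# Request lines constructed for this example. The two .swf names and the
# POST are copied from the URIs quoted in the thread; the other lines are
# made-up benign traffic so that false positives are visible.
SAMPLE_REQUESTS = [
    "GET /f4ce3f4ef065f157d07dd20977598b0e.swf HTTP/1.1",  # from James's capture
    "GET /2de96bd378d6e6614297e27284fdb335.swf HTTP/1.1",  # from Ian's chain
    "GET /static/player.swf HTTP/1.1",                     # benign, constructed
    "GET /index.html HTTP/1.1",                            # benign, constructed
    "POST /c9e9975e0f51af3ce1354090fb303d8e.php?q=87086c5336208ce7836edca90ecc8d25 HTTP/1.1",
    "POST /login?session=2f9a HTTP/1.1",                   # benign, constructed
]

# The pcre bodies from the thread with Snort's "/.../" delimiters stripped.
# Neither rule sets the /i flag, so these stay case-sensitive as in Snort.
PATTERNS = {
    # rev:1 - unanchored, so it also fires when 16 alnum chars are merely
    # the tail of a longer name (which is why it matches the samples).
    "rev1_unanchored16": re.compile(r"[0-9a-z]{16}\.swf"),
    # rev:3 exactly as posted. Inside a PCRE "|2f|" is not hex notation:
    # "|" is alternation, so this is three alternatives, "GET ", "2f" and
    # "<16 alnum>.swf", and nearly every request matches one of them.
    "rev3_as_posted": re.compile(r"GET |2f|[0-9a-z]{16}\.swf"),
    # rev:3 with the slash written as a PCRE literal, which is what the
    # rule meant. It requires exactly 16 chars between "/" and ".swf".
    "rev3_slash_fixed": re.compile(r"GET /[0-9a-z]{16}\.swf"),
    # Derived from the samples (assumption): both names in the thread are
    # 32 lowercase hex characters, so anchor on that instead of 16.
    "hex32_anchored": re.compile(r"^GET /[0-9a-f]{32}\.swf(?:[ ?]|$)"),
}


def matches(pattern, requests):
    """Return the request lines on which `pattern` would fire."""
    return [line for line in requests if pattern.search(line)]


def compare(requests=SAMPLE_REQUESTS):
    """Map each pattern name to the request lines it matches."""
    return {name: matches(pat, requests) for name, pat in PATTERNS.items()}


if __name__ == "__main__":
    for name, hits in compare().items():
        print(f"{name}: {len(hits)} hit(s)")
        for line in hits:
            print("   ", line)
```

Carried back into the Snort rule, this means pcre:"/GET \/[0-9a-z]{16}\.swf/" would not fire on the capture James posted, while a pattern such as /\/[0-9a-f]{32}\.swf$/U against the normalized URI (content:".swf"; http_uri;) matches both samples and ignores the benign lines; whether 32 hex characters holds across the whole family is something to confirm against more samples before tightening the rule that far.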