[Snort-sigs] [Emerging-Sigs] Malicious swf sig

James Lay jlay at ...3266...
Wed Dec 10 16:29:29 EST 2014


 

On 2014-12-10 01:58 PM, Will Metcalf wrote:

> Will check into those on the ET side. For some reason I think I've seen a leading dir sometimes; could be wrong though..
> Regards,
> Will
>
> On Wed, Dec 10, 2014 at 1:09 PM, James Lay <jlay at ...3266... [15]> wrote:
>

>> On 2014-12-10 11:11 AM, Shefferman, Ian wrote:
>>
>>> So far I've seen these Flash files used primarily (and probably solely) to redirect to Angler exploit kit "32x32" gates. A typical chain is as follows:
>>>
>>> (Source: http://malware-traffic-analysis.net/2014/10/30/index.html [1])
>>>
>>> GET kj-invest.com/2de96bd378d6e6614297e27284fdb335.swf [2]
>>> POST newfamilynutrition.com/c9e9975e0f51af3ce1354090fb303d8e.php?q=87086c5336208ce7836edca90ecc8d25 [3] # this POST request is made by the SWF
>>> GET qwe.leucaenaleucocephalaporno.net/7xibe37z48 [4] # actual Angler EK
>>> GET qwe.leucaenaleucocephalaporno.net/4PJOZWsxU4AMjReTBUSHArovOS32pWLvpt0cwm0sEion8J7ahaP62dkHtp-auIWi [5]
>>>
>>> The SWF receives parameters dynamically through HTML param attributes to determine where to redirect.
>>>
>>> -----Original Message-----
>>> From: emerging-sigs-bounces at ...3694... [6] [mailto:emerging-sigs-bounces at ...3694... [7]] On Behalf Of James Lay
>>> Sent: Wednesday, December 10, 2014 11:27 AM
>>> To: Snort-sigs; Emerging
>>> Subject: [Emerging-Sigs] Malicious swf sig
>>>
>>> Didn't see this in current sets, so here goes. Seen this in the wild...attaching as an image for safety. The Shockwave file does a simple URLrequest. Interesting thing to note was the ETag in the response:
>>>
>>> GET /f4ce3f4ef065f157d07dd20977598b0e.swf HTTP/1.1
>>> Accept: */*
>>> Accept-Language: en-US
>>> Referer: www.futurehopping.com [8] /self-sustaining-greenhouse/
>>> x-flash-version: 14,0,0,176
>>> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
>>> Host: 2dollarpeepshow.com [9]
>>> Cache-Control: max-stale=0
>>> Connection: Keep-Alive
>>> Pragma: no-cache
>>>
>>> HTTP/1.1 200 OK
>>> Date: Tue, 09 Dec 2014 23:55:31 GMT
>>> Server: Apache/2.2.15 (CentOS)
>>> Last-Modified: Tue, 02 Dec 2014 15:35:51 GMT
>>> ETag: "2f184b-3bc-5093d7b5e83c0"
>>> Accept-Ranges: bytes
>>> Content-Length: 956
>>> Connection: close
>>> Content-Type: application/x-shockwave-flash
>>>
>>> Not sure if this is isolated, or an infection of some sort....the iframe parameter might be able to be sig'd up as well:
>>>
>>> iframe name="37BF769D6F28F3EA27520E9EC44C0644" id="37BF769D6F28F3EA27520E9EC44C0644" style="position:absolute;top:5000px;left:5000px;width:300px;height:300px;">redacted>
>>>
>>> Anyway sig here:
>>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Malicious Shockwave redirect script"; content:"|2e|swf"; fast_pattern:only; pcre:"/[0-9a-z]{16}.swf/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977 [10]; classtype:trojan-activity; sid:10000147; rev:1;)
>>>
>>> All the previous names are 16 characters (thanks VT) so that's what I'm matching on..might help out someone somewhere...thoughts and fixes are welcome..thanks all.
>>>
>>> James
>> Ok..this one should be a little better..clearly I'm not good at making sigs ;) :
>>
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Angler Landing Gate"; content:"|2e|swf"; fast_pattern:only; pcre:"/GET |2f|[0-9a-z]{16}.swf/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977 [11]; classtype:trojan-activity; sid:10000147; rev:3;)
>>
>> James
>>


Interesting....the one I saw had no leading directory...and 16 characters instead of 32.

James


Links:
------
[1] http://malware-traffic-analysis.net/2014/10/30/index.html
[2] http://kj-invest.com/2de96bd378d6e6614297e27284fdb335.swf
[3] http://newfamilynutrition.com/c9e9975e0f51af3ce1354090fb303d8e.php?q=87086c5336208ce7836edca90ecc8d25
[4] http://qwe.leucaenaleucocephalaporno.net/7xibe37z48
[5] http://qwe.leucaenaleucocephalaporno.net/4PJOZWsxU4AMjReTBUSHArovOS32pWLvpt0cwm0sEion8J7ahaP62dkHtp-auIWi
[6] mailto:emerging-sigs-bounces at ...3694...
[7] mailto:emerging-sigs-bounces at ...3694...
[8] http://www.futurehopping.com
[9] http://2dollarpeepshow.com
[10] http://www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977
[11] http://www.virustotal.com/en/file/f4e0c392b0249bd307b818cffa8a5b8ee5259a44fa0405f445e279da7e1206e6/analysis/1418224977
[12] mailto:Emerging-sigs at ...3694...
[13] https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
[14] http://www.emergingthreats.net
[15] mailto:jlay at ...3266...
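Added example, not part of the thread: a small Python harness that translates the pcre expressions from James's rev:1 and rev:3 rules into Python regexes and runs them over request lines constructed from the paths quoted above, so the 16-versus-32-character and leading-directory questions raised in the thread can be checked before a rule goes live. Snort's pcre keyword takes plain PCRE, where `|` is alternation and a literal slash is written `\x2f` rather than the content keyword's `|2f|`, so both readings of the rev:3 expression are included; the stricter pattern at the end is my own suggestion and assumes the 32-hex-character names seen in every sample in the thread.

```python
import re

# Snort pcre expressions from the thread, translated to Python's re module.
# rev:1 as written: the unescaped "." matches any single character before "swf".
RULE_REV1 = re.compile(r"[0-9a-z]{16}.swf")
# rev:3 exactly as written. Inside pcre, "|" is PCRE alternation rather than
# the content keyword's |hex| notation, so this reads "GET " OR "2f" OR the
# filename pattern, and it fires on every request line containing "GET ".
RULE_REV3_AS_WRITTEN = re.compile(r"GET |2f|[0-9a-z]{16}.swf")
# rev:3 as presumably intended, with |2f| read as a literal slash (\x2f).
RULE_REV3_INTENDED = re.compile(r"GET \x2f[0-9a-z]{16}.swf")
# Assumed tighter variant (my suggestion, not from the thread): anchored to the
# request line, optional leading directory (Will's point), a 32-hex-char name
# as in every sample quoted above, and a literal ".swf" before the query/version.
RULE_STRICT = re.compile(r"^GET /(?:[^ ?]*/)?[0-9a-f]{32}\.swf(?:[ ?]|$)", re.M)

# Constructed request lines built from the paths quoted in the thread;
# "leading_dir" is a made-up directory prefix and "short_16hex" is a made-up
# 16-character name that shows what the rev:3 pattern actually requires.
SAMPLES = {
    "james_no_dir": "GET /f4ce3f4ef065f157d07dd20977598b0e.swf HTTP/1.1",
    "ian_no_dir": "GET /2de96bd378d6e6614297e27284fdb335.swf HTTP/1.1",
    "leading_dir": "GET /static/2de96bd378d6e6614297e27284fdb335.swf HTTP/1.1",
    "benign_short": "GET /player.swf HTTP/1.1",
    "short_16hex": "GET /0123456789abcdef.swf HTTP/1.1",
}


def evaluate(pattern, samples=SAMPLES):
    """Return the sorted names of the samples on which the pattern would fire."""
    return sorted(name for name, line in samples.items() if pattern.search(line))


if __name__ == "__main__":
    for label, pattern in [("rev1", RULE_REV1), ("rev3 as written", RULE_REV3_AS_WRITTEN),
                           ("rev3 intended", RULE_REV3_INTENDED), ("strict", RULE_STRICT)]:
        print(f"{label:16} -> {evaluate(pattern)}")
```

Running it shows that the intended rev:3 pattern misses both 32-character samples from the thread (it requires exactly 16 characters after the slash), while the as-written form fires on every request line.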