[Snort-sigs] JackPOS sig

James Espinosa jamesejr at ...2420...
Tue Feb 11 17:42:55 EST 2014


Thanks, James. Although, in the POST request referenced in the SpiderLabs
blog, the user agent string has a space (i.e. User-Agent: something). I also
had issues producing an alert while testing. I removed the *file_data* keyword
from the rule and it fired correctly (the user agent string is seen in
requests going from internal to external (exfil), but not in the return
traffic). Please correct me if I'm wrong, but perhaps this might work?

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC JackPOS User-Agent detected";
    flow:to_server,established;
    content:"User-Agent|3A| something"; http_header; fast_pattern:only;
    metadata:policy balanced-ips drop, policy security-ips drop, service http;
    reference:url,blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html;
    classtype:trojan-activity; sid:10000125; rev:1;)


On Tue, Feb 11, 2014 at 2:46 PM, James Lay <jlay at ...3266...> wrote:

> alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC JackPOS
> User-Agent detected"; flow:to_server,established; file_data;
> content:"User-Agent|3A|something"; http_header; fast_pattern:only;
> metadata:policy balanced-ips drop, policy security-ips drop, service
> http;
> reference:url,
> blog.spiderlabs.com/2014/02/jackpos-the-house-always-wins.html;
> classtype:trojan-activity; sid:10000125; rev:1;)
>
> PoS Malware..what a pain.
>
> James
>
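The thread's point is that a content match only fires if it is looked for in the right buffer: the User-Agent string lives in the request header block, so a rule that steers the match into the body buffer (file_data) misses it, and the literal has to include the space after the colon. The script below is an added illustration, not code from this thread or from Snort; it is a deliberately simplified model in which file_data is assumed to select the message body and http_header the header block, and the HTTP request it runs over is constructed for the example. It decodes Snort's |xx| hex notation and checks each buffer separately.

```python
"""
Toy model of Snort content matching against per-buffer data.
Added example, not Snort's engine and not code from the mailing-list thread.
Assumption: file_data -> message body, http_header -> request header block.
"""

# Constructed request in the shape of the exfil POST discussed above.
SAMPLE_REQUEST = (
    b"POST /post.php HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"User-Agent: something\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b"data=constructed0"
)


def decode_content(pattern: str) -> bytes:
    """Turn a Snort content string such as 'User-Agent|3A| something' into bytes.

    Text outside |...| is literal; inside, whitespace-separated hex pairs are
    raw byte values (Snort allows '|3A 20|' as well as '|3A|').
    """
    out = bytearray()
    for i, chunk in enumerate(pattern.split("|")):
        if i % 2 == 0:
            out += chunk.encode("latin-1")
        else:
            for hexbyte in chunk.split():
                out.append(int(hexbyte, 16))
    return bytes(out)


def split_http(raw: bytes) -> dict:
    """Split one HTTP message into the buffers a rule modifier can select.

    Simplified: the header block is everything before the first blank line,
    the body is everything after it.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    return {"http_header": head, "file_data": body}


def rule_matches(raw: bytes, content: str, buffer: str) -> bool:
    """Return True if the decoded content appears in the selected buffer."""
    return decode_content(content) in split_http(raw)[buffer]


if __name__ == "__main__":
    for content in ("User-Agent|3A| something", "User-Agent|3A|something"):
        for buf in ("http_header", "file_data"):
            hit = rule_matches(SAMPLE_REQUEST, content, buf)
            print(f"{content!r:32} in {buf:12}: {hit}")
```

Running it shows the two failure modes side by side: the corrected literal matches in the header buffer and nowhere else, while the no-space literal matches in neither buffer. When a rule does not fire, checking which buffer the content is being compared against is the first thing to verify, before touching the pattern itself.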