[Snort-sigs] IP address check to anonymous-servers.com

Tony Robinson deusexmachina667 at ...2420...
Fri Jul 25 11:49:16 EDT 2014


Got some interesting indicators from MalwareMustDie that there are
some malware variants that check anonymous-servers.com/ip/ip.php to
figure out where they're at. I wrote a couple of snort rules.
Apologies if these have already been submitted.

# HTTP rule. The rule header before msg was truncated in the post; the
# header below (alert tcp ... $HTTP_PORTS) is the standard form for an
# http_uri rule and is assumed, the msg text is kept as posted.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"URI possible
IP address check to anonymous-servers.com"; flow:to_server,established;
content:"GET"; http_method; content:"/ip/ip.php"; fast_pattern:only;
http_uri; metadata:policy security-ips drop, service http;
classtype:trojan-activity; sid:1000000; rev:1;)
# DNS rule. byte_test:1,!&,0xF8,2 checks the high flags byte so only
# standard queries (QR=0, OPCODE=0, AA=0) match; the content is the
# wire-format name with length-prefixed labels (0x11 = 17 bytes, 0x03).
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS
request to anonymous-servers.com"; flow:to_server;
byte_test:1,!&,0xF8,2; content:"|11|anonymous-servers|03|com";
fast_pattern:only; metadata:policy security-ips drop, service dns;
classtype:trojan-activity; sid:1000001; rev:1;)
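To sanity-check the DNS rule, here is an added Python example (not part of the original post or the Snort project) that encodes the query name the way the rule's content match expects and applies the same byte_test and content checks to constructed DNS packets; the helper names, transaction id and sample names are my own.

```python
import struct

def dns_wire_name(hostname: str) -> bytes:
    """Encode a hostname as DNS wire-format labels: each label is
    prefixed by its length byte, and the name ends with a zero byte."""
    out = b""
    for label in hostname.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_dns_query(hostname: str, flags: int = 0x0100,
                    txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Constructed sample packet: a DNS header (default flags 0x0100 =
    standard recursive query, QDCOUNT 1) followed by one A question."""
    header = struct.pack(">HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + dns_wire_name(hostname) + struct.pack(">HH", qtype, 1)

# The rule's content match with Snort's |hex| escapes expanded:
# 0x11 (17) is the length of "anonymous-servers", 0x03 that of "com".
RULE_CONTENT = b"\x11anonymous-servers\x03com"

def rule_matches(payload: bytes) -> bool:
    """Mirror the rule body. byte_test:1,!&,0xF8,2 reads one byte at
    offset 2 (the high flags byte) and passes only when none of the
    0xF8 bits are set, i.e. QR=0 (a query, not a response), OPCODE=0
    (standard query) and AA=0. The content may appear anywhere in the
    payload, exactly as an unanchored Snort content match would."""
    if len(payload) < 12:          # shorter than a DNS header
        return False
    if payload[2] & 0xF8:
        return False
    return RULE_CONTENT in payload
```

Because the match is unanchored, a query for any subdomain of anonymous-servers.com also fires, while a lookalike such as notanonymous-servers.com does not, since its label carries a different length prefix.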

comments? improvements?

when does reality end? when does fantasy begin?
