[Snort-sigs] IP address check to anonymous-servers.com
deusexmachina667 at ...2420...
Fri Jul 25 11:49:16 EDT 2014
Got some interesting indicators from MalwareMustDie that there are
some malware variants that check anonymous-servers.com/ip/ip.php to
figure out where they're at. I wrote a couple of snort rules.
Apologies if these have already been submitted.
# HTTP check: GET for /ip/ip.php with the host in the request headers
# (sid 1000000 is a placeholder in the local range; use any unused local sid)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLACKLIST URI possible IP address check to anonymous-servers.com"; flow:to_server,established; content:"GET"; http_method; content:"/ip/ip.php"; fast_pattern:only; http_uri; content:"anonymous-servers.com"; nocase; http_header; metadata:policy security-ips drop, service http; classtype:trojan-activity; sid:1000000; rev:1;)
# DNS check: the query name in wire format (length-prefixed labels, null terminated)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"BLACKLIST DNS request to anonymous-servers.com"; flow:to_server; content:"|11|anonymous-servers|03|com|00|"; fast_pattern:only; metadata:policy security-ips drop, service dns; classtype:trojan-activity; sid:1000001; rev:1;)
when does reality end? when does fantasy begin?
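An added example, not from the original post or from Snort: Python that derives the DNS wire-format content string for anonymous-servers.com and replays the two rules' content checks against constructed sample traffic, so the strings can be sanity-checked before the rules go into a sensor. The sample packets and helper names are assumptions made for this example.

```python
# Added example: check the content strings of the two rules above against
# constructed sample traffic (not real captures).
import struct

DOMAIN = "anonymous-servers.com"
URI = "/ip/ip.php"

def dns_wire_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, terminated by 0x00."""
    labels = name.split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def snort_hex(content: bytes) -> str:
    """Render bytes in Snort content syntax: printable text, |hh| for other bytes."""
    parts, buf = [], ""
    for b in content:
        if 0x20 < b < 0x7F and chr(b) not in '|";\\':
            buf += chr(b)
        else:
            if buf:
                parts.append(buf)
                buf = ""
            parts.append(f"|{b:02X}|")
    if buf:
        parts.append(buf)
    return "".join(parts)

def build_dns_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard recursive A query (12-byte header + question)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + dns_wire_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def dns_rule_matches(payload: bytes) -> bool:
    """Mirror the UDP/53 rule: the encoded query name appears in the payload."""
    return dns_wire_name(DOMAIN) in payload

def http_rule_matches(request: bytes) -> bool:
    """Mirror the HTTP rule: GET method, URI contains /ip/ip.php, host in headers (nocase)."""
    request_line, _, headers = request.partition(b"\r\n")
    method, _, rest = request_line.partition(b" ")
    uri = rest.split(b" ")[0]
    return method == b"GET" and URI.encode() in uri and DOMAIN.encode() in headers.lower()

# Constructed sample request matching what the rule describes.
SAMPLE_HTTP = (b"GET /ip/ip.php HTTP/1.1\r\nHost: anonymous-servers.com\r\n"
               b"User-Agent: Mozilla/4.0\r\n\r\n")
```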