[Snort-sigs] Wirelurker A and B

James Lay jlay at ...3266...
Thu Nov 6 11:47:19 EST 2014


May help someone somewhere...a quick search of 
http://www.ua-tracker.com/ showed no known UA with globalupdate, so I 
figured I'd just look for that and be done with it.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
OSX.Trojan.Wirelurker.AB"; flow:to_server,established; 
content:"User-Agent|3A|globalupdate"; fast_pattern:only; 
metadata:impact_flag red, policy balanced-ips drop, policy security-ips 
drop, service http; reference: 
url,researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware; 
classtype:trojan-activity; sid:10000138; rev:1;)

Rev C uses encrypted channels, so uh...hope you don't get C.  As always 
fixes are welcome.

James




More information about the Snort-sigs mailing list