[Snort-sigs] Offer a new sig for detecting JS_JITON Malware

rmkml rmkml at ...4129...
Mon Apr 11 15:48:52 EDT 2016


Hi,

First, Thx @TrendMicro for sharing,

The http://etplc.org open source project offers a new sig for detecting JS_JITON:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC JS_JITON Malware possible attempt"; flow:to_server,established; \
content:".tongjii."; nocase; http_header; content:".js"; nocase; http_uri; pcre:"/Host\x3a[^\r\n]*?\.tongjii\./Hi"; \
reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-devices-used-to-execute-dns-malware-against-home-routers/; \
classtype:misc-attack; sid:1; rev:1;)

See reference for more information.

Don't forget to check variables.

Please send any comments.

Regards
@Rmkml
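Added example (not part of the original post or the etplc.org project): a small Python model of the rule's payload options, run over constructed HTTP requests, to show which buffer each option inspects and why the pcre is needed on top of the two content matches. It does not model $HOME_NET/$EXTERNAL_NET or $HTTP_PORTS, and the host names are placeholders, not indicators from the TrendMicro write-up.

```python
import re

# The rule's pcre: /H (header buffer) is modelled by searching only the
# header block, /i by re.IGNORECASE.
RULE_PCRE = re.compile(rb"Host\x3a[^\r\n]*?\.tongjii\.", re.IGNORECASE)

def split_request(raw: bytes):
    """Split a raw HTTP request into the two buffers the rule inspects:
    the request URI (http_uri) and the header block (http_header)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, headers = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = parts[1] if len(parts) >= 2 else b""
    return uri, headers

def matches_js_jiton_rule(raw: bytes) -> bool:
    """Apply the rule's payload options in order: content ".tongjii."
    (nocase) in http_header, content ".js" (nocase) in http_uri, then
    the pcre, which additionally pins ".tongjii." to the Host line."""
    uri, headers = split_request(raw)
    if b".tongjii." not in headers.lower():
        return False
    if b".js" not in uri.lower():
        return False
    return RULE_PCRE.search(headers) is not None

# Constructed sample requests; the host names are placeholders, not real IoCs.
SAMPLE_HIT = (b"GET /count.js HTTP/1.1\r\n"
              b"Host: www.tongjii.example\r\n"
              b"User-Agent: Mozilla/5.0\r\n\r\n")
# Same host, but the URI does not reference a .js file.
SAMPLE_NO_JS = (b"GET /index.html HTTP/1.1\r\n"
                b"Host: www.tongjii.example\r\n\r\n")
# ".tongjii." appears in the headers, but only in Referer: both content
# matches pass and the pcre's Host anchoring is what rejects it.
SAMPLE_REFERER_ONLY = (b"GET /lib/jquery.js HTTP/1.1\r\n"
                       b"Host: cdn.example\r\n"
                       b"Referer: http://www.tongjii.example/\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("hit", SAMPLE_HIT), ("no_js", SAMPLE_NO_JS),
                      ("referer_only", SAMPLE_REFERER_ONLY)]:
        print(name, matches_js_jiton_rule(req))
```

The third sample is the one worth keeping in mind when tuning: without the pcre, a page on any host that merely links to the tracked domain would alert.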