[Snort-sigs] Offer a new sig for detecting JS_JITON Malware

Joshua Williams joshuwi2 at ...435...
Mon Apr 11 15:51:30 EDT 2016


Hi rmkml,

Thanks for your submission. I'll review and test these rules and get back
to you when they're finished.

V.r.,
Josh Williams
Research Engineer
VRT

On Mon, Apr 11, 2016 at 3:48 PM, rmkml <rmkml at ...4129...> wrote:

> Hi,
>
> First, Thx @TrendMicro for sharing,
>
> The http://etplc.org open source project offers a new sig for detecting
> JS_JITON:
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-MISC JS_JITON Malware possible attempt"; flow:to_server,established; content:".tongjii."; nocase; http_header; content:".js"; nocase; http_uri; pcre:"/Host\x3a[^\r\n]*?\.tongjii\./Hi"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/mobile-devices-used-to-execute-dns-malware-against-home-routers/; classtype:misc-attack; sid:1; rev:1;)
>
> See reference for more information.
>
> Don't forget to check variables.
>
> Please send any comments.
>
> Regards
> @Rmkml
>
>



-- 
V/r,
Josh Williams
Research Engineer
VRT
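The rule above combines two fast content matches (".tongjii." anywhere in the HTTP headers, ".js" in the URI) with a PCRE that confirms the ".tongjii." string actually sits on the Host line. The following Python is an added illustration, not code from the original post or from the etplc.org project: it parses a few constructed HTTP requests (sample data, not real captures) and applies the same three tests in the same order, so you can see which requests the rule would fire on and why the PCRE is needed on top of the header content match. The function and sample names are my own.

```python
import re

# Constructed sample HTTP requests (not real traffic) used to exercise the check.
# 0: Host line contains ".tongjii." and URI is a .js -> should match
# 1: ".tongjii." only appears in Referer, not Host -> content matches, PCRE rejects
# 2: Host matches but URI is not a .js -> URI test rejects
# 3: same as 0 but in upper case -> nocase / i flag should still match
SAMPLE_REQUESTS = [
    b"GET /stat.js HTTP/1.1\r\nHost: www.tongjii.example\r\nUser-Agent: x\r\n\r\n",
    b"GET /stat.js HTTP/1.1\r\nHost: www.example.invalid\r\n"
    b"Referer: http://cdn.tongjii.example/\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: www.tongjii.example\r\n\r\n",
    b"GET /A.JS HTTP/1.1\r\nHOST: WWW.TONGJII.EXAMPLE\r\n\r\n",
]

# Same expression as the rule's pcre, with its H (headers) and i (nocase) flags:
# the Host header value, up to end of line, must contain ".tongjii.".
HOST_RE = re.compile(rb"Host\x3a[^\r\n]*?\.tongjii\.", re.IGNORECASE)


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, uri, header_block) or None if malformed."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 2:
        return None
    method, uri = parts[0], parts[1]
    header_block = b"\r\n".join(lines[1:])
    return method, uri, header_block


def matches_jiton_rule(raw: bytes) -> bool:
    """Apply the rule's three payload tests to one request, in rule order."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    _, uri, headers = parsed
    # content:".js"; nocase; http_uri
    if b".js" not in uri.lower():
        return False
    # content:".tongjii."; nocase; http_header  (fast pre-filter over all headers)
    if b".tongjii." not in headers.lower():
        return False
    # pcre:"/Host\x3a[^\r\n]*?\.tongjii\./Hi"  (confirm it is the Host header)
    return HOST_RE.search(headers) is not None


def scan(requests):
    """Return the indexes of the requests that the rule would alert on."""
    return [i for i, req in enumerate(requests) if matches_jiton_rule(req)]


if __name__ == "__main__":
    print("matching requests:", scan(SAMPLE_REQUESTS))
```

Request 1 is the instructive case: the `http_header` content match alone would fire on the Referer, and only the Host-anchored PCRE keeps it quiet. Note that the Python checks payload only; the rule's `$HOME_NET`, `$EXTERNAL_NET` and `$HTTP_PORTS` direction and port constraints (the "variables" rmkml asks you to check) are not modelled here.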