[Snort-sigs] Osx.Adware.IronCore

Y M snort at ...3751...
Fri Feb 17 11:16:10 EST 2017


Hello,


This came in as a "Surf Buyer" app for OS X. Any web page opens in Chrome/Safari/Firefox will result in a new tab opening/redirecting to a site with a self-signed certificate. Below rules are for detecting the outbound connections. Couldn't trigger on the self-signed certificate exchange! Pcap is available for this one.


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.IronCore report status"; flow:to_server,established; content:"GET"; http_method; content:"/report/?application="; fast_pattern:only; http_uri; content:"&guid="; http_uri; content:"&details="; http_uri; content:"&action="; http_uri; content:!"Connection"; http_header; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,virustotal.com/en/file/baed00c6e6b157f3a53c76a200de84927f5c9d448cf76438c55d62c18033ba1b/analysis/; classtype:trojan-activity; sid:1000841; rev:1;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.IronCore ad inject"; flow:to_server,established; urilen:>1000; content:"GET"; http_method; content:"/click?h="; fast_pattern:only; http_uri; content:"&subid="; http_uri; content:"&data_fb="; http_uri; content:"&data_rtt="; http_uri; content:"&data_proto="; http_uri; content:"&data_ic="; content:"&data_ss="; http_uri; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,virustotal.com/en/file/baed00c6e6b157f3a53c76a200de84927f5c9d448cf76438c55d62c18033ba1b/analysis/; classtype:trojan-activity; sid:1000842; rev:1;)


Thanks.

YM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20170217/24b6d7cd/attachment.html>


More information about the Snort-sigs mailing list